diff --git a/README.md b/README.md
index a7caf0e2..e133176e 100644
--- a/README.md
+++ b/README.md
@@ -91,6 +91,8 @@ env:
 
 The list of secret env variables will be expanded at run time from your local machine. So a reference to a secret `DATABASE_PASSWORD` will look for `ENV["DATABASE_PASSWORD"]` on the machine running MRSK. Just like with build secrets.
 
+If the referenced secret ENVs are missing, the configuration will be halted with a `KeyError` exception.
+
 Note: Marking an ENV as secret currently only redacts its value in the output for MRSK. The ENV is still injected in the clear into the container at runtime.
 
 
diff --git a/lib/mrsk/configuration.rb b/lib/mrsk/configuration.rb
index e58cd0fc..02bb934a 100644
--- a/lib/mrsk/configuration.rb
+++ b/lib/mrsk/configuration.rb
@@ -140,7 +140,7 @@ class Mrsk::Configuration
     end
 
     def expand_env_secrets
-      config.env["secret"].to_h { |key| [ key, ENV[key] ] }
+      config.env["secret"].to_h { |key| [ key, ENV.fetch(key) ] }
     end
 end
 
diff --git a/test/configuration_test.rb b/test/configuration_test.rb
index 0e7e523a..eff0ddac 100644
--- a/test/configuration_test.rb
+++ b/test/configuration_test.rb
@@ -113,6 +113,16 @@ class ConfigurationTest < ActiveSupport::TestCase
     ENV["PASSWORD"] = nil
   end
 
+  test "env args with missing secret" do
+    config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!({ 
+      env: { "secret" => [ "PASSWORD" ] } 
+    }) })
+
+    assert_raises(KeyError) do
+      assert_equal [ "-e", "PASSWORD=secret123" ], config.env_args
+    end
+  end
+
   test "ssh options" do
     assert_equal "root", @config.ssh_options[:user]