diff --git a/cmd/common-main.go b/cmd/common-main.go
index 95d93f6a1..ee30e1886 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -38,6 +38,7 @@ import (
 	"github.com/fatih/color"
 	dns2 "github.com/miekg/dns"
 	"github.com/minio/cli"
+	"github.com/minio/kes"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/cmd/config"
 	xhttp "github.com/minio/minio/cmd/http"
@@ -387,15 +388,24 @@ func handleCommonEnvVars() {
 			logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
 		}
 
+		var defaultKeyID = env.Get(config.EnvKESKeyName, "")
 		KMS, err := kms.NewWithConfig(kms.Config{
 			Endpoints:    endpoints,
-			DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
+			DefaultKeyID: defaultKeyID,
 			Certificate:  certificate,
 			RootCAs:      rootCAs,
 		})
 		if err != nil {
 			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
 		}
+
+		// We check that the default key ID exists or try to create it otherwise.
+		// This implicitly checks that we can communicate to KES. We don't treat
+		// a policy error as failure condition since MinIO may not have the permission
+		// to create keys - just to generate/decrypt data encryption keys.
+		if err = KMS.CreateKey(defaultKeyID); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
+			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
+		}
 		GlobalKMS = KMS
 	}
 	if tiers := env.Get("_MINIO_DEBUG_REMOTE_TIERS_IMMEDIATELY", ""); tiers != "" {