diff --git a/internal/config/config.go b/internal/config/config.go
index e770297..e8a33dc 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -14,6 +14,7 @@ import (
 "os"
 "path/filepath"
 "strings"
+ "unicode/utf8"
 "github.com/openlibrecommunity/olcrtc/internal/app/session"
 "gopkg.in/yaml.v3"
@@ -176,6 +177,9 @@ func Load(path string) (File, error) {
 }
 return File{}, fmt.Errorf("read config %s: %w", path, err)
 }
+ if !utf8.Valid(data) {
+ return File{}, fmt.Errorf("parse config %s: file is not valid UTF-8", path)
+ }
 var f File
 if err := yaml.Unmarshal(data, &f); err != nil {
 return File{}, fmt.Errorf("parse config %s: %w", path, err)
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 926aac9..d72a978 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "os"
 "path/filepath"
+ "strings"
 "testing"
 "github.com/openlibrecommunity/olcrtc/internal/app/session"
@@ -320,3 +321,15 @@ func TestLoadMissing(t *testing.T) {
 t.Fatal("expected error for missing file")
 }
 }
+
+func TestLoadInvalidUTF8(t *testing.T) {
+ path := filepath.Join(t.TempDir(), "olcrtc.yaml")
+ if err := os.WriteFile(path, []byte{'m', 'o', 'd', 'e', ':', ' ', 0xff}, 0o600); err != nil {
+ t.Fatalf("write config: %v", err)
+ }
+
+ _, err := Load(path)
+ if err == nil || !strings.Contains(err.Error(), "file is not valid UTF-8") {
+ t.Fatalf("Load() error = %v, want invalid UTF-8 error", err)
+ }
+}
diff --git a/script/cnc.sh b/script/cnc.sh
index 907a36a..4f4822d 100755
--- a/script/cnc.sh
+++ b/script/cnc.sh
@@ -72,6 +72,16 @@ fi
 echo "[+] Using Podman"
 echo ""
+
+validate_key() {
+ case "$1" in
+ *[!0-9a-fA-F]*)
+ return 1
+ ;;
+ esac
+ [ "${#1}" -eq 64 ]
+}
+
 echo "Select auth provider:"
 echo " 1) jitsi"
 echo " 2) telemost"
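Review bot: The new UTF-8 failure in Load is a plain `fmt.Errorf` string with nothing for callers to match on, which is why TestLoadInvalidUTF8 in config_test.go has to assert with `strings.Contains` on the message text. A package-level sentinel, `var ErrInvalidUTF8 = errors.New("file is not valid UTF-8")`, returned as `fmt.Errorf("parse config %s: %w", path, ErrInvalidUTF8)`, keeps the same text and lets the test use `errors.Is`; the import of `errors` in config.go is not visible here and may need adding. The check also deserves a comment such as `// Reject non-UTF-8 bytes before decoding; this also refuses UTF-16 files the YAML decoder might otherwise accept.`, and it is worth confirming that no deployed config relies on such an encoding. Load begins and ends outside the hunk.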
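Review bot: validate_key is added without a comment and is repeated verbatim in script/srv.sh (the `@@ -68,6 +68,16 @@` hunk), so the two copies can drift apart when one is later tightened. A header such as `# validate_key KEY: succeeds only if KEY is exactly 64 hex characters (32 bytes, the size "openssl rand -hex 32" produces in srv.sh)` would record the contract, and moving the function into one file that both scripts source would remove the duplication. The bracket ranges in `*[!0-9a-fA-F]*` can follow the shell's locale collation in some shells and versions, so pinning the function to the C locale would make the check strictly ASCII; this is a hardening suggestion, not something the hunk shows failing.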
@@ -158,6 +168,11 @@ if [ -z "$KEY" ]; then
 exit 1
 fi
+if ! validate_key "$KEY"; then
+ echo "[X] Encryption key must be 64 hex characters"
+ exit 1
+fi
+
 echo ""
 read -p "DNS server [default: 8.8.8.8:53]: " DNS_INPUT
 DNS=${DNS_INPUT:-8.8.8.8:53}
diff --git a/script/srv.sh b/script/srv.sh
index 6ffd76f..d23a43a 100755
--- a/script/srv.sh
+++ b/script/srv.sh
@@ -68,6 +68,16 @@ fi
 echo "[+] Using Podman"
 echo ""
+
+validate_key() {
+ case "$1" in
+ *[!0-9a-fA-F]*)
+ return 1
+ ;;
+ esac
+ [ "${#1}" -eq 64 ]
+}
+
 echo "Select carrier:"
 echo " 1) jitsi"
 echo " 2) telemost"
@@ -361,7 +371,12 @@ KEY_FILE="$HOME/.olcrtc_key"
 if [ -f "$KEY_FILE" ]; then
 echo "[*] Loading existing encryption key..."
- KEY=$(cat "$KEY_FILE")
+ KEY=$(tr -d '[:space:]' < "$KEY_FILE")
+ if ! validate_key "$KEY"; then
+ echo "[X] Invalid encryption key in $KEY_FILE"
+ echo " Remove the file to generate a new key, or replace it with 64 hex characters."
+ exit 1
+ fi
 else
 echo "[*] Generating new encryption key..."
 KEY=$(openssl rand -hex 32)
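Review bot: The key is validated here exactly as entered, while the loading path in script/srv.sh strips all whitespace with `tr -d '[:space:]'` before calling validate_key, so the same pasted value can be accepted by one script and rejected by the other. How KEY is read lies outside the hunk; if it comes from a plain `read`, normalising first with `KEY=$(printf '%s' "$KEY" | tr -d '[:space:]')` would make the two scripts agree. A short comment above the check, `# Reject malformed keys before they reach the container arguments`, would also say why it sits at this point, assuming that is where KEY is used next.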
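Review bot: The loading branch now checks the key's format but still trusts the file itself: nothing in this hunk verifies that `$KEY_FILE` is owned by the current user or closed to other users before its contents become the encryption key. A guard ahead of the `tr` line, for example `[ -O "$KEY_FILE" ] || { echo "[X] $KEY_FILE is not owned by the current user"; exit 1; }`, followed by `chmod 600 "$KEY_FILE"`, would cover that; whether the generate branch already restricts the mode lies outside the hunk. `tr -d '[:space:]'` also silently joins a key that was split across lines, which merits a one-line comment so the leniency reads as intentional.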