diff --git a/cmd/fleet/serve.go b/cmd/fleet/serve.go
index 79429442ba..0ff5b9c1fc 100644
--- a/cmd/fleet/serve.go
+++ b/cmd/fleet/serve.go
@@ -163,6 +163,14 @@ the way that the Fleet server works.
 				}
 			}
 
+			if len([]byte(config.Server.PrivateKey)) < 32 {
+				initFatal(errors.New("private key must be at least 32 bytes long"), "validate private key")
+			}
+
+			// We truncate to 32 bytes because AES-256 requires a 32 byte (256 bit) PK, but some
+			// infra setups generate keys that are longer than 32 bytes.
+			config.Server.PrivateKey = config.Server.PrivateKey[:32]
+
 			var ds fleet.Datastore
 			var carveStore fleet.CarveStore
 			var installerStore fleet.InstallerStore
@@ -508,14 +516,6 @@ the way that the Fleet server works.
 				cancel()
 			}
 
-			if len([]byte(config.Server.PrivateKey)) < 32 {
-				initFatal(errors.New("private key must be at least 32 bytes long"), "validate private key")
-			}
-
-			// We truncate to 32 bytes because AES-256 requires a 32 byte (256 bit) PK, but some
-			// infra setups generate keys that are longer than 32 bytes.
-			config.Server.PrivateKey = config.Server.PrivateKey[:32]
-
 			appCfg, err := ds.AppConfig(context.Background())
 			if err != nil {
 				initFatal(err, "loading app config")