diff --git a/cmd/fleetctl/preview.go b/cmd/fleetctl/preview.go
index 5b61b1d62f..38d9c9e650 100644
--- a/cmd/fleetctl/preview.go
+++ b/cmd/fleetctl/preview.go
@@ -2,7 +2,9 @@ package main
 import (
 "context"
+ "crypto/rand"
 "crypto/tls"
+ "encoding/hex"
 "errors"
 "fmt"
 "io"
@@ -215,6 +217,48 @@ Use the stop and reset subcommands to manage the server and dependencies once st
 }
 }
+ generatePrivateKey := func(n int) (string, error) {
+ bytes := make([]byte, n/2)
+ if _, err := rand.Read(bytes); err != nil {
+ return "", err
+ }
+ return hex.EncodeToString(bytes)[:n], nil
+ }
+
+ // Create a random private key for MDM asset encryption and save it to the filesystem
+ // for use in subsequent runs. If one already exists, use that one.
+ var pk string
+ pkFilename := filepath.Join(previewDir, ".private_key")
+ _, err = os.Stat(pkFilename)
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ pk, err := generatePrivateKey(32) // use AES-256
+ if err != nil {
+ return fmt.Errorf("generating private key: %w", err)
+ }
+
+ if err := os.WriteFile(filepath.Join(previewDir, ".private_key"), []byte(pk), os.ModeAppend); err != nil {
+ return fmt.Errorf("writing private key file: %w", err)
+ }
+
+ }
+
+ return fmt.Errorf("stat private key file: %w", err)
+ }
+
+ if len(pk) == 0 {
+ filePK, err := os.ReadFile(pkFilename)
+ if err != nil {
+ return fmt.Errorf("reading private key file: %w", err)
+ }
+
+ pk = string(filePK)
+ }
+
+ if err := os.Setenv("FLEET_SERVER_PRIVATE_KEY", pk); err != nil {
+ return fmt.Errorf("failed to set private key: %w", err)
+ }
+
 if err := os.Setenv("FLEET_VERSION", c.String(tagFlagName)); err != nil {
 return fmt.Errorf("failed to set Fleet version: %w", err)
 }
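Review bot: On a fresh preview directory the `if err != nil` block generates and writes the key and then still falls through to `return fmt.Errorf("stat private key file: %w", err)`, so the first run always fails with the ErrNotExist error; inverting the check so that only non-ErrNotExist errors return fixes that. The `pk, err :=` inside the branch also shadows the outer `var pk string`, so it should be a plain `=` assignment to the outer variables. `os.WriteFile(..., os.ModeAppend)` passes a mode flag bit rather than a permission, so the file is created with no permission bits and the next run's `os.ReadFile` will get permission denied; key material should be written with `0o600`, and the already-computed `pkFilename` should be reused instead of re-joining the path. Separately, `generatePrivateKey(32)` produces 32 hex characters backed by 16 random bytes, so if the server consumes the string bytes directly as the AES-256 key only 128 bits of it are random — worth confirming against how `FLEET_SERVER_PRIVATE_KEY` is decoded. The enclosing function starts and ends outside the hunk.
```go
	_, err = os.Stat(pkFilename)
	if err != nil {
		if !errors.Is(err, os.ErrNotExist) {
			return fmt.Errorf("stat private key file: %w", err)
		}
		pk, err = generatePrivateKey(32) // use AES-256
		if err != nil {
			return fmt.Errorf("generating private key: %w", err)
		}
		// Key material: readable and writable by the owner only.
		if err := os.WriteFile(pkFilename, []byte(pk), 0o600); err != nil {
			return fmt.Errorf("writing private key file: %w", err)
		}
	}
	// … unchanged: read-back when pk is empty, Setenv calls …
```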