diff --git a/src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_custom_service.cs b/src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_custom_service.cs
new file mode 100644
index 00000000000..136bbd5f1e0
--- /dev/null
+++ b/src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_custom_service.cs
@@ -0,0 +1,75 @@
+namespace NServiceBus.AcceptanceTests.Encryption
+{
+    using System.Linq;
+    using NServiceBus.Encryption;
+    using System;
+    using EndpointTemplates;
+    using AcceptanceTesting;
+    using NUnit.Framework;
+    using ScenarioDescriptors;
+
+    public class When_using_encryption_with_custom_service : NServiceBusAcceptanceTest
+    {
+        [Test]
+        public void Should_receive_decrypted_message()
+        {
+            Scenario.Define<Context>()
+                    .WithEndpoint<Endpoint>(b => b.Given((bus, context) => bus.SendLocal(new MessageWithSecretData
+                        {
+                            Secret = "betcha can't guess my secret"
+                        })))
+                    .Done(c => c.Done)
+                    .Repeat(r => r.For<AllSerializers>())
+                    .Should(c => Assert.AreEqual("betcha can't guess my secret", c.Secret))
+                    .Run();
+        }
+
+        public class Context : ScenarioContext
+        {
+            public bool Done { get; set; }
+            public string Secret { get; set; }
+        }
+        
+        public class Endpoint : EndpointConfigurationBuilder
+        {
+            public Endpoint()
+            {
+                EndpointSetup<DefaultServer>(c => c.Configurer.RegisterSingleton<IEncryptionService>(new MyEncryptionService()));
+            }
+
+            public class Handler : IHandleMessages<MessageWithSecretData>
+            {
+                public Context Context { get; set; }
+
+                public void Handle(MessageWithSecretData message)
+                {
+                    Context.Secret = message.Secret.Value;
+                    Context.Done = true;
+                }
+            }
+        }
+
+        [Serializable]
+        public class MessageWithSecretData : IMessage
+        {
+            public WireEncryptedString Secret { get; set; }
+        }
+
+
+        public class MyEncryptionService : IEncryptionService
+        {
+            public EncryptedValue Encrypt(string value)
+            {
+                return new EncryptedValue
+                {
+                    EncryptedBase64Value = new string(value.Reverse().ToArray())
+                };
+            }
+
+            public string Decrypt(EncryptedValue encryptedValue)
+            {
+                return new string(encryptedValue.EncryptedBase64Value.Reverse().ToArray());
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_multikey.cs b/src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_multikey.cs
new file mode 100644
index 00000000000..60dbf90ce99
--- /dev/null
+++ b/src/NServiceBus.AcceptanceTests/Encryption/When_using_encryption_with_multikey.cs
@@ -0,0 +1,110 @@
+namespace NServiceBus.AcceptanceTests.Encryption
+{
+    using System;
+    using Config;
+    using Config.ConfigurationSource;
+    using EndpointTemplates;
+    using AcceptanceTesting;
+    using NUnit.Framework;
+    using ScenarioDescriptors;
+
+    public class When_using_encryption_with_multikey : NServiceBusAcceptanceTest
+    {
+        [Test]
+        public void Should_receive_decrypted_message()
+        {
+            Scenario.Define<Context>()
+                    .WithEndpoint<Sender>(b => b.Given((bus, context) => bus.Send(new MessageWithSecretData
+                        {
+                            Secret = "betcha can't guess my secret",
+                        })))
+                    .WithEndpoint<Receiver>()
+                    .Done(c => c.Done)
+                    .Repeat(r => r.For<AllSerializers>())
+                    .Should(c => Assert.AreEqual("betcha can't guess my secret", c.Secret))
+                    .Run();
+        }
+
+        public class Context : ScenarioContext
+        {
+            public bool Done { get; set; }
+
+            public string Secret { get; set; }
+        }
+
+        public class Sender : EndpointConfigurationBuilder
+        {
+            public Sender()
+            {
+                EndpointSetup<DefaultServer>(c => c.RijndaelEncryptionService())
+                    .AddMapping<MessageWithSecretData>(typeof(Receiver));
+            }
+
+            public class Handler : IHandleMessages<MessageWithSecretData>
+            {
+                public Context Context { get; set; }
+
+                public void Handle(MessageWithSecretData message)
+                {
+                    Context.Secret = message.Secret.Value;
+                    Context.Done = true;
+                }
+            }
+
+            public class ConfigureEncryption : IProvideConfiguration<RijndaelEncryptionServiceConfig>
+            {
+                public RijndaelEncryptionServiceConfig GetConfiguration()
+                {
+                    return new RijndaelEncryptionServiceConfig
+                    {
+                        Key = "gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"
+                    };
+                }
+            }
+        }
+
+        public class Receiver : EndpointConfigurationBuilder
+        {
+            public Receiver()
+            {
+                EndpointSetup<DefaultServer>(c => c.RijndaelEncryptionService());
+            }
+
+            public class Handler : IHandleMessages<MessageWithSecretData>
+            {
+                public Context Context { get; set; }
+
+                public void Handle(MessageWithSecretData message)
+                {
+                    Context.Secret = message.Secret.Value;
+                    Context.Done = true;
+                }
+            }
+
+            public class ConfigureEncryption : IProvideConfiguration<RijndaelEncryptionServiceConfig>
+            {
+                public RijndaelEncryptionServiceConfig GetConfiguration()
+                {
+                    return new RijndaelEncryptionServiceConfig
+                    {
+                        Key = "adDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6",
+                        ExpiredKeys = new RijndaelExpiredKeyCollection
+                        {
+                            new RijndaelExpiredKey
+                            {
+                                Key = "gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"
+                            }
+                        }
+                    };
+                }
+            }
+        }
+
+        [Serializable]
+        public class MessageWithSecretData : IMessage
+        {
+            public WireEncryptedString Secret { get; set; }
+        }
+
+    }
+}
\ No newline at end of file
diff --git a/src/NServiceBus.AcceptanceTests/NServiceBus.AcceptanceTests.csproj b/src/NServiceBus.AcceptanceTests/NServiceBus.AcceptanceTests.csproj
index ce50b3e1ac0..e8164a91dac 100644
--- a/src/NServiceBus.AcceptanceTests/NServiceBus.AcceptanceTests.csproj
+++ b/src/NServiceBus.AcceptanceTests/NServiceBus.AcceptanceTests.csproj
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <PropertyGroup>
@@ -115,6 +115,8 @@
     <Compile Include="BusStartStop\When_bus_start_and_stops_with_a_pending_message.cs" />
     <Compile Include="Configuration\When_a_config_override_is_found.cs" />
     <Compile Include="Encryption\When_using_encryption.cs" />
+    <Compile Include="Encryption\When_using_encryption_with_custom_service.cs" />
+    <Compile Include="Encryption\When_using_encryption_with_multikey.cs" />
     <Compile Include="EndpointTemplates\BusExtensions.cs" />
     <Compile Include="Gateway\When_sending_a_message_via_the_gateway.cs" />
     <Compile Include="Gateway\When_doing_request_response_between_sites.cs" />
diff --git a/src/NServiceBus.Core.Tests/Encryption/ConfigureRijndaelEncryptionServiceTests.cs b/src/NServiceBus.Core.Tests/Encryption/ConfigureRijndaelEncryptionServiceTests.cs
new file mode 100644
index 00000000000..2350c0009d9
--- /dev/null
+++ b/src/NServiceBus.Core.Tests/Encryption/ConfigureRijndaelEncryptionServiceTests.cs
@@ -0,0 +1,140 @@
+namespace NServiceBus.Core.Tests.Encryption
+{
+    using System;
+    using System.Configuration;
+    using System.IO;
+    using System.Linq;
+    using NServiceBus.Config;
+    using NUnit.Framework;
+
+    [TestFixture]
+    public class ConfigureRijndaelEncryptionServiceTests
+    {
+
+        [Test]
+        public void Can_read_from_xml()
+        {
+            var xml =
+@"<?xml version='1.0' encoding='utf-8' standalone='yes'?>
+<configuration>
+    <configSections>
+        <section 
+            name='RijndaelEncryptionServiceConfig' 
+            type='NServiceBus.Config.RijndaelEncryptionServiceConfig, NServiceBus.Core'/>
+</configSections>
+<RijndaelEncryptionServiceConfig Key='key1'>
+  <ExpiredKeys>
+    <add Key='key2' />
+    <add Key='key3' />
+  </ExpiredKeys>
+</RijndaelEncryptionServiceConfig>
+</configuration>";
+
+            var section = ReadSectionFromText<RijndaelEncryptionServiceConfig>(xml);
+            var keys = section.ExpiredKeys.Cast<RijndaelExpiredKey>()
+                .Select(x=>x.Key)
+                .ToList();
+            Assert.AreEqual("key1", section.Key);
+            Assert.AreEqual(2,keys.Count);
+            Assert.Contains("key2",keys);
+            Assert.Contains("key3",keys);
+        }
+
+        static T ReadSectionFromText<T>(string s) where T: ConfigurationSection
+        {
+            var xml = s.Replace("'", "\"");
+            var tempPath = Path.GetTempFileName();
+            try
+            {
+                File.WriteAllText(tempPath, xml);
+
+                var fileMap = new ExeConfigurationFileMap
+                {
+                    ExeConfigFilename = tempPath
+                };
+
+                var configuration = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
+                return (T) configuration.GetSection(typeof(T).Name);
+            }
+            finally
+            {
+                if (File.Exists(tempPath))
+                {
+                    File.Delete(tempPath);
+                }
+            }
+        }
+
+        [Test]
+        public void Should_throw_for_whitespace_keys_in_config()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey
+                    {
+                        Key = " "
+                    }
+                }
+            };
+            var exception = Assert.Throws<Exception>(() => ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config));
+            Assert.AreEqual("The RijndaelEncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no data.", exception.Message);
+        }
+
+        [Test]
+        public void Should_throw_for_null_keys_in_config()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey()
+                }
+            };
+            var exception = Assert.Throws<Exception>(() => ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config));
+            Assert.AreEqual("The RijndaelEncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no data.", exception.Message);
+        }
+
+        [Test]
+        public void Should_for_duplicate_between_key_and_keys_in_config()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                Key = "a",
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey
+                    {
+                        Key = "a"
+                    }
+                }
+            };
+            var exception = Assert.Throws<Exception>(() => ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config));
+            Assert.AreEqual("The RijndaelEncryptionServiceConfig has a 'Key' that is also defined inside the 'ExpiredKeys'.", exception.Message);
+        }
+
+        [Test]
+        public void Duplicates_should_be_skipped()
+        {
+            var config = new RijndaelEncryptionServiceConfig
+            {
+                ExpiredKeys = new RijndaelExpiredKeyCollection
+                {
+                    new RijndaelExpiredKey
+                    {
+                        Key = "a"
+                    },
+                    new RijndaelExpiredKey
+                    {
+                        Key = "a"
+                    }
+                }
+            };
+            var keys = ConfigureRijndaelEncryptionService.ExtractExpiredKeysFromConfigSection(config);
+
+            Assert.That(new[]{"a"}, Is.EquivalentTo(keys));
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/src/NServiceBus.Core.Tests/Encryption/EncryptionServiceTests.cs b/src/NServiceBus.Core.Tests/Encryption/EncryptionServiceTests.cs
new file mode 100644
index 00000000000..f9648b250d2
--- /dev/null
+++ b/src/NServiceBus.Core.Tests/Encryption/EncryptionServiceTests.cs
@@ -0,0 +1,94 @@
+namespace NServiceBus.Core.Tests.Encryption
+{
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Security.Cryptography;
+    using System.Text;
+    using NServiceBus.Encryption;
+    using NServiceBus.Encryption.Rijndael;
+    using NUnit.Framework;
+
+    [TestFixture]
+    public class EncryptionServiceTests
+    {
+        [Test]
+        public void Should_encrypt_and_decrypt()
+        {
+            var service = (IEncryptionService)new EncryptionService
+            {
+                Key = Encoding.ASCII.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6")
+            };
+            var encryptedValue = service.Encrypt("string to encrypt");
+            Assert.AreNotEqual("string to encrypt", encryptedValue.EncryptedBase64Value);
+            var decryptedValue = service.Decrypt(encryptedValue);
+            Assert.AreEqual("string to encrypt", decryptedValue);
+        }
+
+        [Test]
+        public void Should_encrypt_and_decrypt_for_expired_key()
+        {
+            var service1 = (IEncryptionService)new EncryptionService
+            {
+                Key = Encoding.ASCII.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"),
+            };
+            var encryptedValue = service1.Encrypt("string to encrypt");
+            Assert.AreNotEqual("string to encrypt", encryptedValue.EncryptedBase64Value);
+
+
+            var service2 = (IEncryptionService)new EncryptionService
+            {
+                Key = Encoding.ASCII.GetBytes("adDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"),
+                ExpiredKeys = new List<byte[]>
+                {
+                    Encoding.ASCII.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6")
+                }
+            };
+
+            var decryptedValue = service2.Decrypt(encryptedValue);
+            Assert.AreEqual("string to encrypt", decryptedValue);
+        }
+
+        [Test]
+        public void Should_throw_when_decrypt_with_wrong_key()
+        {
+            var service1 = (IEncryptionService)new EncryptionService
+            {
+                Key = Encoding.ASCII.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"),
+            };
+            var encryptedValue = service1.Encrypt("string to encrypt");
+            Assert.AreNotEqual("string to encrypt", encryptedValue.EncryptedBase64Value);
+
+            var invalidKey = "adDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6";
+            var invalidExpiredKeys = new List<string> { "bdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6" };
+
+            var service2 = (IEncryptionService)new EncryptionService
+            {
+                Key = Encoding.ASCII.GetBytes(invalidKey),
+                ExpiredKeys = invalidExpiredKeys.Select(s => Encoding.ASCII.GetBytes(s)).ToList()
+            };
+
+            var exception = Assert.Throws<AggregateException>(() => service2.Decrypt(encryptedValue));
+            Assert.AreEqual("Could not decrypt message. Tried 2 keys.", exception.Message);
+            Assert.AreEqual(2, exception.InnerExceptions.Count);
+            foreach (var inner in exception.InnerExceptions)
+            {
+                Assert.IsInstanceOf<CryptographicException>(inner);
+            }
+        }
+
+        [Test]
+        public void Should_throw_when_encrypt_and_decrypt_keys_are_too_similar()
+        {
+            var key = Encoding.ASCII.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6");
+            var service = new EncryptionService
+            {
+                Key = key,
+                ExpiredKeys = new List<byte[]> { key } //note that we use the same key to get the code to throw
+            };
+            var exception = Assert.Throws<Exception>(service.VerifyKeysAreNotTooSimilar);
+
+            Assert.AreEqual("The new Encryption Key is too similar to the Expired Key at index 0. This can cause issues when decrypting data. To fix this issue please ensure the new encryption key is not too similar to the existing Expired Keys.", exception.Message);
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NServiceBus.Core.Tests/NServiceBus.Core.Tests.csproj b/src/NServiceBus.Core.Tests/NServiceBus.Core.Tests.csproj
index ca8306809c8..625bd7f6920 100644
--- a/src/NServiceBus.Core.Tests/NServiceBus.Core.Tests.csproj
+++ b/src/NServiceBus.Core.Tests/NServiceBus.Core.Tests.csproj
@@ -136,11 +136,13 @@
     <Compile Include="DataBus\When_applying_the_databus_message_mutator_to_null_properties.cs" />
     <Compile Include="DataBus\When_applying_the_databus_message_mutator_to_outgoing_messages.cs" />
     <Compile Include="DataBus\When_nservicebus_is_initalizing.cs" />
+    <Compile Include="Encryption\ConfigureRijndaelEncryptionServiceTests.cs" />
     <Compile Include="Encryption\ConventionBasedEncryptedStringSpecs.cs" />
     <Compile Include="Encryption\FakeEncryptionService.cs" />
     <Compile Include="Encryption\Issue_701.cs" />
     <Compile Include="Encryption\Issue_949.cs" />
     <Compile Include="Encryption\Mailing_list_complex_dto.cs" />
+    <Compile Include="Encryption\EncryptionServiceTests.cs" />
     <Compile Include="Encryption\WireEncryptedStringSpecs.cs" />
     <Compile Include="Fakes\FakeBus.cs" />
     <Compile Include="Fakes\FakeTransport.cs" />
diff --git a/src/NServiceBus.Core/Config/RijndaelEncryptionServiceConfig.cs b/src/NServiceBus.Core/Config/RijndaelEncryptionServiceConfig.cs
index ace203d982e..fcf67ecd3e7 100644
--- a/src/NServiceBus.Core/Config/RijndaelEncryptionServiceConfig.cs
+++ b/src/NServiceBus.Core/Config/RijndaelEncryptionServiceConfig.cs
@@ -19,5 +19,20 @@ public string Key
                 this["Key"] = value;
             }
         }
+        /// <summary>
+        /// Contains the expired decryptions that are currently being phased out.
+        /// </summary>
+        [ConfigurationProperty("ExpiredKeys", IsRequired = false)]
+        public RijndaelExpiredKeyCollection ExpiredKeys
+        {
+            get
+            {
+                return this["ExpiredKeys"] as RijndaelExpiredKeyCollection;
+            }
+            set
+            {
+                this["ExpiredKeys"] = value;
+            }
+        }
     }
 }
diff --git a/src/NServiceBus.Core/Config/RijndaelExpiredKey.cs b/src/NServiceBus.Core/Config/RijndaelExpiredKey.cs
new file mode 100644
index 00000000000..1274b1029b8
--- /dev/null
+++ b/src/NServiceBus.Core/Config/RijndaelExpiredKey.cs
@@ -0,0 +1,35 @@
+namespace NServiceBus.Config
+{
+    using System;
+    using System.Configuration;
+
+    /// <summary>
+    /// A configuration element representing a Rijndael encryption key.
+    /// </summary>
+    public class RijndaelExpiredKey : ConfigurationElement, IComparable<RijndaelExpiredKey>
+    {
+
+        /// <summary>
+        /// The keys value.
+        /// </summary>
+        [ConfigurationProperty("Key", IsRequired = true)]
+        public string Key
+        {
+            get
+            {
+                return (string)this["Key"];
+            }
+            set
+            {
+                this["Key"] = value;
+            }
+        }
+
+
+        int IComparable<RijndaelExpiredKey>.CompareTo(RijndaelExpiredKey other)
+        {
+            return String.Compare(Key, other.Key, StringComparison.Ordinal);
+        }
+
+    }
+}
\ No newline at end of file
diff --git a/src/NServiceBus.Core/Config/RijndaelExpiredKeyCollection.cs b/src/NServiceBus.Core/Config/RijndaelExpiredKeyCollection.cs
new file mode 100644
index 00000000000..352b1eb788e
--- /dev/null
+++ b/src/NServiceBus.Core/Config/RijndaelExpiredKeyCollection.cs
@@ -0,0 +1,148 @@
+namespace NServiceBus.Config
+{
+    using System;
+    using System.Configuration;
+
+    /// <summary>
+    /// A configuration element collection of <see cref="RijndaelExpiredKey"/>s.
+    /// </summary>
+    public class RijndaelExpiredKeyCollection : ConfigurationElementCollection
+    {
+        /// <summary>
+        /// Returns AddRemoveClearMap.
+        /// </summary>
+        public override ConfigurationElementCollectionType CollectionType
+        {
+            get
+            {
+                return ConfigurationElementCollectionType.AddRemoveClearMap;
+            }
+        }
+
+        /// <summary>
+        /// Creates a new <see cref="RijndaelExpiredKey"/>.
+        /// </summary>
+        protected override ConfigurationElement CreateNewElement()
+        {
+            return new RijndaelExpiredKey();
+        }
+
+        /// <summary>
+        /// Creates a new <see cref="RijndaelExpiredKey"/>, setting its <see cref="RijndaelExpiredKey.Key"/> property to the given value.
+        /// </summary>
+        protected override ConfigurationElement CreateNewElement(string elementName)
+        {
+            return new RijndaelExpiredKey
+            {
+                Key = elementName
+            };
+        }
+
+        /// <summary>
+        /// Returns the Messages property of the given <see cref="RijndaelExpiredKey"/> element.
+        /// </summary>
+        protected override Object GetElementKey(ConfigurationElement element)
+        {
+            var encryptionKey = (RijndaelExpiredKey)element;
+
+            return encryptionKey.Key;
+        }
+
+        /// <summary>
+        /// Gets/sets the <see cref="RijndaelExpiredKey"/> at the given index.
+        /// </summary>
+        public RijndaelExpiredKey this[int index]
+        {
+            get
+            {
+                return (RijndaelExpiredKey)BaseGet(index);
+            }
+            set
+            {
+                if (BaseGet(index) != null)
+                {
+                    BaseRemoveAt(index);
+                }
+                BaseAdd(index, value);
+            }
+        }
+
+        /// <summary>
+        /// Gets the <see cref="RijndaelExpiredKey"/> for the given key.
+        /// </summary>
+        new public RijndaelExpiredKey this[string key]
+        {
+            get
+            {
+                return (RijndaelExpiredKey)BaseGet(key);
+            }
+        }
+
+        /// <summary>
+        /// Calls BaseIndexOf on the given <see cref="RijndaelExpiredKey"/>.
+        /// </summary>
+        public int IndexOf(RijndaelExpiredKey encryptionKey)
+        {
+            return BaseIndexOf(encryptionKey);
+        }
+
+        /// <summary>
+        /// Calls BaseAdd.
+        /// </summary>
+        public void Add(RijndaelExpiredKey encryptionKey)
+        {
+            BaseAdd(encryptionKey);
+        }
+
+        /// <summary>
+        /// Calls BaseAdd with true as the additional parameter.
+        /// </summary>
+        protected override void BaseAdd(ConfigurationElement element)
+        {
+            BaseAdd(element, true);
+        }
+
+        /// <summary>
+        /// If the key exists, calls BaseRemove on it.
+        /// </summary>
+        public void Remove(RijndaelExpiredKey encryptionKey)
+        {
+            if (BaseIndexOf(encryptionKey) >= 0)
+            {
+                BaseRemove(encryptionKey.Key);
+            }
+        }
+
+        /// <summary>
+        /// Calls BaseRemoveAt.
+        /// </summary>
+        public void RemoveAt(int index)
+        {
+            BaseRemoveAt(index);
+        }
+
+        /// <summary>
+        /// Calls BaseRemove.
+        /// </summary>
+        public void Remove(string name)
+        {
+            BaseRemove(name);
+        }
+
+        /// <summary>
+        /// Calls BaseClear.
+        /// </summary>
+        public void Clear()
+        {
+            BaseClear();
+        }
+
+        /// <summary>
+        /// True if the collection is readonly
+        /// </summary>
+        public override bool IsReadOnly()
+        {
+            return false;
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NServiceBus.Core/ConfigureRijndaelEncryptionService.cs b/src/NServiceBus.Core/ConfigureRijndaelEncryptionService.cs
index 6ba9beb7477..bcfb0bd6884 100644
--- a/src/NServiceBus.Core/ConfigureRijndaelEncryptionService.cs
+++ b/src/NServiceBus.Core/ConfigureRijndaelEncryptionService.cs
@@ -1,7 +1,11 @@
 namespace NServiceBus
 {
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
     using System.Text;
     using Config;
+    using Encryption;
     using Encryption.Rijndael;
     using Logging;
 
@@ -22,14 +26,52 @@ public static Configure RijndaelEncryptionService(this Configure config)
             if (section == null)
                 Logger.Warn("Could not find configuration section for Rijndael Encryption Service.");
 
-            var encryptConfig = config.Configurer.ConfigureComponent<EncryptionService>(DependencyLifecycle.SingleInstance);
+            var encryptionService = new EncryptionService();
 
             if (section != null)
-                encryptConfig.ConfigureProperty(s => s.Key, Encoding.ASCII.GetBytes(section.Key));
+            {
+                if (string.IsNullOrWhiteSpace(section.Key))
+                {
+                    throw new Exception("The RijndaelEncryptionServiceConfig has an empty 'Key' attribute.");
+                }
+                var expiredKeys = ExtractExpiredKeysFromConfigSection(section);
+
+                encryptionService.Key = Encoding.ASCII.GetBytes(section.Key);
+                encryptionService.ExpiredKeys = expiredKeys.Select(x => Encoding.ASCII.GetBytes(x)).ToList();
+            }
+
+            encryptionService.VerifyKeysAreNotTooSimilar();
+
+            config.Configurer.RegisterSingleton<IEncryptionService>(encryptionService);
 
             return config;
         }
 
+        internal static List<string> ExtractExpiredKeysFromConfigSection(RijndaelEncryptionServiceConfig section)
+        {
+            if (section.ExpiredKeys == null)
+            {
+                return new List<string>();
+            }
+            var encryptionKeys = section.ExpiredKeys
+                .Cast<RijndaelExpiredKey>()
+                .Select(x => x.Key)
+                .ToList();
+            if (encryptionKeys.Any(string.IsNullOrWhiteSpace))
+            {
+                throw new Exception("The RijndaelEncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no data.");
+            }
+            if (encryptionKeys.Any(x => x == section.Key))
+            {
+                throw new Exception("The RijndaelEncryptionServiceConfig has a 'Key' that is also defined inside the 'ExpiredKeys'.");
+            }
+
+            if (encryptionKeys.Count != encryptionKeys.Distinct().Count())
+            {
+                throw new Exception("The RijndaelEncryptionServiceConfig has overlapping ExpiredKeys defined. Please ensure that no keys overlap in the 'ExpiredKeys' property.");
+            }
+            return encryptionKeys;
+        }
         private static readonly ILog Logger = LogManager.GetLogger(typeof(RijndaelEncryptionServiceConfig));
     }
-}
+}
\ No newline at end of file
diff --git a/src/NServiceBus.Core/Encryption/Rijndael/EncryptionService.cs b/src/NServiceBus.Core/Encryption/Rijndael/EncryptionService.cs
index 6059f98269a..9d12dbcf32e 100644
--- a/src/NServiceBus.Core/Encryption/Rijndael/EncryptionService.cs
+++ b/src/NServiceBus.Core/Encryption/Rijndael/EncryptionService.cs
@@ -1,6 +1,7 @@
 namespace NServiceBus.Encryption.Rijndael
 {
     using System;
+    using System.Collections.Generic;
     using System.IO;
     using System.Security.Cryptography;
     using Logging;
@@ -17,6 +18,11 @@ public class EncryptionService : IEncryptionService
         /// </summary>
         public byte[] Key { get; set; }
 
+        /// <summary>
+        /// Expired keys that are being phased out but still used for decryption
+        /// </summary>
+        public List<byte[]> ExpiredKeys { get; set; }
+
         string IEncryptionService.Decrypt(EncryptedValue encryptedValue)
         {
             if (Key == null)
@@ -25,13 +31,36 @@ string IEncryptionService.Decrypt(EncryptedValue encryptedValue)
                 return encryptedValue.EncryptedBase64Value;
             }
 
-            var encrypted = Convert.FromBase64String(encryptedValue.EncryptedBase64Value);
+            var decryptionKeys = new List<byte[]> { Key };
+            if (ExpiredKeys != null)
+            {
+                decryptionKeys.AddRange(ExpiredKeys);
+            }
+            var cryptographicExceptions = new List<CryptographicException>();
+
+            foreach (var key in decryptionKeys)
+            {
+                try
+                {
+                    return Decrypt(encryptedValue, key);
+                }
+                catch (CryptographicException exception)
+                {
+                    cryptographicExceptions.Add(exception);
+                }
+            }
+            var message = string.Format("Could not decrypt message. Tried {0} keys.", decryptionKeys.Count);
+            throw new AggregateException(message, cryptographicExceptions);
+        }
+
+        static string Decrypt(EncryptedValue encryptedValue, byte[] key)
+        {
             using (var rijndael = new RijndaelManaged())
             {
-                rijndael.Key = Key;
+                var encrypted = Convert.FromBase64String(encryptedValue.EncryptedBase64Value);
                 rijndael.IV = Convert.FromBase64String(encryptedValue.Base64Iv);
                 rijndael.Mode = CipherMode.CBC;
-
+                rijndael.Key = key;
                 using (var decryptor = rijndael.CreateDecryptor())
                 using (var memoryStream = new MemoryStream(encrypted))
                 using (var cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
@@ -71,6 +100,29 @@ EncryptedValue IEncryptionService.Encrypt(string value)
             }
         }
 
-        private static readonly ILog Logger = LogManager.GetLogger(typeof (EncryptionService));
+        internal void VerifyKeysAreNotTooSimilar()
+        {
+            for (var index = 0; index < ExpiredKeys.Count; index++)
+            {
+                var decryption = ExpiredKeys[index];
+                CryptographicException exception = null;
+                var encryptedValue = ((IEncryptionService)this).Encrypt("a");
+                try
+                {
+                    Decrypt(encryptedValue, decryption);
+                }
+                catch (CryptographicException cryptographicException)
+                {
+                    exception = cryptographicException;
+                }
+                if (exception == null)
+                {
+                    var message = string.Format("The new Encryption Key is too similar to the Expired Key at index {0}. This can cause issues when decrypting data. To fix this issue please ensure the new encryption key is not too similar to the existing Expired Keys.", index);
+                    throw new Exception(message);
+                }
+            }
+        }
+
+        static readonly ILog Logger = LogManager.GetLogger(typeof(EncryptionService));
     }
-}
+}
\ No newline at end of file
diff --git a/src/NServiceBus.Core/NServiceBus.Core.csproj b/src/NServiceBus.Core/NServiceBus.Core.csproj
index 4cea400476f..562bab321d2 100644
--- a/src/NServiceBus.Core/NServiceBus.Core.csproj
+++ b/src/NServiceBus.Core/NServiceBus.Core.csproj
@@ -103,6 +103,8 @@
     <Compile Include="Hosting\Helpers\SkippedFile.cs" />
     <Compile Include="Installation\GatewayHttpListenerInstaller.cs" />
     <Compile Include="Installation\ElevateChecker.cs" />
+    <Compile Include="Config\RijndaelExpiredKey.cs" />
+    <Compile Include="Config\RijndaelExpiredKeyCollection.cs" />
     <Compile Include="Persistence\Raven\RavenUserInstaller.cs" />
     <Compile Include="Installation\PerformanceMonitorUsersInstaller.cs" />
     <Compile Include="Gateway\GatewayExtensions.cs" />