diff --git a/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs b/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs
index fd76c82fb..4d138a378 100644
--- a/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs
+++ b/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs
@@ -15,16 +15,15 @@ public static void AddDataProtectionService(this IServiceCollection services, IC
          var dpTargetPath = "@/srv/app/storage";
 
          if (Directory.Exists(dpTargetPath)) {
+            dp.PersistKeysToFileSystem(new DirectoryInfo(dpTargetPath));
+
             // If a Key Vault Key URI is defined, expect to encrypt the keys.xml
             string kvProtectionKeyUri = configuration.GetValue<string>("DataProtection:KeyVaultKey");
 
             if (!string.IsNullOrWhiteSpace(kvProtectionKeyUri))
             {
-               throw new InvalidOperationException("DataProtection:Path is undefined or empty");
+               dp.ProtectKeysWithAzureKeyVault(new Uri(kvProtectionKeyUri), new DefaultAzureCredential());
             }
-
-            dp.PersistKeysToFileSystem(new DirectoryInfo(dpTargetPath));
-            dp.ProtectKeysWithAzureKeyVault(new Uri(kvProtectionKeyUri), new DefaultAzureCredential());
          }
       }
    }