diff --git a/cmd/admin-handlers-config-kv.go b/cmd/admin-handlers-config-kv.go
index c65a13d8a..49f8a2659 100644
--- a/cmd/admin-handlers-config-kv.go
+++ b/cmd/admin-handlers-config-kv.go
@@ -183,7 +183,9 @@ func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Requ
 	}
 
 	// Make sure to write backend is encrypted
-	saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	if globalConfigEncrypted {
+		saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	}
 }
 
 // GetConfigKVHandler - GET /minio/admin/v2/get-config-kv?key={key}
@@ -447,7 +449,9 @@ func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Reques
 	}
 
 	// Make sure to write backend is encrypted
-	saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	if globalConfigEncrypted {
+		saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	}
 
 	// Reply to the client before restarting minio server.
 	writeSuccessResponseHeadersOnly(w)
diff --git a/cmd/config-encrypted.go b/cmd/config-encrypted.go
index 0d05e445b..11ebdf680 100644
--- a/cmd/config-encrypted.go
+++ b/cmd/config-encrypted.go
@@ -19,11 +19,12 @@ package cmd
 import (
 	"bytes"
 	"context"
+	"errors"
 	"os"
 	"strings"
+	"unicode/utf8"
 
 	etcd "github.com/coreos/etcd/clientv3"
-	jsoniter "github.com/json-iterator/go"
 	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
@@ -260,11 +261,8 @@ func migrateIAMConfigsEtcdToEncrypted(client *etcd.Client) error {
 			data = cdata
 		}
 
-		// Attempt to unmarshal JSON content
-		var dummy map[string]interface{}
-		var json = jsoniter.ConfigCompatibleWithStandardLibrary
-		if err = json.Unmarshal(data, &dummy); err != nil {
-			return err
+		if !utf8.Valid(data) {
+			return errors.New("config data not in plain-text form")
 		}
 
 		cencdata, err = madmin.EncryptData(globalActiveCred.String(), data)
@@ -335,11 +333,8 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, activeCredOld auth.Crede
 				data = cdata
 			}
 
-			// Attempt to unmarshal JSON content
-			var dummy map[string]interface{}
-			var json = jsoniter.ConfigCompatibleWithStandardLibrary
-			if err = json.Unmarshal(data, &dummy); err != nil {
-				return err
+			if !utf8.Valid(data) {
+				return errors.New("config data not in plain-text form")
 			}
 
 			cencdata, err = madmin.EncryptData(globalActiveCred.String(), data)
diff --git a/cmd/logger/config.go b/cmd/logger/config.go
index 978a7dcc9..285e6dae0 100644
--- a/cmd/logger/config.go
+++ b/cmd/logger/config.go
@@ -193,7 +193,7 @@ func LookupConfig(scfg config.Config) (Config, error) {
 		if starget != config.Default {
 			authTokenEnv = EnvLoggerHTTPAuditAuthToken + config.Default + starget
 		}
-		cfg.HTTP[starget] = HTTP{
+		cfg.Audit[starget] = HTTP{
 			Enabled:   true,
 			Endpoint:  endpoint,
 			AuthToken: env.Get(authTokenEnv, kv.Get(AuthToken)),