diff --git a/command/seal_migration_test.go b/command/seal_migration_test.go
index 6383630f397c..67c3d46e463a 100644
--- a/command/seal_migration_test.go
+++ b/command/seal_migration_test.go
@@ -41,6 +41,7 @@ func TestSealMigration(t *testing.T) {
 NumCores: 1,
 }
+ ctx := context.Background()
 var keys []string
 var rootToken string
@@ -111,7 +112,7 @@ func TestSealMigration(t *testing.T) {
 newSeal := vault.NewAutoSeal(seal.NewTestSeal(logger))
 newSeal.SetCore(core)
 autoSeal = newSeal
- if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{
+ if err := adjustCoreForSealMigration(ctx, core, coreConfig, newSeal, &server.Config{
 Seal: &server.Seal{
 Type: "test-auto",
 },
@@ -159,7 +160,7 @@ func TestSealMigration(t *testing.T) {
 client := cluster.Cores[0].Client
 client.SetToken(rootToken)
- if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
+ if err := core.UnsealWithStoredKeys(ctx); err != nil {
 t.Fatal(err)
 }
 resp, err := client.Sys().SealStatus()
@@ -186,7 +187,7 @@ func TestSealMigration(t *testing.T) {
 t.Fatal(err)
 }
 sealAccess := core.SealAccess()
- if err := sealAccess.VerifyRecoveryKey(context.Background(), recoveredKey); err != nil {
+ if err := sealAccess.VerifyRecoveryKey(ctx, recoveredKey); err != nil {
 t.Fatal(err)
 }
@@ -194,6 +195,11 @@ func TestSealMigration(t *testing.T) {
 cluster.Cores = nil
 }
+ // We should see stored barrier keys; after the next stanza, we shouldn't
+ if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry == nil {
+ t.Fatalf("expected nil error and non-nil entry, got error %#v and entry %#v", err, entry)
+ }
+
 // Fifth: create an autoseal and activate migration. Verify it doesn't work
 // if disabled isn't set.
 {
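Review bot: The added `phys.Get` check in the @@ -194,6 +195,11 hunk folds a storage error and a missing entry into one condition, and on failure it prints the whole entry with `%#v`, which for `StoredBarrierKeysPath` is the seal-wrapped unseal key blob; the @@ -247,6 +253,10 hunk repeats the pattern for the opposite expectation. Splitting the check makes the failure unambiguous and keeps key bytes out of test output: `entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath)`, then `if err != nil { t.Fatal(err) }`, then `if entry == nil { t.Fatal("expected stored barrier keys before migrating to shamir") }`. In the second hunk, reporting `entry.Key` instead of the entry itself is enough to diagnose a leftover. Only a test seal is in play here, so this is about not normalising key material in logs rather than an actual leak.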
@@ -210,11 +216,11 @@ func TestSealMigration(t *testing.T) {
 },
 }
- if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err == nil {
+ if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err == nil {
 t.Fatal("expected error since disabled isn't set true")
 }
 serverConf.Seal.Disabled = true
- if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err != nil {
+ if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err != nil {
 t.Fatal(err)
 }
@@ -247,6 +253,10 @@ func TestSealMigration(t *testing.T) {
 cluster.Cores = nil
 }
+ if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry != nil {
+ t.Fatalf("expected nil error and nil entry, got error %#v and entry %#v", err, entry)
+ }
+
 // Sixth: verify autoseal is off and the expected key shares work
 {
 coreConfig.Seal = shamirSeal
@@ -258,7 +268,7 @@ func TestSealMigration(t *testing.T) {
 client := cluster.Cores[0].Client
 client.SetToken(rootToken)
- if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
+ if err := core.UnsealWithStoredKeys(ctx); err != nil {
 t.Fatal(err)
 }
 resp, err := client.Sys().SealStatus()
diff --git a/vault/core.go b/vault/core.go
index ed27f54df955..034ef3a4add1 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -953,6 +953,11 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover
 return nil, errwrap.Wrapf("error rekeying barrier during migration: {{err}}", err)
 }
+ if err := c.barrier.Delete(ctx, StoredBarrierKeysPath); err != nil {
+ // Don't actually exit here as successful deletion isn't critical
+ c.logger.Error("error deleting stored barrier keys after migration; continuing anyways", "error", err)
+ }
+
 masterKey = recoveryKey
 }
diff --git a/vault/seal.go b/vault/seal.go
index b80288814547..08249a0aa15a 100644
--- a/vault/seal.go
+++ b/vault/seal.go
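Review bot: The cleanup added to `unsealPart` in vault/core.go deletes `StoredBarrierKeysPath` through `c.barrier`, while the autoseal code touched by this same commit reads that path with `d.core.physical.Get` and the new test checks it with `phys.Get`. Using `c.physical.Delete(ctx, StoredBarrierKeysPath)` would keep every access to the entry on one storage layer instead of relying on the barrier passing the key name through unchanged. A failed delete is only logged, so the seal-wrapped unseal keys can stay in storage after the migration with nothing retrying the removal. If the entry is stale once the rekey above succeeds, the comment should state that, e.g. `// Best effort: entry is no longer used after the rekey above; remove it manually if this fails`. The enclosing migration branch starts outside this hunk, so I am assuming this path runs only when migrating away from the autoseal.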
@@ -38,8 +38,8 @@ const (
 // recoveryKeyPath is the path to the recovery key
 recoveryKeyPath = "core/recovery-key"
- // storedBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
- storedBarrierKeysPath = "core/hsm/barrier-unseal-keys"
+ // StoredBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
+ StoredBarrierKeysPath = "core/hsm/barrier-unseal-keys"
 // hsmStoredIVPath is the path to the initialization vector for stored keys
 hsmStoredIVPath = "core/hsm/iv"
diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go
index 653f36796ace..1a46d26339e7 100644
--- a/vault/seal_autoseal.go
+++ b/vault/seal_autoseal.go
@@ -99,7 +99,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {
 // Store the seal configuration.
 pe := &physical.Entry{
- Key: storedBarrierKeysPath,
+ Key: StoredBarrierKeysPath,
 Value: value,
 }
@@ -113,7 +113,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {
 // GetStoredKeys retrieves the key shares by unwrapping the encrypted key using the
 // autoseal.
 func (d *autoSeal) GetStoredKeys(ctx context.Context) ([][]byte, error) {
- pe, err := d.core.physical.Get(ctx, storedBarrierKeysPath)
+ pe, err := d.core.physical.Get(ctx, StoredBarrierKeysPath)
 if err != nil {
 return nil, errwrap.Wrapf("failed to fetch stored keys: {{err}}", err)
 }