diff --git a/lib/puppet/resource_api/transport.rb b/lib/puppet/resource_api/transport.rb
index 438333f1..2bed256e 100644
--- a/lib/puppet/resource_api/transport.rb
+++ b/lib/puppet/resource_api/transport.rb
@@ -84,7 +84,7 @@ def self.wrap_sensitive(name, connection_info)
     transport_schema = @transports[@environment][name]
     if transport_schema
       transport_schema.definition[:connection_info].each do |attr_name, options|
-        if options.key?(:sensitive) && (options[:sensitive] == true)
+        if options.key?(:sensitive) && (options[:sensitive] == true) && connection_info.key?(attr_name)
           connection_info[attr_name] = Puppet::Pops::Types::PSensitiveType::Sensitive.new(connection_info[attr_name])
         end
       end
diff --git a/spec/puppet/resource_api/transport_spec.rb b/spec/puppet/resource_api/transport_spec.rb
index ad59697d..c3547477 100644
--- a/spec/puppet/resource_api/transport_spec.rb
+++ b/spec/puppet/resource_api/transport_spec.rb
@@ -333,32 +333,33 @@ class Wibble; end
   end
 
   describe '#wrap_sensitive(name, connection_info)' do
-    context 'when the connection info contains a `Sensitive` type' do
-      let(:schema) do
-        {
-          name: 'sensitive_transport',
-          desc: 'a  secret',
-          connection_info: {
-            secret: {
-              type:      'String',
-              desc:      'A secret to protect.',
-              sensitive:  true,
-            },
+    let(:schema) do
+      {
+        name: 'sensitive_transport',
+        desc: 'a  secret',
+        connection_info: {
+          secret: {
+            type:      'String',
+            desc:      'A secret to protect.',
+            sensitive:  true,
           },
-        }
-      end
-      let(:schema_def) { instance_double('Puppet::ResourceApi::TransportSchemaDef', 'schema_def') }
+        },
+      }
+    end
+    let(:schema_def) { instance_double('Puppet::ResourceApi::TransportSchemaDef', 'schema_def') }
+
+    before(:each) do
+      allow(Puppet::ResourceApi::TransportSchemaDef).to receive(:new).with(schema).and_return(schema_def)
+      described_class.register(schema)
+    end
+
+    context 'when the connection info contains a `Sensitive` type' do
       let(:connection_info) do
         {
           secret: 'sup3r_secret_str1ng',
         }
       end
 
-      before(:each) do
-        allow(Puppet::ResourceApi::TransportSchemaDef).to receive(:new).with(schema).and_return(schema_def)
-        described_class.register(schema)
-      end
-
       it 'wraps the value in a PSensitiveType' do
         allow(schema_def).to receive(:definition).and_return(schema)
 
@@ -367,5 +368,16 @@ class Wibble; end
         expect(conn_info[:secret].unwrap).to eq('sup3r_secret_str1ng')
       end
     end
+
+    context 'when the connection info does not contain a `Sensitive` type' do
+      let(:connection_info) { {} }
+
+      it 'wraps the value in a PSensitiveType' do
+        allow(schema_def).to receive(:definition).and_return(schema)
+
+        conn_info = described_class.send :wrap_sensitive, 'sensitive_transport', connection_info
+        expect(conn_info[:secret]).to be_nil
+      end
+    end
   end
 end