diff --git a/src/chef-server-ctl/plugins/rotate_credentials.rb b/src/chef-server-ctl/plugins/rotate_credentials.rb
index 2dfdd1180a..0448fdbfe2 100644
--- a/src/chef-server-ctl/plugins/rotate_credentials.rb
+++ b/src/chef-server-ctl/plugins/rotate_credentials.rb
@@ -221,7 +221,7 @@ def backup_secrets_file(backup_file = nil)
 def restore_secrets_file(backup_file)
 log("Restoring #{backup_file} to #{secrets_file_path}...")
- FileUtils.cp(secrets_file_path, backup_file)
+ FileUtils.cp(backup_file, secrets_file_path)
 end
 def secrets_file_path
diff --git a/src/chef-server-ctl/spec/rotate_credentials_spec.rb b/src/chef-server-ctl/spec/rotate_credentials_spec.rb
index 8dc6c735b8..901d19e853 100644
--- a/src/chef-server-ctl/spec/rotate_credentials_spec.rb
+++ b/src/chef-server-ctl/spec/rotate_credentials_spec.rb
@@ -169,6 +169,25 @@ def credentials
 end
 end
+ context "restore_secrets_file" do
+ it "copies the backup back over the live secrets file" do
+ allow(subject.ctl).to receive(:restore_secrets_file).and_call_original
+ allow(subject.ctl)
+ .to receive(:secrets_file_path)
+ .and_return("/etc/opscode/private-chef-secrets.json")
+
+ # The restore must copy backup -> live secrets file. Copying in the
+ # other direction would overwrite the only good backup with the
+ # (possibly broken) current secrets, making a failed rotation
+ # unrecoverable.
+ expect(FileUtils)
+ .to receive(:cp)
+ .with("/tmp/backup.json", "/etc/opscode/private-chef-secrets.json")
+
+ subject.ctl.send(:restore_secrets_file, "/tmp/backup.json")
+ end
+ end
+
 context "require_credential_rotation_pre_hook" do
 let(:credential_rotation_required_file) do
 "/tmp/var/opt/opscode/credential_rotation_required"
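Review bot: In `restore_secrets_file`, the corrected `FileUtils.cp(backup_file, secrets_file_path)` still rewrites the live secrets file in place, so a copy that fails partway (full disk, interrupted process) leaves a truncated secrets file on the very path meant to recover from a failed rotation. Copying to a temporary file in the same directory and renaming it over the target makes the restore all-or-nothing: `tmp = "#{secrets_file_path}.restore"`, `FileUtils.cp(backup_file, tmp, preserve: true)`, `File.rename(tmp, secrets_file_path)`. `preserve: true` carries the backup's mode and owner over to the restored file. Whether the backup itself is written with the restrictive mode a secrets file needs is not visible in this hunk and should be confirmed in `backup_secrets_file`.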
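Review bot: The new `restore_secrets_file` example only checks the arguments passed to a mocked `FileUtils.cp`, so it would still pass if the method also touched the backup or stopped using `cp` while copying in the right direction. Running the real method against two files in a temporary directory pins the outcome that matters: the live file ends up with the backup's contents and the backup is left unchanged. The sketch below assumes `subject.ctl` can run the original method for real, as the existing `and_call_original` suggests, and that `tmpdir` is already loaded by the spec helper.

```ruby
context "restore_secrets_file" do
  it "copies the backup back over the live secrets file" do
    # … unchanged: comment explaining why the copy direction matters …
    Dir.mktmpdir do |dir|
      backup = File.join(dir, "backup.json")
      live = File.join(dir, "private-chef-secrets.json")
      # constructed sample contents, only used to tell the two files apart
      File.write(backup, '{"state":"backup"}')
      File.write(live, '{"state":"broken"}')

      allow(subject.ctl).to receive(:restore_secrets_file).and_call_original
      allow(subject.ctl).to receive(:secrets_file_path).and_return(live)

      subject.ctl.send(:restore_secrets_file, backup)

      expect(File.read(live)).to eq('{"state":"backup"}')
      expect(File.read(backup)).to eq('{"state":"backup"}')
    end
  end
end
```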