diff --git a/src/cli/add_command.rs b/src/cli/add_command.rs
index 9bf6f2c..e543a4b 100644
--- a/src/cli/add_command.rs
+++ b/src/cli/add_command.rs
@@ -19,7 +19,7 @@ use clap::Args;
 use crate::{
     clap_parsers,
     utils,
-    vault::{Vault, Vaults},
+    vault::{cipher, Vault, Vaults},
     LprsCommand,
     LprsError,
     LprsResult,
@@ -64,10 +64,16 @@ impl Add {
 impl LprsCommand for Add {
     fn run(mut self, mut vault_manager: Vaults) -> LprsResult<()> {
         if !self.is_empty() {
+            if let Some(totp_secret) = utils::user_secret(self.totp_secret, "TOTP Secret:", false)?
+            {
+                cipher::base32_decode(&totp_secret).map_err(|_| {
+                    LprsError::Base32("Invalid TOTP secret, must be valid base32 string".to_owned())
+                })?;
+                self.vault_info.totp_secret = Some(totp_secret);
+            }
+
             self.vault_info.name = self.vault_info.name.trim().to_string();
             self.vault_info.password = utils::user_secret(self.password, "Vault password:", false)?;
-            self.vault_info.totp_secret =
-                utils::user_secret(self.totp_secret, "TOTP Secret:", false)?;
             self.vault_info.custom_fields = self.custom_fields.into_iter().collect();
             vault_manager.add_vault(self.vault_info);
             vault_manager.try_export()?;
diff --git a/src/cli/edit_command.rs b/src/cli/edit_command.rs
index e1606c6..8319f0a 100644
--- a/src/cli/edit_command.rs
+++ b/src/cli/edit_command.rs
@@ -16,7 +16,14 @@
 
 use clap::Args;
 
-use crate::{clap_parsers, utils, vault::Vaults, LprsCommand, LprsError, LprsResult};
+use crate::{
+    clap_parsers,
+    utils,
+    vault::{cipher, Vaults},
+    LprsCommand,
+    LprsError,
+    LprsResult,
+};
 
 #[derive(Debug, Args)]
 #[command(author, version, about, long_about = None)]
@@ -79,8 +86,11 @@ impl LprsCommand for Edit {
         if self.password.is_some() {
             vault.password = utils::user_secret(self.password, "New vault password:", false)?;
         }
-        if self.totp_secret.is_some() {
-            vault.totp_secret = utils::user_secret(self.totp_secret, "TOTP Secret:", false)?;
+        if let Some(totp_secret) = utils::user_secret(self.totp_secret, "TOTP Secret:", false)? {
+            cipher::base32_decode(&totp_secret).map_err(|_| {
+                LprsError::Base32("Invalid TOTP secret, must be valid base32 string".to_owned())
+            })?;
+            vault.totp_secret = Some(totp_secret);
         }
         if let Some(new_username) = self.username {
             vault.username = Some(new_username);