diff --git a/dek-registry/src/main/java/io/confluent/dekregistry/storage/DekRegistry.java b/dek-registry/src/main/java/io/confluent/dekregistry/storage/DekRegistry.java index 2aef510fb14..2290978eea2 100644 --- a/dek-registry/src/main/java/io/confluent/dekregistry/storage/DekRegistry.java +++ b/dek-registry/src/main/java/io/confluent/dekregistry/storage/DekRegistry.java @@ -427,6 +427,8 @@ private KeyEncryptionKey createKek(CreateKekRequest request) KeyEncryptionKey key = new KeyEncryptionKey(request.getName(), kmsType, request.getKmsKeyId(), kmsProps, request.getDoc(), request.isShared(), false); keys.put(keyId, key); + // Retrieve key with ts set + key = (KeyEncryptionKey) keys.get(keyId); return key; } @@ -516,6 +518,8 @@ private DataEncryptionKey createDek(String kekName, CreateDekRequest request) } } keys.put(keyId, key); + // Retrieve key with ts set + key = (DataEncryptionKey) keys.get(keyId); if (kek.isShared()) { key = generateRawDek(kek, key); } @@ -551,10 +555,11 @@ protected DataEncryptionKey generateRawDek(KeyEncryptionKey kek, DataEncryptionK String rawDekStr = new String(Base64.getEncoder().encode(rawDek), StandardCharsets.UTF_8); // Copy dek - key = new DataEncryptionKey(key.getKekName(), key.getSubject(), key.getVersion(), - key.getAlgorithm(), key.getEncryptedKeyMaterial(), key.isDeleted()); - key.setKeyMaterial(rawDekStr); - return key; + DataEncryptionKey newKey = new DataEncryptionKey(key.getKekName(), key.getSubject(), + key.getVersion(), key.getAlgorithm(), key.getEncryptedKeyMaterial(), key.isDeleted()); + newKey.setKeyMaterial(rawDekStr); + newKey.setTimestamp(key.getTimestamp()); + return newKey; } catch (GeneralSecurityException e) { log.error("Could not generate raw dek for " + key.getSubject(), e); throw new DekGenerationException("Could not generate raw dek for " + key.getSubject()); 
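Review bot: The read-back `key = (KeyEncryptionKey) keys.get(keyId);` in createKek is returned without a null check, so a miss in the store would hand the caller null instead of the key that was just written. The same pattern is added in createDek, where a null `key` would be passed to `generateRawDek(kek, key)` for a shared KEK and dereferenced there, and in putKek. Whether `keys.get` can miss directly after `keys.put` depends on the store implementation, which is not visible in this diff. If it can, keep the written instance as a fallback: `KeyEncryptionKey stored = (KeyEncryptionKey) keys.get(keyId); if (stored != null) { key = stored; }`. createKek's body starts outside the hunk.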
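Review bot: The field-by-field copy in generateRawDek is what dropped the timestamp, and `newKey.setTimestamp(key.getTimestamp());` repairs that one field while leaving the same trap for the next field added to DataEncryptionKey. A copy constructor or a single copy helper on DataEncryptionKey would keep the copy complete in one place. The `// Copy dek` comment should also say why a copy is made. Presumably it is so the plaintext key material is never set on the instance held in `keys`, e.g. `// Copy so raw key material is not attached to the stored instance`; confirm before wording it that way. The method body starts outside the hunk.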
@@ -624,6 +629,8 @@ private KeyEncryptionKey putKek(String name, UpdateKekRequest request) KeyEncryptionKey newKey = new KeyEncryptionKey(name, key.getKmsType(), key.getKmsKeyId(), kmsProps, doc, shared, false); keys.put(keyId, newKey); + // Retrieve key with ts set + newKey = (KeyEncryptionKey) keys.get(keyId); return newKey; } diff --git a/dek-registry/src/main/java/io/confluent/dekregistry/web/rest/resources/DekRegistryResource.java b/dek-registry/src/main/java/io/confluent/dekregistry/web/rest/resources/DekRegistryResource.java index 8736e8c2301..be60196f992 100644 --- a/dek-registry/src/main/java/io/confluent/dekregistry/web/rest/resources/DekRegistryResource.java +++ b/dek-registry/src/main/java/io/confluent/dekregistry/web/rest/resources/DekRegistryResource.java @@ -318,6 +318,11 @@ public void deleteKek( headers, getSchemaRegistry().config().whitelistHeaders()); try { + KeyEncryptionKey kek = dekRegistry.getKek(name, true); + if (kek == null) { + throw DekRegistryErrors.keyNotFoundException(name); + } + dekRegistry.deleteKekOrForward(name, permanentDelete, headerProperties); asyncResponse.resume(Response.status(204).build()); } catch (KeyNotSoftDeletedException e) { @@ -358,6 +363,15 @@ public void deleteDek( headers, getSchemaRegistry().config().whitelistHeaders()); try { + KeyEncryptionKey kek = dekRegistry.getKek(kekName, true); + if (kek == null) { + throw DekRegistryErrors.keyNotFoundException(kekName); + } + DataEncryptionKey key = dekRegistry.getDek(kekName, subject, algorithm, true); + if (key == null) { + throw DekRegistryErrors.keyNotFoundException(subject); + } + dekRegistry.deleteDekOrForward( kekName, subject, algorithm, permanentDelete, headerProperties); asyncResponse.resume(Response.status(204).build()); diff --git a/dek-registry/src/test/java/io/confluent/dekregistry/web/rest/RestApiTest.java b/dek-registry/src/test/java/io/confluent/dekregistry/web/rest/RestApiTest.java index 6951d61df2e..9c2717dc266 100644 
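Review bot: The existence check added to deleteKek calls `dekRegistry.getKek(name, true)` and then `deleteKekOrForward` as two separate steps, so a concurrent delete between them is not caught. If the request is forwarded, the node that performs the delete may also hold a different view from the one that answered the lookup; the forwarding behaviour is not visible here, so that part is an inference. Doing the not-found check inside the delete path that performs the write would give one consistent answer, and the same applies to the two lookups added in deleteDek. The `kek` local is used only for the null test, so `if (dekRegistry.getKek(name, true) == null)` is enough. The try block continues outside the hunk.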
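Review bot: In deleteDek the existence test `dekRegistry.getDek(kekName, subject, algorithm, true)` may do more than a lookup. If getDek returns decrypted key material for shared KEKs (the test's `dek2` built with `rawDekStr` suggests the read path does), a delete request would trigger a KMS decrypt and hold plaintext key material in memory only to compare the result with null. A KMS failure would then also fail the delete. A presence check that does not materialise the raw key would avoid both, if the registry can offer one. The not-found error also names only `subject`; including the KEK name and algorithm would make the response unambiguous for callers.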
--- a/dek-registry/src/test/java/io/confluent/dekregistry/web/rest/RestApiTest.java +++ b/dek-registry/src/test/java/io/confluent/dekregistry/web/rest/RestApiTest.java @@ -219,6 +219,7 @@ private void testBasic(Map headers) throws Exception { newDek = client.getDek(kekName, subject, algorithm, false); assertEquals(dek, newDek); + assertNotNull(newDek.getTimestamp()); // Create dek w/o key material try { @@ -230,6 +231,7 @@ private void testBasic(Map headers) throws Exception { newDek = client.getDek(kekName, subject, algorithm, false); assertEquals(dek, newDek); + assertNotNull(newDek.getTimestamp()); Kek kek2 = new Kek(kekName, kmsType, kmsKeyId, kmsProps, doc, true, null); @@ -244,11 +246,13 @@ private void testBasic(Map headers) throws Exception { Dek dek2 = new Dek(kekName, subject, 1, algorithm, encryptedDekStr, rawDekStr, null); newDek = client.getDek(kekName, subject, algorithm, true); assertEquals(dek2, newDek); + assertNotNull(newDek.getTimestamp()); // Create dek w/o key material, receive both encrypted and decrypted key material newDek = client.createDek(headers, kekName, subject2, algorithm, null); assertNotNull(newDek.getEncryptedKeyMaterial()); assertNotNull(newDek.getKeyMaterial()); + assertNotNull(newDek.getTimestamp()); List deks = client.listDeks(kekName, false); assertEquals(ImmutableList.of(subject, subject2), deks); @@ -278,6 +282,7 @@ private void testBasic(Map headers) throws Exception { newDek = client.getDek(kekName, subject, algorithm, true); assertEquals(dek2, newDek); + assertNotNull(newDek.getTimestamp()); deks = client.listDeks(kekName, false); assertEquals(ImmutableList.of(subject2), deks); 
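Review bot: The added `assertNotNull(newDek.getTimestamp());` checks cover DEK reads and createDek only, so nothing in these hunks asserts the timestamp on a KEK. createKek and putKek were changed in the same commit to return the re-read key. If Kek exposes the same accessor, an assertion after the KEK create and update calls in testBasic would cover those two paths, along the lines of `assertNotNull(newKek.getTimestamp());`. The variable name there is a guess, since those calls sit outside the hunks.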
@@ -302,6 +307,13 @@ private void testBasic(Map headers) throws Exception { } client.deleteDek(headers, kekName, subject, algorithm, true); + try { + client.deleteDek(headers, kekName, subject, algorithm, true); + fail(); + } catch (RestClientException e) { + assertEquals(DekRegistryErrors.KEY_NOT_FOUND_ERROR_CODE, e.getErrorCode()); + } + client.deleteDek(headers, kekName, subject2, algorithm, true); deks = client.listDeks(kekName, false); @@ -311,6 +323,12 @@ private void testBasic(Map headers) throws Exception { assertEquals(Collections.emptyList(), deks); client.deleteKek(headers, kekName, true); + try { + client.deleteKek(headers, kekName, true); + fail(); + } catch (RestClientException e) { + assertEquals(DekRegistryErrors.KEY_NOT_FOUND_ERROR_CODE, e.getErrorCode()); + } } @Test @@ -348,6 +366,7 @@ public void testUnknownKmsType() throws Exception { newDek = client.getDek(kekName, subject, algorithm, false); assertEquals(dek, newDek); + assertNotNull(newDek.getTimestamp()); // Create dek w/o key material, exception try {
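Review bot: The double-delete test for DEKs exercises only the second lookup added to deleteDek (KEK present, DEK gone), so the first branch, where the KEK itself is missing, is never hit. Repeating `client.deleteDek(headers, kekName, subject, algorithm, true);` in the same try/fail/catch shape after the final `client.deleteKek(headers, kekName, true);` would cover it. Both new blocks call `fail()` without a message; `fail("expected KEY_NOT_FOUND on second delete");` makes a regression easier to read.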