diff --git a/src/settings/nm-agent-manager.c b/src/settings/nm-agent-manager.c
index 5a1dfcba20..8a5ea1068a 100644
--- a/src/settings/nm-agent-manager.c
+++ b/src/settings/nm-agent-manager.c
@@ -846,10 +846,10 @@ check_system_secrets_cb (NMSetting *setting,
 		/* VPNs are special; need to handle each secret separately */
 		g_hash_table_iter_init (&iter, (GHashTable *) g_value_get_boxed (value));
 		while (g_hash_table_iter_next (&iter, (gpointer *) &secret_name, NULL)) {
-			if (nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL)) {
-				if (secret_flags == NM_SETTING_SECRET_FLAG_NONE)
-					*has_system = TRUE;
-			}
+			secret_flags = NM_SETTING_SECRET_FLAG_NONE;
+			nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL);
+			if (secret_flags == NM_SETTING_SECRET_FLAG_NONE)
+				*has_system = TRUE;
 		}
 	} else {
 		nm_setting_get_secret_flags (setting, key, &secret_flags, NULL);
diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
index 9c23ebed6a..6f54e330e5 100644
--- a/src/settings/nm-settings-connection.c
+++ b/src/settings/nm-settings-connection.c
@@ -178,10 +178,10 @@ only_system_secrets_cb (NMSetting *setting,
 
 			g_hash_table_iter_init (&iter, (GHashTable *) g_value_get_boxed (value));
 			while (g_hash_table_iter_next (&iter, (gpointer *) &secret_name, NULL)) {
-				if (nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL)) {
-					if (secret_flags != NM_SETTING_SECRET_FLAG_NONE)
-						nm_setting_vpn_remove_secret (NM_SETTING_VPN (setting), secret_name);
-				}
+				secret_flags = NM_SETTING_SECRET_FLAG_NONE;
+				nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL);
+				if (secret_flags != NM_SETTING_SECRET_FLAG_NONE)
+					nm_setting_vpn_remove_secret (NM_SETTING_VPN (setting), secret_name);
 			}
 		} else {
 			nm_setting_get_secret_flags (setting, key, &secret_flags, NULL);
@@ -482,7 +482,7 @@ for_each_secret (NMConnection *connection,
 		/* Walk through the list of keys in each setting hash */
 		g_hash_table_iter_init (&secret_iter, setting_hash);
 		while (g_hash_table_iter_next (&secret_iter, (gpointer) &secret_name, (gpointer) &val)) {
-			NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
+			NMSettingSecretFlags secret_flags = NM_SETTING_SECRET_FLAG_NONE;
 
 			/* VPN secrets need slightly different treatment here since the
 			 * "secrets" property is actually a hash table of secrets.
@@ -493,16 +493,15 @@ for_each_secret (NMConnection *connection,
 				/* Iterate through each secret from the VPN hash in the overall secrets hash */
 				g_hash_table_iter_init (&vpn_secrets_iter, g_value_get_boxed (val));
 				while (g_hash_table_iter_next (&vpn_secrets_iter, (gpointer) &secret_name, NULL)) {
-					if (nm_setting_get_secret_flags (setting, secret_name, &flags, NULL)) {
-						if (callback (&vpn_secrets_iter, flags, callback_data) == FALSE)
-							return;
-					}
-				}
-			} else {
-				if (nm_setting_get_secret_flags (setting, secret_name, &flags, NULL)) {
-					if (callback (&secret_iter, flags, callback_data) == FALSE)
+					secret_flags = NM_SETTING_SECRET_FLAG_NONE;
+					nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL);
+					if (callback (&vpn_secrets_iter, secret_flags, callback_data) == FALSE)
 						return;
 				}
+			} else {
+				nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL);
+				if (callback (&secret_iter, secret_flags, callback_data) == FALSE)
+					return;
 			}
 		}
 	}
@@ -1017,10 +1016,10 @@ only_agent_secrets_cb (NMSetting *setting,
 			/* VPNs are special; need to handle each secret separately */
 			g_hash_table_iter_init (&iter, (GHashTable *) g_value_get_boxed (value));
 			while (g_hash_table_iter_next (&iter, (gpointer *) &secret_name, NULL)) {
-				if (nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL)) {
-					if (secret_flags != NM_SETTING_SECRET_FLAG_AGENT_OWNED)
-						nm_setting_vpn_remove_secret (NM_SETTING_VPN (setting), secret_name);
-				}
+				secret_flags = NM_SETTING_SECRET_FLAG_NONE;
+				nm_setting_get_secret_flags (setting, secret_name, &secret_flags, NULL);
+				if (secret_flags != NM_SETTING_SECRET_FLAG_AGENT_OWNED)
+					nm_setting_vpn_remove_secret (NM_SETTING_VPN (setting), secret_name);
 			}
 		} else {
 			nm_setting_get_secret_flags (setting, key, &secret_flags, NULL);
diff --git a/src/settings/plugins/keyfile/writer.c b/src/settings/plugins/keyfile/writer.c
index 5ecf5891cf..eeb145560d 100644
--- a/src/settings/plugins/keyfile/writer.c
+++ b/src/settings/plugins/keyfile/writer.c
@@ -453,17 +453,22 @@ write_hash_of_string (GKeyFile *file,
 
 	g_hash_table_iter_init (&iter, (GHashTable *) g_value_get_boxed (value));
 	while (g_hash_table_iter_next (&iter, (gpointer *) &property, (gpointer *) &data)) {
-		NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
+		gboolean write_item = TRUE;
 
 		/* Handle VPN secrets specially; they are nested in the property's hash;
-		 * we don't want to write them if the secret is not saved or not required.
+		 * we don't want to write them if the secret is not saved, not required,
+		 * or owned by a user's secret agent.
 		 */
-		if (vpn_secrets && nm_setting_get_secret_flags (setting, property, &flags, NULL)) {
-			if (flags & (NM_SETTING_SECRET_FLAG_NOT_SAVED | NM_SETTING_SECRET_FLAG_NOT_REQUIRED))
-				continue;
+		if (vpn_secrets) {
+			NMSettingSecretFlags secret_flags = NM_SETTING_SECRET_FLAG_NONE;
+
+			nm_setting_get_secret_flags (setting, property, &secret_flags, NULL);
+			if (secret_flags != NM_SETTING_SECRET_FLAG_NONE)
+				write_item = FALSE;
 		}
 
-		g_key_file_set_string (file, group_name, property, data);
+		if (write_item)
+			g_key_file_set_string (file, group_name, property, data);
 	}
 }
 
@@ -799,7 +804,6 @@ write_setting_value (NMSetting *setting,
 	GType type = G_VALUE_TYPE (value);
 	KeyWriter *writer = &key_writers[0];
 	GParamSpec *pspec;
-	NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NONE;
 
 	/* Setting name gets picked up from the keyfile's section name instead */
 	if (!strcmp (key, NM_SETTING_NAME))
@@ -822,12 +826,17 @@ write_setting_value (NMSetting *setting,
 	}
 
 	/* Don't write secrets that are owned by user secret agents or aren't
-	 * supposed to be saved.
+	 * supposed to be saved.  VPN secrets are handled specially though since
+	 * the secret flags there are in a third-level hash in the 'secrets'
+	 * property.
 	 */
-	if (   (pspec->flags & NM_SETTING_PARAM_SECRET)
-	    && nm_setting_get_secret_flags (setting, key, &flags, NULL)
-	    && (flags != NM_SETTING_SECRET_FLAG_NONE))
-		return;
+	if (pspec->flags & NM_SETTING_PARAM_SECRET && !NM_IS_SETTING_VPN (setting)) {
+		NMSettingSecretFlags secret_flags = NM_SETTING_SECRET_FLAG_NONE;
+
+		nm_setting_get_secret_flags (setting, key, &secret_flags, NULL);
+		if (secret_flags != NM_SETTING_SECRET_FLAG_NONE)
+			return;
+	}
 
 	/* Look through the list of handlers for non-standard format key values */
 	while (writer->setting_name) {