diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenChangeKeyTokenOp.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenChangeKeyTokenOp.java
index 25b358c8c..3618731ab 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenChangeKeyTokenOp.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenChangeKeyTokenOp.java
@@ -102,11 +102,10 @@ public class SecurityTokenChangeKeyTokenOp {
         try {
             secretKey.unlock(passphrase);
 
+            byte[] attributesForSecretKey = createAttributesForSecretKey(slot, secretKey);
+            setKeyAttributes(adminPin, slot, attributesForSecretKey);
+
             OpenPgpCapabilities openPgpCapabilities = connection.getOpenPgpCapabilities();
-
-            setKeyAttributes(adminPin, slot, SecurityTokenUtils.attributesFromSecretKey(slot, secretKey,
-                    openPgpCapabilities.getFormatForKeyType(slot)));
-
             KeyFormat formatForKeyType = openPgpCapabilities.getFormatForKeyType(slot);
             switch (formatForKeyType.keyFormatType()) {
                 case RSAKeyFormatType:
@@ -152,6 +151,13 @@ public class SecurityTokenChangeKeyTokenOp {
         }
     }
 
+    private byte[] createAttributesForSecretKey(KeyType slot, CanonicalizedSecretKey secretKey) throws IOException {
+        OpenPgpCapabilities openPgpCapabilities = connection.getOpenPgpCapabilities();
+        KeyFormat formatForKeyType = openPgpCapabilities.getFormatForKeyType(slot);
+
+        return SecurityTokenUtils.attributesFromSecretKey(slot, secretKey, formatForKeyType);
+    }
+
     private void setKeyAttributes(Passphrase adminPin, KeyType keyType, byte[] data) throws IOException {
         if (!connection.getOpenPgpCapabilities().isAttributesChangable()) {
             return;