diff --git a/src/applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php b/src/applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php
index 18010efd73..387e01cb2e 100644
--- a/src/applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php
+++ b/src/applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php
@@ -63,9 +63,12 @@ final class PassphraseQueryConduitAPIMethod
 
       $material = array();
 
+      $is_locked = $credential->getIsLocked();
+      $allow_api = ($credential->getAllowConduit() && !$is_locked);
+
       $secret = null;
       if ($request->getValue('needSecrets')) {
-        if ($credential->getAllowConduit()) {
+        if ($allow_api) {
           $secret = $credential->getSecret();
           if ($secret) {
             $secret = $secret->openEnvelope();
@@ -102,7 +105,7 @@ final class PassphraseQueryConduitAPIMethod
           break;
       }
 
-      if (!$credential->getAllowConduit()) {
+      if (!$allow_api) {
         $material['noAPIAccess'] = pht(
           'This private material for this credential is not accessible via '.
           'API calls.');
diff --git a/src/applications/passphrase/controller/PassphraseCredentialConduitController.php b/src/applications/passphrase/controller/PassphraseCredentialConduitController.php
index b86d18c227..ce8f21f62d 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialConduitController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialConduitController.php
@@ -33,8 +33,22 @@ final class PassphraseCredentialConduitController
       throw new Exception(pht('Credential has invalid type "%s"!', $type));
     }
 
+    $is_locked = $credential->getIsLocked();
+
+    if ($is_locked) {
+      return $this->newDialog()
+        ->setUser($viewer)
+        ->setTitle(pht('Credential Locked'))
+        ->appendChild(
+          pht(
+            'This credential can not be made available via Conduit because '.
+            'it is locked.'))
+        ->addCancelButton($view_uri);
+    }
+
     if ($request->isFormPost()) {
       $xactions = array();
+
       $xactions[] = id(new PassphraseCredentialTransaction())
         ->setTransactionType(PassphraseCredentialTransaction::TYPE_CONDUIT)
         ->setNewValue(!$credential->getAllowConduit());
diff --git a/src/applications/passphrase/controller/PassphraseCredentialEditController.php b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
index a814b5dc72..bdb1802880 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialEditController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
@@ -270,8 +270,7 @@ final class PassphraseCredentialEditController extends PassphraseController {
     }
 
     if ($type->shouldRequireUsername()) {
-      $form
-      ->appendChild(
+      $form->appendChild(
         id(new AphrontFormTextControl())
           ->setName('username')
           ->setLabel(pht('Login/Username'))
@@ -279,13 +278,13 @@ final class PassphraseCredentialEditController extends PassphraseController {
           ->setDisabled($credential_is_locked)
           ->setError($e_username));
     }
-       $form
-       ->appendChild(
-        $secret_control
-          ->setName('secret')
-          ->setLabel($type->getSecretLabel())
-          ->setDisabled($credential_is_locked)
-          ->setValue($v_secret));
+
+    $form->appendChild(
+      $secret_control
+        ->setName('secret')
+        ->setLabel($type->getSecretLabel())
+        ->setDisabled($credential_is_locked)
+        ->setValue($v_secret));
 
     if ($type->shouldShowPasswordField()) {
       $form->appendChild(
diff --git a/src/applications/passphrase/controller/PassphraseCredentialLockController.php b/src/applications/passphrase/controller/PassphraseCredentialLockController.php
index 4a872d8667..9832705427 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialLockController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialLockController.php
@@ -32,15 +32,17 @@ final class PassphraseCredentialLockController
       return $this->newDialog()
         ->setTitle(pht('Credential Already Locked'))
         ->appendChild(
-          pht(
-            'This credential has been locked and the secret is '.
-            'hidden forever. Anything relying on this credential will '.
-            'still function. This operation can not be undone.'))
+          pht('This credential is already locked.'))
         ->addCancelButton($view_uri, pht('Close'));
     }
 
     if ($request->isFormPost()) {
       $xactions = array();
+
+      $xactions[] = id(new PassphraseCredentialTransaction())
+        ->setTransactionType(PassphraseCredentialTransaction::TYPE_CONDUIT)
+        ->setNewValue(0);
+
       $xactions[] = id(new PassphraseCredentialTransaction())
         ->setTransactionType(PassphraseCredentialTransaction::TYPE_LOCK)
         ->setNewValue(1);
@@ -48,6 +50,7 @@ final class PassphraseCredentialLockController
       $editor = id(new PassphraseCredentialTransactionEditor())
         ->setActor($viewer)
         ->setContinueOnMissingFields(true)
+        ->setContinueOnNoEffect(true)
         ->setContentSourceFromRequest($request)
         ->applyTransactions($credential, $xactions);
 
@@ -55,12 +58,13 @@ final class PassphraseCredentialLockController
     }
 
     return $this->newDialog()
-      ->setTitle(pht('Really lock credential?'))
+      ->setTitle(pht('Lock Credential'))
       ->appendChild(
         pht(
-          'This credential will be locked and the secret will be '.
-          'hidden forever. Anything relying on this credential will '.
-          'still function. This operation can not be undone.'))
+          'This credential will be locked and the secret will be hidden '.
+          'forever. If Conduit access is enabled, it will be revoked. '.
+          'Anything relying on this credential will still function. This '.
+          'operation can not be undone.'))
       ->addSubmitButton(pht('Lock Credential'))
       ->addCancelButton($view_uri);
   }
diff --git a/src/applications/passphrase/controller/PassphraseCredentialViewController.php b/src/applications/passphrase/controller/PassphraseCredentialViewController.php
index a154f846d1..aabb3821e0 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialViewController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialViewController.php
@@ -119,6 +119,8 @@ final class PassphraseCredentialViewController extends PassphraseController {
       $credential,
       PhabricatorPolicyCapability::CAN_EDIT);
 
+    $can_conduit = ($can_edit && !$is_locked);
+
     $curtain = $this->newCurtainView($credential);
 
     $curtain->addAction(
@@ -161,7 +163,7 @@ final class PassphraseCredentialViewController extends PassphraseController {
           ->setName($credential_conduit_text)
           ->setIcon($credential_conduit_icon)
           ->setHref($this->getApplicationURI("conduit/{$id}/"))
-          ->setDisabled(!$can_edit)
+          ->setDisabled(!$can_conduit)
           ->setWorkflow(true));
 
       $curtain->addAction(