diff --git a/src/common.hpp b/src/common.hpp
index b8523e9..a84c66c 100644
--- a/src/common.hpp
+++ b/src/common.hpp
@@ -109,6 +109,9 @@
 const time::seconds DEFAULT_KDK_FRESHNESS_PERIOD = 1_h;
 const time::seconds DEFAULT_CK_FRESHNESS_PERIOD = 1_h;
 
+const time::seconds RETRY_DELAY_AFTER_NACK = 1_s;
+const time::seconds RETRY_DELAY_KEK_RETRIEVAL = 60_s;
+
 enum class ErrorCode {
   KekRetrievalFailure = 1,
   KekRetrievalTimeout = 2,
diff --git a/src/encryptor.cpp b/src/encryptor.cpp
index 26b9a73..0472e1e 100644
--- a/src/encryptor.cpp
+++ b/src/encryptor.cpp
@@ -38,11 +38,13 @@
   , m_ckBits{AES_KEY_SIZE}
   , m_ckDataSigningInfo{std::move(ckDataSigningInfo)}
   , m_isKekRetrievalInProgress(false)
+  , m_onFailure(onFailure)
   , m_ckRegId{nullptr}
   , m_keyChain{keyChain}
   , m_face{face}
+  , m_scheduler{face.getIoService()}
 {
-  regenerateCk(onFailure);
+  regenerateCk();
 
   auto serveFromIms = [this] (const Name& prefix, const Interest& interest) {
     auto data = m_ims.find(interest);
@@ -72,31 +74,42 @@
 }
 
 void
-Encryptor::regenerateCk(const ErrorCallback& onFailure)
+Encryptor::retryFetchingKek()
+{
+  if (m_isKekRetrievalInProgress) {
+    return;
+  }
+
+  NDN_LOG_DEBUG("Retrying fetching of KEK");
+  m_isKekRetrievalInProgress = true;
+  fetchKekAndPublishCkData([&] {
+      NDN_LOG_DEBUG("KEK retrieved and published");
+      m_isKekRetrievalInProgress = false;
+    },
+    [=] (const ErrorCode& code, const std::string& msg) {
+      NDN_LOG_ERROR("Failed to retrieved KEK: " + msg);
+      m_isKekRetrievalInProgress = false;
+      m_onFailure(code, msg);
+    },
+    N_RETRIES);
+}
+
+void
+Encryptor::regenerateCk()
 {
   m_ckName = m_ckPrefix;
   m_ckName
     .append(CK)
     .appendVersion(); // version = ID of CK
-  random::generateSecureBytes(m_ckBits.data(), m_ckBits.size());
-
   NDN_LOG_DEBUG("Generating new CK: " << m_ckName);
+  random::generateSecureBytes(m_ckBits.data(), m_ckBits.size());
 
   // one implication: if CK updated before KEK fetched, KDK for the old CK will not be published
   if (!m_kek) {
-    m_isKekRetrievalInProgress = true;
-    fetchKekAndPublishCkData([&] {
-        NDN_LOG_DEBUG("KEK retrieved and published");
-        m_isKekRetrievalInProgress = false;
-      },
-      [&] (const ErrorCode&, const std::string& msg) {
-        NDN_LOG_ERROR("Failed to retrieved KEK: " + msg);
-        m_isKekRetrievalInProgress = false;
-      },
-      N_RETRIES);
+    retryFetchingKek();
   }
   else {
-    makeAndPublishCkData(onFailure);
+    makeAndPublishCkData(m_onFailure);
   }
 }
 
@@ -145,9 +158,20 @@
                            },
                            [=] (const Interest& i, const lp::Nack& nack) {
                              m_kekPendingInterest = nullptr;
-                             onFailure(ErrorCode::KekRetrievalFailure,
-                                       "Retrieval of KEK [" + i.getName().toUri() + "] failed. "
-                                       "Got NACK (" + boost::lexical_cast<std::string>(nack.getReason()) + ")");
+                             if (nTriesLeft > 1) {
+                               m_scheduler.scheduleEvent(RETRY_DELAY_AFTER_NACK, [=] {
+                                   fetchKekAndPublishCkData(onReady, onFailure, nTriesLeft - 1);
+                                 });
+                             }
+                             else {
+                               onFailure(ErrorCode::KekRetrievalFailure,
+                                         "Retrieval of KEK [" + i.getName().toUri() + "] failed. "
+                                         "Got NACK (" + boost::lexical_cast<std::string>(nack.getReason()) + ")");
+                               NDN_LOG_DEBUG("Scheduling retry from NACK");
+                               m_scheduler.scheduleEvent(RETRY_DELAY_KEK_RETRIEVAL, [=] {
+                                   retryFetchingKek();
+                                 });
+                             }
                            },
                            [=] (const Interest& i) {
                              m_kekPendingInterest = nullptr;
@@ -157,6 +181,10 @@
                              else {
                                onFailure(ErrorCode::KekRetrievalTimeout,
                                          "Retrieval of KEK [" + i.getName().toUri() + "] timed out");
+                               NDN_LOG_DEBUG("Scheduling retry after all timeouts");
+                               m_scheduler.scheduleEvent(RETRY_DELAY_KEK_RETRIEVAL, [=] {
+                                   retryFetchingKek();
+                                 });
                              }
                            });
 }
diff --git a/src/encryptor.hpp b/src/encryptor.hpp
index 679f6d4..34d69bb 100644
--- a/src/encryptor.hpp
+++ b/src/encryptor.hpp
@@ -40,7 +40,10 @@
    *                      (each will have unique version appended)
    * @param ckDataSigningInfo  SigningInfo parameters to sign CK Data
    * @param onFailure     Callback to notify application of a failure to create CK data
-   *                      (failed to fetch KEK, failed to encrypt with KEK, etc.)
+   *                      (failed to fetch KEK, failed to encrypt with KEK, etc.).
+   *                      Note that Encryptor will continue trying to retrieve KEK until success
+   *                      (each attempt separated by `RETRY_DELAY_KEK_RETRIEVAL`) and @p onFailure
+   *                      may be called multiple times.
    * @param validator     Validation policy to ensure correctness of KEK
    * @param keyChain      KeyChain
    * @param face          Face that will be used to fetch KEK and publish CK data
@@ -78,7 +81,7 @@
    *       before KEK fetched
    */
   void
-  regenerateCk(const ErrorCallback& onFailure);
+  regenerateCk();
 
 public: // accessor interface for published data packets
 
@@ -114,6 +117,9 @@
 
 private:
   void
+  retryFetchingKek();
+
+  void
   fetchKekAndPublishCkData(const std::function<void()>& onReady,
                            const ErrorCallback& onFailure,
                            size_t nTriesLeft);
@@ -130,6 +136,7 @@
 
   bool m_isKekRetrievalInProgress;
   optional<Data> m_kek;
+  ErrorCallback m_onFailure;
 
   InMemoryStoragePersistent m_ims; // for encrypted CKs
   const RegisteredPrefixId* m_ckRegId = nullptr;
@@ -137,6 +144,7 @@
 
   KeyChain& m_keyChain;
   Face& m_face;
+  Scheduler m_scheduler;
 };
 
 } // namespace nac