diff --git a/lib/mongo/crypt/explicit_encrypter.rb b/lib/mongo/crypt/explicit_encrypter.rb
index cce570e441..ffe885976b 100644
--- a/lib/mongo/crypt/explicit_encrypter.rb
+++ b/lib/mongo/crypt/explicit_encrypter.rb
@@ -257,6 +257,8 @@ def remove_key_alt_name(id, key_alt_name)
       #
       # @return [ Crypt::RewrapManyDataKeyResult ] Result of the operation.
       def rewrap_many_data_key(filter, opts = {})
+        validate_rewrap_options!(opts)
+
         master_key_document = if opts[:provider]
           options = opts.dup
           provider = options.delete(:provider)
@@ -291,6 +293,18 @@ def rewrap_many_data_key(filter, opts = {})
           @encryption_io.update_data_keys(updates)
         )
       end
+
+      # Ensures the consistency of the options passed to #rewrap_many_data_keys.
+      #
+      # @param [Hash] opts the options hash to validate
+      #
+      # @raise [ ArgumentError ] if the options are not consistent or
+      #   compatible.
+      def validate_rewrap_options!(opts)
+        if opts.key?(:master_key) && !opts.key?(:provider)
+          raise ArgumentError, 'If :master_key is specified, :provider must also be given'
+        end
+      end
     end
   end
 end
diff --git a/spec/integration/client_side_encryption/rewrap_prose_spec.rb b/spec/integration/client_side_encryption/rewrap_prose_spec.rb
index 9ba2e19bfc..86958929f2 100644
--- a/spec/integration/client_side_encryption/rewrap_prose_spec.rb
+++ b/spec/integration/client_side_encryption/rewrap_prose_spec.rb
@@ -101,6 +101,13 @@
           expect(client_encryption1.decrypt(ciphertext)).to eq('test')
           expect(client_encryption2.decrypt(ciphertext)).to eq('test')
         end
+
+        context 'when master_key is present without provider' do
+          it 'raises an exception' do
+            expect { client_encryption1.rewrap_many_data_key({}, master_key: {}) }
+              .to raise_error(ArgumentError, /provider/)
+          end
+        end
       end
     end
   end