diff --git a/src/core/instance/instance.cpp b/src/core/instance/instance.cpp
index 7fdcb64e7..7a87b9b79 100644
--- a/src/core/instance/instance.cpp
+++ b/src/core/instance/instance.cpp
@@ -432,6 +432,8 @@ void Instance::AfterInit(void)
     mIsInitialized = true;
 #if OPENTHREAD_MTD || OPENTHREAD_FTD
 
+    Get<KeyManager>().Init();
+
     // Restore datasets and network information
 
     Get<Settings>().Init();
diff --git a/src/core/thread/key_manager.cpp b/src/core/thread/key_manager.cpp
index b29da08a3..d3f5e2ce7 100644
--- a/src/core/thread/key_manager.cpp
+++ b/src/core/thread/key_manager.cpp
@@ -179,15 +179,8 @@ KeyManager::KeyManager(Instance &aInstance)
     otPlatCryptoInit();
 
 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
-    {
-        NetworkKey networkKey;
-
-        mNetworkKeyRef = Crypto::Storage::kInvalidKeyRef;
-        mPskcRef       = Crypto::Storage::kInvalidKeyRef;
-
-        IgnoreError(networkKey.GenerateRandom());
-        StoreNetworkKey(networkKey, /* aOverWriteExisting */ false);
-    }
+    mNetworkKeyRef = Crypto::Storage::kInvalidKeyRef;
+    mPskcRef       = Crypto::Storage::kInvalidKeyRef;
 #else
     IgnoreError(mNetworkKey.GenerateRandom());
     mPskc.Clear();
@@ -196,6 +189,16 @@ KeyManager::KeyManager(Instance &aInstance)
     mMacFrameCounters.Reset();
 }
 
+void KeyManager::Init(void)
+{
+#if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
+    NetworkKey networkKey;
+
+    IgnoreError(networkKey.GenerateRandom());
+    StoreNetworkKey(networkKey, /* aOverWriteExisting */ false);
+#endif
+}
+
 void KeyManager::Start(void)
 {
     mKeySwitchGuardTimer = 0;
diff --git a/src/core/thread/key_manager.hpp b/src/core/thread/key_manager.hpp
index a284ad645..4bb3bd987 100644
--- a/src/core/thread/key_manager.hpp
+++ b/src/core/thread/key_manager.hpp
@@ -228,6 +228,15 @@ public:
      */
     explicit KeyManager(Instance &aInstance);
 
+    /**
+     * Initializes the `KeyManager`.
+     *
+     * This method is called after OpenThread `Instance` is fully initialized (from `Instance::AfterInit()`). This
+     * ensures that all `Instance` components (including `KeyManager`) have been constructed and are safe to interact
+     * with (e.g., to save a default key in `Crypto::Storage::KeyRefManager`).
+     */
+    void Init(void);
+
     /**
      * Starts KeyManager rotation timer and sets guard timer to initial value.
      */