diff --git a/exp/services/recoverysigner/cmd/keyset.go b/exp/services/recoverysigner/cmd/keyset.go
index fb2cfd3075..333b0d69c4 100644
--- a/exp/services/recoverysigner/cmd/keyset.go
+++ b/exp/services/recoverysigner/cmd/keyset.go
@@ -143,7 +143,7 @@ func createKeyset(kmsKeyURI string, keyTemplate *tinkpb.KeyTemplate) (publicClea
 khPub, err := khPriv.Public()
 if err != nil {
- return "", "", "", errors.Wrap(err, "getting keyhandle for public key")
+ return "", "", "", errors.Wrap(err, "getting key handle for keyset public")
 }
 err = khPub.WriteWithNoSecrets(keyset.NewJSONWriter(&keysetPublic))
@@ -188,12 +188,12 @@ func rotateKeyset(kmsKeyURI, keysetJSON string, keyTemplate *tinkpb.KeyTemplate)
 khPriv, err = keyset.Read(keyset.NewJSONReader(strings.NewReader(keysetJSON)), aead)
 if err != nil {
- return "", "", "", errors.Wrap(err, "reading encrypted keyset")
+ return "", "", "", errors.Wrap(err, "getting key handle for keyset private by reading an encrypted keyset")
 }
 } else {
 khPriv, err = insecurecleartextkeyset.Read(keyset.NewJSONReader(strings.NewReader(keysetJSON)))
 if err != nil {
- return "", "", "", errors.Wrap(err, "getting key handle for private key")
+ return "", "", "", errors.Wrap(err, "getting key handle for keyset private by reading a cleartext keyset")
 }
 }
@@ -205,7 +205,7 @@ func rotateKeyset(kmsKeyURI, keysetJSON string, keyTemplate *tinkpb.KeyTemplate)
 khPriv, err = m.Handle()
 if err != nil {
- return "", "", "", errors.Wrap(err, "creating handle for the new keyset")
+ return "", "", "", errors.Wrap(err, "creating key handle for the rotated keyset private")
 }
 keysetPrivateEncrypted := strings.Builder{}
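Review bot: The literal `"getting key handle for keyset public"` added in createKeyset is repeated verbatim in the rotateKeyset, decryptKeyset and encryptKeyset hunks (at -226, -278 and -329), and each of the two "keyset private by reading ..." messages also appears twice, while keyset_test.go matches on one of these strings. Declaring each message once, for example `const errMsgKeysetPublicHandle = "getting key handle for keyset public"`, would keep the call sites and the test assertion from drifting apart at the next rewording. Each of these function bodies continues outside its hunk.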
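Review bot: In rotateKeyset's else branch the error from `insecurecleartextkeyset.Read` is wrapped and returned, so whatever the JSON reader reports about its input travels with the new message; the encryptKeyset hunk at -318 does the same. The input on that path is an unencrypted private keyset, so it is worth confirming that the reader's parse errors never quote any part of the input before this error is printed or logged. If that cannot be ruled out, add a comment at both sites such as `// err comes from parsing a cleartext private keyset; do not log it verbatim`, or return the fixed message without the cause on this path. The branch condition and the rest of the function lie outside the hunk.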
@@ -226,7 +226,7 @@ func rotateKeyset(kmsKeyURI, keysetJSON string, keyTemplate *tinkpb.KeyTemplate)
 khPub, err := khPriv.Public()
 if err != nil {
- return "", "", "", errors.Wrap(err, "getting keyhandle for public keys")
+ return "", "", "", errors.Wrap(err, "getting key handle for keyset public")
 }
 err = khPub.WriteWithNoSecrets(keyset.NewJSONWriter(&keysetPublic))
@@ -267,7 +267,7 @@ func decryptKeyset(kmsKeyURI, keysetJSON string) (publicCleartext string, privat
 khPriv, err := keyset.Read(keyset.NewJSONReader(strings.NewReader(keysetJSON)), aead)
 if err != nil {
- return "", "", errors.Wrap(err, "reading encrypted keyset")
+ return "", "", errors.Wrap(err, "getting key handle for keyset private by reading an encrypted keyset")
 }
 keysetPrivateCleartext := strings.Builder{}
@@ -278,7 +278,7 @@ func decryptKeyset(kmsKeyURI, keysetJSON string) (publicCleartext string, privat
 khPub, err := khPriv.Public()
 if err != nil {
- return "", "", errors.Wrap(err, "getting keyhandle for public keys")
+ return "", "", errors.Wrap(err, "getting key handle for keyset public")
 }
 keysetPublic := strings.Builder{}
@@ -318,7 +318,7 @@ func encryptKeyset(kmsKeyURI, keysetJSON string) (publicCleartext string, privat
 khPriv, err := insecurecleartextkeyset.Read(keyset.NewJSONReader(strings.NewReader(keysetJSON)))
 if err != nil {
- return "", "", errors.Wrap(err, "getting key handle for private key")
+ return "", "", errors.Wrap(err, "getting key handle for keyset private by reading a cleartext keyset")
 }
 keysetPrivateEncrypted := strings.Builder{}
@@ -329,7 +329,7 @@ func encryptKeyset(kmsKeyURI, keysetJSON string) (publicCleartext string, privat
 khPub, err := khPriv.Public()
 if err != nil {
- return "", "", errors.Wrap(err, "getting keyhandle for public keys")
+ return "", "", errors.Wrap(err, "getting key handle for keyset public")
 }
 keysetPublic := strings.Builder{}
diff --git a/exp/services/recoverysigner/cmd/keyset_test.go b/exp/services/recoverysigner/cmd/keyset_test.go
index f9e6d11bce..3777bf0e58 100644
--- a/exp/services/recoverysigner/cmd/keyset_test.go
+++ b/exp/services/recoverysigner/cmd/keyset_test.go
@@ -163,27 +163,27 @@ func TestRotateKeyset_invalidKMSKeyURI(t *testing.T) {
 func TestRotateKeyset_noEncryptionTinkKeyset(t *testing.T) {
 _, _, _, err := rotateKeyset("", "", hybrid.ECIESHKDFAES128GCMKeyTemplate())
 require.Error(t, err)
- assert.Contains(t, err.Error(), "getting key handle for private key")
+ assert.Contains(t, err.Error(), "getting key handle for keyset private by reading a cleartext keyset")
 }
 func TestDecryptKeyset_invalidKMSKeyURI(t *testing.T) {
 // encrption-kms-key-uri is not configured
- _, err := decryptKeyset("", "keysetJSON")
+ _, _, err := decryptKeyset("", "keysetJSON")
 require.Error(t, err)
 assert.Equal(t, err, errNoKMSKeyURI)
- _, err = decryptKeyset("invalid-uri", "keysetJSON")
+ _, _, err = decryptKeyset("invalid-uri", "keysetJSON")
 require.Error(t, err)
 assert.Contains(t, err.Error(), "initializing AWS KMS client")
 }
 func TestEncryptKeyset_invalidKMSKeyURI(t *testing.T) {
 // encrption-kms-key-uri is not configured
- _, err := encryptKeyset("", "keysetJSON")
+ _, _, err := encryptKeyset("", "keysetJSON")
 require.Error(t, err)
 assert.Equal(t, err, errNoKMSKeyURI)
- _, err = encryptKeyset("invalid-uri", "keysetJSON")
+ _, _, err = encryptKeyset("invalid-uri", "keysetJSON")
 require.Error(t, err)
 assert.Contains(t, err.Error(), "initializing AWS KMS client")
 }
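Review bot: The corrected calls in TestDecryptKeyset_invalidKMSKeyURI and TestEncryptKeyset_invalidKMSKeyURI discard both returned keyset strings, so the tests never check that the failure paths hand back no key material. The functions return a public and a private keyset, so each error case should capture and assert on them: `pub, priv, err := decryptKeyset("", "keysetJSON")` followed by `assert.Empty(t, pub)` and `assert.Empty(t, priv)`. The same holds for the three discarded results of `rotateKeyset` in TestRotateKeyset_noEncryptionTinkKeyset.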