diff --git a/internal/database/external_accounts_test.go b/internal/database/external_accounts_test.go
index 943bc1c2e3a..04e136a1af7 100644
--- a/internal/database/external_accounts_test.go
+++ b/internal/database/external_accounts_test.go
@@ -384,7 +384,7 @@ func TestExternalAccounts_Encryption(t *testing.T) {
 }
 // values encrypted should not be readable without the encrypting key
- noopStore := store.WithEncryptionKey(&encryption.NoopKey{})
+ noopStore := store.WithEncryptionKey(&encryption.NoopKey{FailDecrypt: true})
 if _, err := noopStore.List(ctx, ExternalAccountsListOptions{}); err == nil {
 t.Fatalf("expected error decrypting with a different key")
 }
diff --git a/internal/database/external_services_test.go b/internal/database/external_services_test.go
index ebfeabca222..ac221ebdd10 100644
--- a/internal/database/external_services_test.go
+++ b/internal/database/external_services_test.go
@@ -13,11 +13,12 @@ import (
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/keegancsmith/sqlf"
 "github.com/lib/pq"
- "github.com/sourcegraph/sourcegraph/internal/api"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "github.com/tidwall/gjson"
+ "github.com/sourcegraph/sourcegraph/internal/api"
+
 "github.com/sourcegraph/log/logtest"
 "github.com/sourcegraph/sourcegraph/cmd/frontend/envvar"
@@ -1163,7 +1164,7 @@ func TestExternalServicesStore_GetByID_Encrypted(t *testing.T) {
 }
 // values encrypted should not be readable without the encrypting key
- noopStore := store.WithEncryptionKey(&encryption.NoopKey{})
+ noopStore := store.WithEncryptionKey(&encryption.NoopKey{FailDecrypt: true})
 if _, err := noopStore.GetByID(ctx, es.ID); err == nil {
 t.Fatalf("expected error decrypting with a different key")
 }
@@ -2004,7 +2005,7 @@ func TestExternalServicesStore_Upsert(t *testing.T) {
 }
 // values encrypted should not be readable without the encrypting key
- noopStore := ExternalServicesWith(logger, tx).WithEncryptionKey(&encryption.NoopKey{})
+ noopStore := ExternalServicesWith(logger, tx).WithEncryptionKey(&encryption.NoopKey{FailDecrypt: true})
 for _, e := range want {
 if _, err := noopStore.GetByID(ctx, e.ID); err == nil {
diff --git a/internal/encryption/helpers.go b/internal/encryption/helpers.go
index fb6a61e3303..8ea2726e43f 100644
--- a/internal/encryption/helpers.go
+++ b/internal/encryption/helpers.go
@@ -27,7 +27,9 @@ func MaybeEncrypt(ctx context.Context, key Key, data string) (_, keyIdent string
 return "", "", err
 }
+ span, ctx = ot.StartSpanFromContext(ctx, "key.Version")
 version, err := key.Version(ctx)
+ span.Finish()
 if err != nil {
 return "", "", errors.Wrap(err, "failed to get encryption key version")
 }
@@ -47,18 +49,18 @@ func MaybeDecrypt(ctx context.Context, key Key, data, keyIdent string) (string,
 if key == nil {
 return data, errors.Errorf("key mismatch: value is encrypted but no encryption key available in site-config")
 }
- version, err := key.Version(ctx)
- if err != nil {
- return "", errors.Wrap(err, "failed to get encryption key version")
- }
- if keyIdent != version.JSON() {
- return "", errors.New("key mismatch: value is encrypted with an encryption key distinct from the one available in site-config")
- }
 span, ctx := ot.StartSpanFromContext(ctx, "key.Decrypt")
 decrypted, err := key.Decrypt(ctx, []byte(data))
 span.Finish()
 if err != nil {
+ span, ctx = ot.StartSpanFromContext(ctx, "key.Version")
+ version, versionErr := key.Version(ctx)
+ span.Finish()
+ if versionErr == nil && keyIdent != version.JSON() {
+ return "", errors.New("key mismatch: value is encrypted with an encryption key distinct from the one available in site-config")
+ }
+
 return data, err
 }
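Review bot: The added `span, ctx = ot.StartSpanFromContext(ctx, "key.Version")` overwrites the function's `ctx` with the span-carrying child context and then finishes that span on the next line, so anything later in MaybeEncrypt that uses `ctx` (the body continues past this hunk) presumably gets an already-finished span as its parent; the new `span, ctx = …` inside the error branch of the MaybeDecrypt hunk below does the same. If nothing downstream reads ctx, a short comment saying so would settle it; otherwise keep the child context local to the call: `span, spanCtx := ot.StartSpanFromContext(ctx, "key.Version")` / `version, err := key.Version(spanCtx)`.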
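Review bot: Moving the `keyIdent != version.JSON()` comparison into the `if err != nil` branch means a value encrypted under a different key is only reported as a mismatch when `key.Decrypt` itself rejects it; a Key whose Decrypt does not authenticate its input (NoopKey in this same change, which is why the tests now need `FailDecrypt: true`) returns whatever bytes it produces with a nil error. That contract should be stated on the function, e.g. `// The key identity is cross-checked only after a failed Decrypt, so detecting a key mismatch relies on Key.Decrypt rejecting ciphertext produced under another key.` Separately, `versionErr` is discarded when Version fails in this branch, so an operator sees only the decrypt error; either say in a comment that the decrypt error is deliberately the one surfaced, or include both with `errors.Wrap`. Note also that the `return data, err` path hands the still-encrypted `data` back alongside the error, so callers must not treat a non-empty result as plaintext; MaybeDecrypt begins before this hunk and ends after it.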
diff --git a/internal/encryption/noop.go b/internal/encryption/noop.go
index 06d654b5094..bc032ddbeb7 100644
--- a/internal/encryption/noop.go
+++ b/internal/encryption/noop.go
@@ -2,11 +2,15 @@ package encryption
 import (
 "context"
+
+ "github.com/sourcegraph/sourcegraph/lib/errors"
 )
 var _ Key = &NoopKey{}
-type NoopKey struct{}
+type NoopKey struct {
+ FailDecrypt bool
+}
 func (k *NoopKey) Version(ctx context.Context) (KeyVersion, error) {
 return KeyVersion{
@@ -21,6 +25,10 @@ func (k *NoopKey) Encrypt(ctx context.Context, plaintext []byte) ([]byte, error)
 }
 func (k *NoopKey) Decrypt(ctx context.Context, ciphertext []byte) (*Secret, error) {
+ if k.FailDecrypt {
+ return nil, errors.New("unsupported decrypt")
+ }
+
 s := NewSecret(string(ciphertext))
 return &s, nil
 }
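Review bot: `FailDecrypt` is an exported field with no doc comment, and nothing in the type says it exists so tests can reach the decrypt-failure branch that MaybeDecrypt now requires before it checks the key version; add `// FailDecrypt makes Decrypt return an error instead of passing the input through, so tests can exercise decrypt-failure paths such as the key-mismatch check in MaybeDecrypt.` In the Decrypt hunk below, the message `"unsupported decrypt"` does not say why the call failed; naming the toggle, e.g. `errors.New("NoopKey: FailDecrypt is set")`, makes a failing test self-explanatory. Since NoopKey's default Decrypt accepts any bytes with a nil error, a line on the type stating that it performs no cryptography would help readers judge where it is safe to use.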