diff --git a/Cargo.lock b/Cargo.lock
index ad8fc09..646310f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -154,9 +154,9 @@ checksum = "d92bec98840b8f03a5ff5413de5293bfcd8bf96467cf5452609f939ec6f5de16"
 [[package]]
 name = "ascii-armor"
-version = "0.7.0"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f834c431d27e0e6bedf95c9ee4dbea02fa4e4cd5bc26a61e5a418427178c5495"
+checksum = "9ad861dfcd5f348ac79e0df2e70494641c62d3ac37587af68c52a16ab355afdb"
 dependencies = [
 "amplify",
 "baid64",
diff --git a/Cargo.toml b/Cargo.toml
index a5ad52d..2220b1f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,7 +23,7 @@ required-features = ["cli"]
 [dependencies]
 amplify = "4.6.0"
 strict_encoding = "2.7.0-beta.4"
-ascii-armor = "0.7.0"
+ascii-armor = "0.7.1"
 baid64 = "0.2.2"
 base64 = "0.22.1"
 secp256k1 = { version = "0.29.0", features = ["rand", "global-context", "rand-std"] }
diff --git a/src/encrypt.rs b/src/encrypt.rs
index 70dcde4..25b9ceb 100644
--- a/src/encrypt.rs
+++ b/src/encrypt.rs
@@ -35,18 +35,21 @@ use crate::{Algo, InvalidPubkey, SsiPair, SsiPub, LIB_NAME_SSI};
 #[derive(Copy, Clone, Debug, Display, Error)]
 pub enum EncryptionError {
- #[display("the number of receivers exceeds 2^16")]
+ #[display("the number of receivers exceeds 2^16.")]
 TooManyReceivers,
- #[display("invalid public key {0}")]
+ #[display("invalid public key {0}.")]
 InvalidPubkey(SsiPub),
 }
-#[derive(Copy, Clone, Debug, Display, Error)]
+#[derive(Copy, Clone, Debug, Display, Error, From)]
 pub enum DecryptionError {
- #[display("the message can't be decrypted using key {0}")]
+ #[display("the message can't be decrypted using key {0}.")]
 KeyMismatch(SsiPub),
- #[display("invalid public key {0}")]
+ #[display("invalid public key {0}.")]
 InvalidPubkey(SsiPub),
+ #[from(aes_gcm::Error)]
+ #[display("unable to decrypt data.")]
+ Decrypt,
 }
 #[derive(Clone, Debug, From)]
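Review bot: The new `Decrypt` variant of `DecryptionError` carries no comment saying what it covers, and the same applies to the `Decrypt` variant added to `RevealError` in src/secret.rs. With AES-GCM this error means the authentication tag did not verify, so a wrong key and an altered ciphertext or nonce are indistinguishable to the caller. I would add `/// AES-GCM authentication failed: wrong key, or the ciphertext or nonce was altered.` above the variant here. In `RevealError` the `///` line appears to double as the display text, so a plain `//` comment is the safer form there. Both enums are `pub`, so the added variant breaks exhaustive matches downstream; if the crate is consumed as a library, `#[non_exhaustive]` on the enums would keep later additions compatible.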
@@ -142,7 +145,7 @@ impl Encrypted {
 let key = pair
 .decrypt_key(key)
 .map_err(|_| DecryptionError::InvalidPubkey(pair.pk))?;
- Ok(decrypt(self.data.as_slice(), self.nonce.into(), key))
+ Ok(decrypt(self.data.as_slice(), self.nonce.into(), key)?)
 }
 }
@@ -195,13 +198,12 @@ pub fn encrypt(source: Vec, key: impl AsRef<[u8]>) -> (Nonce, Vec
 (nonce, ciphered_data)
 }
-pub fn decrypt(encrypted: &[u8], nonce: Nonce, key: impl AsRef<[u8]>) -> Vec {
+pub fn decrypt(
+ encrypted: &[u8],
+ nonce: Nonce,
+ key: impl AsRef<[u8]>,
+) -> Result, aes_gcm::Error> {
 let key = Sha256::digest(key.as_ref());
 let key = aes_gcm::Key::::from_slice(key.as_slice());
-
- let cipher = Aes256Gcm::new(key);
-
- cipher
- .decrypt(&nonce, encrypted)
- .expect("failed to decrypt data")
+ Aes256Gcm::new(key).decrypt(&nonce, encrypted)
 }
diff --git a/src/secret.rs b/src/secret.rs
index 9e35614..ee80a89 100644
--- a/src/secret.rs
+++ b/src/secret.rs
@@ -50,6 +50,10 @@ pub enum RevealError {
 /// unsupported algorithm #{0}.
 Unsupported(u8),
+
+ /// unable to decrypt data.
+ #[from(aes_gcm::Error)]
+ Decrypt,
 }
 #[derive(Clone, Eq, PartialEq, Ord, PartialOrd, Hash)]
@@ -62,7 +66,7 @@ pub struct EncryptedSecret {
 impl EncryptedSecret {
 pub fn reveal(&self, passwd: impl AsRef) -> Result {
- let sk = decrypt(&self.key, self.nonce, passwd.as_ref());
+ let sk = decrypt(&self.key, self.nonce, passwd.as_ref())?;
 match self.algo {
 Algo::Ed25519 => Ok(ec25519::SecretKey::from_slice(&sk)?.into()),
 Algo::Bip340 => Ok(secp256k1::SecretKey::from_slice(&sk)?.into()),
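Review bot: The public `decrypt` function in src/encrypt.rs changes its return type to a `Result` with `aes_gcm::Error` but still has no doc comment. Callers cannot learn from the signature that `Err` means the GCM tag failed to verify and that no plaintext is released in that case. I would add `/// Decrypts AES-256-GCM data; the cipher key is SHA-256 of the supplied key bytes.` followed by an `# Errors` section saying the error is returned for a wrong key or for altered ciphertext or nonce. Returning `aes_gcm::Error` directly also makes the dependency's error type part of this crate's public signature, so a major bump of `aes_gcm` becomes an API break here; a crate-owned error would avoid that. The return-type change itself breaks external callers of `decrypt`, which probably warrants more than a patch-level release.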
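Review bot: In `EncryptedSecret::reveal` the `passwd` bytes go straight into `decrypt`, whose context line `let key = Sha256::digest(key.as_ref());` turns them into the AES key with one unsalted hash. If `passwd` is a human-chosen password, as the name suggests, anyone who obtains a stored `EncryptedSecret` can test guesses offline at raw SHA-256 speed, and the GCM tag confirms each guess. Turning a wrong password into `RevealError::Decrypt` instead of a panic is an improvement, but the derivation is unchanged. A follow-up should derive the key with a memory-hard password KDF such as Argon2id or scrypt, using a random per-secret salt stored next to the nonce; this needs a format version so existing secrets still open. Separately, `sk` holds the raw secret-key bytes in an ordinary vector that is dropped without being wiped, so clearing it after `from_slice` is worth considering; the `match` in `reveal` continues past the end of this hunk.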