diff --git a/config/qa.env b/config/qa.env
index 29c54603..8806f79b 100644
--- a/config/qa.env
+++ b/config/qa.env
@@ -12,7 +12,7 @@ ENCRYPTED_NYPL_OAUTH_SECRET=AQECAHh7ea2tyZ6phZgT4B9BDKwguhlFtRC6hgt+7HbmeFsrsgAA
 
 NYPL_CORE_VERSION=v2.21
 
-LOG_LEVEL=info
+LOG_LEVEL=debug
 FEATURES=on-site-edd
 
 SEARCH_ITEMS_SIZE=3
diff --git a/lib/kms-helper.js b/lib/kms-helper.js
index a320e290..81cfd762 100644
--- a/lib/kms-helper.js
+++ b/lib/kms-helper.js
@@ -1,4 +1,5 @@
 const { KMSClient, DecryptCommand } = require('@aws-sdk/client-kms')
+const logger = require('./logger')
 
 let awsCredentials
 
@@ -16,6 +17,7 @@ async function decrypt (encrypted) {
   // Use credentials if given (local invocations). Otherwise rely on
   // environment (deployed code):
   if (awsCredentials) {
+    logger.debug('KMS decrypt using local AWS credentials')
     config.credentials = awsCredentials
   }
   const client = new KMSClient(config)
diff --git a/lib/load-config.js b/lib/load-config.js
index e0915171..bce305c1 100644
--- a/lib/load-config.js
+++ b/lib/load-config.js
@@ -57,7 +57,7 @@ module.exports.decryptEncryptedConfig = () => {
         const keyWithoutPrefix = key.replace(/^ENCRYPTED_/, '')
         const decrypted = await decrypt(process.env[key])
           .catch((e) => {
-            logger.error(`Load-config: Failed to decrypt ${key}`)
+            logger.error(`Load-config: Failed to decrypt ${key}: ${e}`)
           })
         logger.debug(`Load-config: Decrypted ${key}`)
         process.env[keyWithoutPrefix] = decrypted