diff --git a/server/http.go b/server/http.go
index 3bcc82841054da8f7535c0bade374bb1b9d8e640..208067ba900f910c9a48def255d403d0aef2444f 100644
--- a/server/http.go
+++ b/server/http.go
@@ -146,15 +146,17 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 }
 
 func (h *Server) loginCallback(w http.ResponseWriter, req *http.Request, username, password string, userinfo *auth.UserInfo) error {
-	log.Printf("successful login for user %s", username)
-
 	// Open the keystore for this user with the password used to
 	// authenticate. Set the TTL to the duration of the
 	// authenticated session.
+	var kmsg string
 	if h.keystore != nil {
 		var shard string
 		if userinfo != nil {
 			shard = userinfo.Shard
+			kmsg = fmt.Sprintf(" (unlocked key on shard %s)", shard)
+		} else {
+			kmsg = " (unlocked key)"
 		}
 		if err := h.keystore.Open(req.Context(), shard, username, password, int(h.authSessionLifetime.Seconds())); err != nil {
 			log.Printf("failed to unlock keystore for user %s: %v", username, err)
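Review bot: `kmsg` is filled in before `h.keystore.Open` has returned, so the words "unlocked key" are only truthful if the error branch that begins on the last lines of this hunk returns. That branch ends outside the hunk, so this cannot be confirmed from here. Setting the message after the call has succeeded removes the dependency: `kmsg = " (unlocked key)"` followed by `if shard != "" { kmsg = fmt.Sprintf(" (unlocked key on shard %s)", shard) }`. Testing `shard` instead of `userinfo` also avoids logging "on shard " with nothing after it when `userinfo.Shard` is empty.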
@@ -162,6 +164,8 @@ func (h *Server) loginCallback(w http.ResponseWriter, req *http.Request, usernam
 		}
 	}
 
+	log.Printf("successful login for user %s%s", username, kmsg)
+
 	// Create cookie-based session for the authenticated user.
 	session := newAuthSession(h.authSessionLifetime, username, userinfo)
 	httpSession, _ := h.authSessionStore.Get(req, authSessionKey) // nolint
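Review bot: The relocated `log.Printf` is now the single audit record for both the login and the key unlock, but it names no client, so tying an unlock to its source needs a second log. Consider `log.Printf("successful login for user %s%s from %s", username, kmsg, req.RemoteAddr)`. If the server runs behind a reverse proxy that address would be the proxy's, and whatever forwarded-address handling the project already has would be the better source. The line is also written before the session below is created, so it records a successful authentication and not an established session; a one-line comment saying so would help readers of the log. loginCallback continues past the end of this hunk.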