diff --git a/server/http.go b/server/http.go
index d7816976f3d822d42802d2994cbec7141f0e9098..7d293c62f1ab13ecd57e6f8e154ebc9dfc9b83dc 100644
--- a/server/http.go
+++ b/server/http.go
@@ -188,17 +188,17 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 
 // We unlock the keystore if the following conditions are met:
 // keystore_enable_groups is set, userinfo is not nil, and the groups match.
-func (h *Server) maybeUnlockKeystore(ctx context.Context, username, password string, userinfo *auth.UserInfo) (bool, error) {
+func (h *Server) maybeUnlockKeystore(ctx context.Context, username, password string, userinfo *auth.UserInfo) (bool, string, error) {
 	if h.keystore == nil {
-		return false, nil
+		return false, "", nil
 	}
 
 	if len(h.keystoreGroups) > 0 {
 		if userinfo == nil {
-			return false, nil
+			return false, "", nil
 		}
 		if !inAnyGroups(userinfo.Groups, h.keystoreGroups) {
-			return false, nil
+			return false, "", nil
 		}
 	}
 
@@ -209,7 +209,7 @@ func (h *Server) maybeUnlockKeystore(ctx context.Context, username, password str
 
 	// Add a 'grace time' of 30 minutes to the key ttl.
 	ttl := h.authSessionLifetime + 1800
-	return true, h.keystore.Open(ctx, shard, username, password, ttl)
+	return true, shard, h.keystore.Open(ctx, shard, username, password, ttl)
 }
 
 // Callback called by the login handler whenever a user successfully
@@ -217,14 +217,18 @@ func (h *Server) maybeUnlockKeystore(ctx context.Context, username, password str
 func (h *Server) loginCallback(ctx context.Context, username, password string, userinfo *auth.UserInfo) error {
 	// Open the keystore for this user, with the same password
 	// used to authenticate.
-	decrypted, err := h.maybeUnlockKeystore(ctx, username, password, userinfo)
+	decrypted, shard, err := h.maybeUnlockKeystore(ctx, username, password, userinfo)
 	if err != nil {
 		return fmt.Errorf("failed to unlock keystore for user %s: %v", username, err)
 	}
 
 	var kmsg string
 	if decrypted {
-		kmsg = " (key unlocked)"
+		kmsg = " (key unlocked"
+		if shard != "" {
+			kmsg += fmt.Sprintf(", shard %s", shard)
+		}
+		kmsg += ")"
 	}
 	log.Printf("successful login for user %s%s", username, kmsg)
 	return nil