diff --git a/server/keystore.go b/server/keystore.go
index a84570ed8a8ef3be5e75dadb2f3fb9186396473e..4fad6dbfdd48d7e87b3f64707a86e0ace40f0ced 100644
--- a/server/keystore.go
+++ b/server/keystore.go
@@ -150,7 +150,7 @@ func (s *KeyStore) Open(ctx context.Context, username, password string, ttlSecon
 	}
 	if len(encKeys) == 0 {
 		// No keys found. Not an error.
-		return nil
+		return errNoKeys
 	}
 
 	// Naive and inefficient way of decrypting multiple keys: it
diff --git a/server/server.go b/server/server.go
index 681ca4816d126f2f0e01a0092d4c8b0fa99201a2..e65463b0d2fd9ab67bb18f37e23e89e19d4f2e8e 100644
--- a/server/server.go
+++ b/server/server.go
@@ -22,13 +22,16 @@ func (s *keyStoreServer) handleOpen(w http.ResponseWriter, r *http.Request) {
 	}
 
 	err := s.KeyStore.Open(r.Context(), req.Username, req.Password, req.TTL)
-	if err != nil {
+	if err == errNoKeys {
+		log.Printf("no keys found for %s", req.Username)
+	} else if err != nil {
 		log.Printf("Open(%s) error: %v", req.Username, err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
+	} else {
+		log.Printf("decrypted key for %s, ttl=%d", req.Username, req.TTL)
 	}
 
-	log.Printf("decrypted key for %s, ttl=%d", req.Username, req.TTL)
 	serverutil.EncodeJSONResponse(w, &emptyResponse)
 }