diff --git a/bin/disinto b/bin/disinto
index eed7b80..abf6b85 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -72,6 +72,7 @@ ensure_age_key() {
 if [ -f "$key_file" ]; then
 AGE_PUBLIC_KEY="$(age-keygen -y "$key_file" 2>/dev/null)"
+ [ -n "$AGE_PUBLIC_KEY" ] || return 1
 export AGE_PUBLIC_KEY
 return 0
 fi
@@ -84,6 +85,7 @@ ensure_age_key() {
 age-keygen -o "$key_file" 2>/dev/null
 chmod 600 "$key_file"
 AGE_PUBLIC_KEY="$(age-keygen -y "$key_file" 2>/dev/null)"
+ [ -n "$AGE_PUBLIC_KEY" ] || return 1
 export AGE_PUBLIC_KEY
 echo "Generated age key: ${key_file}"
 }
@@ -106,7 +108,6 @@ encrypt_env_file() {
 }
 # Store secrets into .env.enc (encrypted) if SOPS + age available, else .env (plaintext).
-# Reads existing .env, updates/adds vars, writes back.
 write_secrets_encrypted() {
 local env_file="${FACTORY_ROOT}/.env"
 local enc_file="${FACTORY_ROOT}/.env.enc"
diff --git a/lib/env.sh b/lib/env.sh
index 0c66282..f1b0bc8 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -10,7 +10,8 @@ FACTORY_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 # Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env
 if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
 set -a
- eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" || true
+ eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
+ || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
 set +a
 elif [ -f "$FACTORY_ROOT/.env" ]; then
 set -a
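Review bot: The added guard `[ -n "$AGE_PUBLIC_KEY" ] || return 1` in the first hunk of ensure_age_key fails without any message, and the `2>/dev/null` on `age-keygen -y` discards the reason (unreadable or malformed key file), so the caller only sees a bare status 1. Print a diagnostic before returning, e.g. `[ -n "$AGE_PUBLIC_KEY" ] || { echo "Error: cannot derive age public key from ${key_file}" >&2; return 1; }`. The same applies to the identical guard in the second hunk, where a failed `age-keygen -o` is also caught only indirectly by this emptiness check. Whether callers test ensure_age_key's return value is not visible here; if they do not, the encryption path may presumably continue with an empty recipient, so that should be confirmed. The function body starts outside the first hunk.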
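Review bot: The new warning after `eval` in lib/env.sh will most likely never fire when decryption fails: a failed `sops -d` presumably writes nothing to stdout, `eval ""` returns 0, and the `||` branch is skipped, so the script still continues silently without secrets. Test the exit status of the command substitution itself by capturing the output in an assignment, placed before `set -a` so the decrypted blob is not auto-exported, and evaluate it only on success. Separately, `eval` runs the decrypted dotenv text as shell code, so a value containing `$(...)` or backticks is executed rather than assigned; `.env.enc` should be treated as trusted code and that deserves a comment here. The if/elif block continues outside the hunk.

```shell
if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
  # eval "" returns 0, so check sops' status on the assignment, not on eval.
  if _env_dec="$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)"; then
    set -a
    # NOTE: decrypted content is executed as shell code; .env.enc must be trusted.
    eval "$_env_dec"
    set +a
  else
    echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
  fi
  unset _env_dec
# … unchanged: elif branch loading plaintext .env …
```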