diff --git a/java/google/registry/keyring/kms/KmsConnection.java b/java/google/registry/keyring/kms/KmsConnection.java
index c508a8f3b..593de8493 100644
--- a/java/google/registry/keyring/kms/KmsConnection.java
+++ b/java/google/registry/keyring/kms/KmsConnection.java
@@ -14,7 +14,7 @@
 
 package google.registry.keyring.kms;
 
-import java.io.IOException;
+import google.registry.keyring.api.KeyringException;
 
 /** An abstraction to simplify Cloud KMS operations. */
 interface KmsConnection {
@@ -34,9 +34,15 @@ interface KmsConnection {
    * {@code MAX_SECRET_SIZE_BYTES}.
    *
    * <p>If no applicable CryptoKey or CryptoKeyVersion exist, they will be created.
+   *
+   * @throws KeyringException on encryption failure.
    */
-  EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) throws IOException;
+  EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext);
 
-  /** Decrypts a Cloud KMS encrypted and encoded value with CryptoKey {@code cryptoKeyName}. */
-  byte[] decrypt(String cryptoKeyName, String encodedCiphertext) throws IOException;
+  /**
+   * Decrypts a Cloud KMS encrypted and encoded value with CryptoKey {@code cryptoKeyName}.
+   *
+   * @throws KeyringException on decryption failure.
+   */
+  byte[] decrypt(String cryptoKeyName, String encodedCiphertext);
 }
diff --git a/java/google/registry/keyring/kms/KmsConnectionImpl.java b/java/google/registry/keyring/kms/KmsConnectionImpl.java
index e51d409f8..d4b469e99 100644
--- a/java/google/registry/keyring/kms/KmsConnectionImpl.java
+++ b/java/google/registry/keyring/kms/KmsConnectionImpl.java
@@ -57,11 +57,20 @@ class KmsConnectionImpl implements KmsConnection {
   }
 
   @Override
-  public EncryptResponse encrypt(String cryptoKeyName, byte[] value) throws IOException {
+  public EncryptResponse encrypt(String cryptoKeyName, byte[] value) {
     checkArgument(
         value.length <= MAX_SECRET_SIZE_BYTES,
         "Value to encrypt was larger than %s bytes",
         MAX_SECRET_SIZE_BYTES);
+    try {
+      return attemptEncrypt(cryptoKeyName, value);
+    } catch (IOException e) {
+      throw new KeyringException(
+          String.format("CloudKMS encrypt operation failed for secret %s", cryptoKeyName), e);
+    }
+  }
+
+  private EncryptResponse attemptEncrypt(String cryptoKeyName, byte[] value) throws IOException {
     String fullKeyRingName = getKeyRingName(projectId, kmsKeyRingName);
     try {
       kms.projects().locations().keyRings().get(fullKeyRingName).execute();
@@ -143,7 +152,7 @@ class KmsConnectionImpl implements KmsConnection {
     }
   }
 
-  private byte[] attemptDecrypt(String cryptoKeyName, String encodedCiphertext) throws IOException{
+  private byte[] attemptDecrypt(String cryptoKeyName, String encodedCiphertext) throws IOException {
     return kms.projects()
         .locations()
         .keyRings()
diff --git a/java/google/registry/keyring/kms/KmsKeyring.java b/java/google/registry/keyring/kms/KmsKeyring.java
index 11efeb8bc..d4e4a9e89 100644
--- a/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/java/google/registry/keyring/kms/KmsKeyring.java
@@ -192,7 +192,7 @@ public class KmsKeyring implements Keyring {
 
     try {
       return kmsConnection.decrypt(secret.getName(), encryptedData);
-    } catch (IOException e) {
+    } catch (Exception e) {
       throw new KeyringException(
           String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
     }
diff --git a/javatests/google/registry/keyring/kms/FakeKmsConnection.java b/javatests/google/registry/keyring/kms/FakeKmsConnection.java
index 24e0fffa8..5508b417f 100644
--- a/javatests/google/registry/keyring/kms/FakeKmsConnection.java
+++ b/javatests/google/registry/keyring/kms/FakeKmsConnection.java
@@ -15,7 +15,6 @@
 package google.registry.keyring.kms;
 
 import com.google.common.io.BaseEncoding;
-import java.io.IOException;
 import org.bouncycastle.util.Arrays;
 
 class FakeKmsConnection implements KmsConnection {
@@ -29,7 +28,7 @@ class FakeKmsConnection implements KmsConnection {
    * and the name of the cryptoKeyVersion is {@code cryptoKeyName + "/foo"}.
    */
   @Override
-  public EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) throws IOException {
+  public EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) {
     return EncryptResponse.create(
         BaseEncoding.base64().encode(Arrays.reverse(plaintext)), cryptoKeyName + "/foo");
   }
@@ -40,7 +39,7 @@ class FakeKmsConnection implements KmsConnection {
    * <p>The plaintext is the encodedCiphertext base64-decoded and then reversed.
    */
   @Override
-  public byte[] decrypt(String cryptoKeyName, String encodedCiphertext) throws IOException {
+  public byte[] decrypt(String cryptoKeyName, String encodedCiphertext) {
     return Arrays.reverse(BaseEncoding.base64().decode(encodedCiphertext));
   }
 }