diff --git a/pkg/secrethub/client.go b/pkg/secrethub/client.go
index 14bbc2f8..d175ecec 100644
--- a/pkg/secrethub/client.go
+++ b/pkg/secrethub/client.go
@@ -121,11 +121,11 @@ func (i AppInfo) ValidateName() error {
 // If no key credential could be found, a Client is returned that can only be used for unauthenticated routes.
 func NewClient(with ...ClientOption) (*Client, error) {
 	client := &Client{
-		httpClient:              http.NewClient(),
-		repoIndexKeys:           make(map[api.RepoPath]*crypto.SymmetricKey),
-		appInfo:                 []*AppInfo{},
-		defaultPassphraseReader: credentials.FromEnv("SECRETHUB_CREDENTIAL_PASSPHRASE"),
+		httpClient:    http.NewClient(),
+		repoIndexKeys: make(map[api.RepoPath]*crypto.SymmetricKey),
+		appInfo:       []*AppInfo{},
 	}
+
 	err := client.with(with...)
 	if err != nil {
 		return nil, err
@@ -157,26 +157,12 @@ func NewClient(with ...ClientOption) (*Client, error) {
 		}
 		err := client.with(WithCredentials(provider))
-		// nolint: staticcheck
 		if err != nil {
-			// TODO: log that default credential was not loaded.
-			// Do go on because we want to allow an unauthenticated client.
-		}
-	}
-
-	appName := os.Getenv("SECRETHUB_APP_INFO_NAME")
-	if appName != "" {
-		appVersion := os.Getenv("SECRETHUB_APP_INFO_VERSION")
-		topLevelAppInfo := &AppInfo{
-			Name:    appName,
-			Version: appVersion,
-		}
-		// Ignore app info from environment variable if name is invalid
-		if err = topLevelAppInfo.ValidateName(); err == nil {
-			client.appInfo = append(client.appInfo, topLevelAppInfo)
+			return nil, err
 		}
 	}
+	client.loadAppInfoFromEnv()
 	userAgent := client.userAgent()
 	client.httpClient.Options(http.WithUserAgent(userAgent))
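Review bot: The doc comment kept as context at the top of this hunk — a Client usable only for unauthenticated routes when no key credential is found — is contradicted by the second hunk of this file, where the error from `client.with(WithCredentials(provider))` that used to be swallowed now becomes `return nil, err`. Failing closed is the safer behaviour, since a wrong passphrase previously produced a silently unauthenticated client, but the comment has to say which case still falls back. If the code between the hunks only builds a provider when a credential is actually present, change it to `// If no key credential could be found, a Client is returned that can only be used for unauthenticated routes; a credential that is present but cannot be loaded is returned as an error.`; if the provider also errors on a missing credential, drop the sentence instead. NewClient's body continues between and past both hunks.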
@@ -288,6 +274,21 @@ func (c *Client) isKeyed() bool {
 	return c.decrypter != nil
 }
 
+func (c *Client) loadAppInfoFromEnv() {
+	appName := os.Getenv("SECRETHUB_APP_INFO_NAME")
+	if appName != "" {
+		appVersion := os.Getenv("SECRETHUB_APP_INFO_VERSION")
+		topLevelAppInfo := &AppInfo{
+			Name:    appName,
+			Version: appVersion,
+		}
+		// Ignore app info from environment variable if name is invalid
+		if err := topLevelAppInfo.ValidateName(); err == nil {
+			c.appInfo = append(c.appInfo, topLevelAppInfo)
+		}
+	}
+}
+
 func (c *Client) userAgent() string {
 	userAgent := userAgentPrefix
 	for _, info := range c.appInfo {
diff --git a/pkg/secrethub/client_test.go b/pkg/secrethub/client_test.go
index 3b924356..a31477a9 100644
--- a/pkg/secrethub/client_test.go
+++ b/pkg/secrethub/client_test.go
@@ -62,11 +62,11 @@ func TestClient_userAgent(t *testing.T) {
 			for _, info := range tc.appInfo {
 				opts = append(opts, WithAppInfo(info))
 			}
-			client, err := NewClient(opts...)
+			client := &Client{}
+			err := client.with(opts...)
 			assert.Equal(t, err, tc.err)
-			if err != nil {
-				return
-			}
+
+			client.loadAppInfoFromEnv()
 			userAgent := client.userAgent()
 			pattern := tc.expected + " \\(.*\\)"
diff --git a/pkg/secrethub/credentials/key.go b/pkg/secrethub/credentials/key.go
index 23e039d9..4139d8d0 100644
--- a/pkg/secrethub/credentials/key.go
+++ b/pkg/secrethub/credentials/key.go
@@ -85,6 +85,9 @@ func ImportKey(credentialReader, passphraseReader Reader) (Key, error) {
 		if envPassphrase != "" {
 			credential, err := decryptKey([]byte(envPassphrase), encoded)
 			if err != nil {
+				if crypto.IsWrongKey(err) {
+					err = ErrCannotDecryptCredential
+				}
 				return Key{}, fmt.Errorf("decrypting credential with passphrase read from $%s: %v", credentialPassphraseEnvVar, err)
 			}
 			return Key{key: credential}, nil
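Review bot: `loadAppInfoFromEnv` validates only the name it reads from the environment; the value of `SECRETHUB_APP_INFO_VERSION` is stored unchecked and then, judging by userAgent() ranging over c.appInfo, presumably ends up in the User-Agent header. If AppInfo has a version check that the WithAppInfo path applies, apply it here as well; otherwise note in a comment that the version is deliberately not validated. The method also has no doc comment; suggest `// loadAppInfoFromEnv appends an AppInfo built from SECRETHUB_APP_INFO_NAME and SECRETHUB_APP_INFO_VERSION to c.appInfo, silently skipping it when the name is empty or invalid.` Replacing the outer condition with `if appName == "" { return }` would keep the happy path left-aligned.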
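Review bot: Dropping the `if err != nil { return }` guard means the table's error cases now go on to `client.userAgent()` and the pattern match that follows the hunk; unless those cases set tc.expected to what a client with no applied options produces, restore the early return after `assert.Equal(t, err, tc.err)`. The test also now reads the real process environment through `client.loadAppInfoFromEnv()`, so a `SECRETHUB_APP_INFO_NAME` set on the machine running the tests would add an entry to the user agent and break the match; `t.Setenv("SECRETHUB_APP_INFO_NAME", "")` at the start of the subtest would make it hermetic, provided the module's Go version has t.Setenv. The enclosing subtest starts before this hunk and its pattern check continues after it.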
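Review bot: Mapping a wrong-key failure to the sentinel `ErrCannotDecryptCredential` only helps callers if they can match on it, but the `fmt.Errorf` on the next line formats it with `%v`, which flattens it to text, so `errors.Is(err, ErrCannotDecryptCredential)` never succeeds. If the module targets Go 1.13 or later, change it to `return Key{}, fmt.Errorf("decrypting credential with passphrase read from $%s: %w", credentialPassphraseEnvVar, err)`. Hiding the underlying crypto error behind a generic decrypt failure is reasonable — it keeps the crypto layer's detail out of the user-facing message — but deserves a one-line comment such as `// Report a wrong passphrase as a generic decrypt failure so callers can match the sentinel.` ImportKey's body starts before and continues after this hunk.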