diff --git a/config/production.env b/config/production.env
index 24435f7c..602e2113 100644
--- a/config/production.env
+++ b/config/production.env
@@ -10,7 +10,7 @@ NYPL_OAUTH_URL=https://isso.nypl.org/
 ENCRYPTED_NYPL_OAUTH_ID=AQECAHh7ea2tyZ6phZgT4B9BDKwguhlFtRC6hgt+7HbmeFsrsgAAAGswaQYJKoZIhvcNAQcGoFwwWgIBADBVBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDMLKVUQA58B6vprNcAIBEIAoaz0lI9EL2M9NyTuEwT8JDmPBt6aXfMiFs027DEuwsCN0wS0qWeFL1g==
 ENCRYPTED_NYPL_OAUTH_SECRET=AQECAHh7ea2tyZ6phZgT4B9BDKwguhlFtRC6hgt+7HbmeFsrsgAAAIcwgYQGCSqGSIb3DQEHBqB3MHUCAQAwcAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyWz91LOP2YP5fg0q0CARCAQ9inO9SV1M8R0Pkkx84r7UdwlU1FxfXvIjk/z6Qs81KBAVELhby2iD5LawQyDrR9tjhuMbotS6QnydwwMR/p8+qJXHI=
 
-NYPL_CORE_VERSION=v2.24
+NYPL_CORE_VERSION=v2.25
 
 LOG_LEVEL=info
 FEATURES=on-site-edd
diff --git a/config/qa.env b/config/qa.env
index f27a0361..01e6e867 100644
--- a/config/qa.env
+++ b/config/qa.env
@@ -10,9 +10,9 @@ NYPL_OAUTH_URL=https://isso.nypl.org/
 ENCRYPTED_NYPL_OAUTH_ID=AQECAHh7ea2tyZ6phZgT4B9BDKwguhlFtRC6hgt+7HbmeFsrsgAAAGswaQYJKoZIhvcNAQcGoFwwWgIBADBVBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDMLKVUQA58B6vprNcAIBEIAoaz0lI9EL2M9NyTuEwT8JDmPBt6aXfMiFs027DEuwsCN0wS0qWeFL1g==
 ENCRYPTED_NYPL_OAUTH_SECRET=AQECAHh7ea2tyZ6phZgT4B9BDKwguhlFtRC6hgt+7HbmeFsrsgAAAIcwgYQGCSqGSIb3DQEHBqB3MHUCAQAwcAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyWz91LOP2YP5fg0q0CARCAQ9inO9SV1M8R0Pkkx84r7UdwlU1FxfXvIjk/z6Qs81KBAVELhby2iD5LawQyDrR9tjhuMbotS6QnydwwMR/p8+qJXHI=
 
-NYPL_CORE_VERSION=v2.24
+NYPL_CORE_VERSION=v2.25
 
-LOG_LEVEL=info
+LOG_LEVEL=debug
 FEATURES=on-site-edd
 
 SEARCH_ITEMS_SIZE=3
diff --git a/lib/kms-helper.js b/lib/kms-helper.js
index a320e290..81cfd762 100644
--- a/lib/kms-helper.js
+++ b/lib/kms-helper.js
@@ -1,4 +1,5 @@
 const { KMSClient, DecryptCommand } = require('@aws-sdk/client-kms')
+const logger = require('./logger')
 
 let awsCredentials
 
@@ -16,6 +17,7 @@ async function decrypt (encrypted) {
   // Use credentials if given (local invocations). Otherwise rely on
   // environment (deployed code):
   if (awsCredentials) {
+    logger.debug('KMS decrypt using local AWS credentials')
     config.credentials = awsCredentials
   }
   const client = new KMSClient(config)
diff --git a/lib/load-config.js b/lib/load-config.js
index e0915171..bce305c1 100644
--- a/lib/load-config.js
+++ b/lib/load-config.js
@@ -57,7 +57,7 @@ module.exports.decryptEncryptedConfig = () => {
         const keyWithoutPrefix = key.replace(/^ENCRYPTED_/, '')
         const decrypted = await decrypt(process.env[key])
           .catch((e) => {
-            logger.error(`Load-config: Failed to decrypt ${key}`)
+            logger.error(`Load-config: Failed to decrypt ${key}: ${e}`)
           })
         logger.debug(`Load-config: Decrypted ${key}`)
         process.env[keyWithoutPrefix] = decrypted