diff --git a/lib/config.js b/lib/config.js
index 1c3fcd6..8d76a78 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -40,10 +40,10 @@ function Config(options) {
       throw new Error("encryptionMasterKey must be a string")
     }
     if (options.encryptionMasterKey.length !== 32) {
+      // Security: never include the key value in the error message — the key is a
+      // secret and error messages can propagate to logs, error trackers, or HTTP responses.
       throw new Error(
-        "encryptionMasterKey must be 32 bytes long, but the string '" +
-          options.encryptionMasterKey +
-          "' is " +
+        "encryptionMasterKey must be 32 bytes long, but the provided key is " +
           options.encryptionMasterKey.length +
           " bytes long"
       )
@@ -63,10 +63,10 @@ function Config(options) {
 
     const decodedKey = Buffer.from(options.encryptionMasterKeyBase64, "base64")
     if (decodedKey.length !== 32) {
+      // Security: never include the key value in the error message — the key is a
+      // secret and error messages can propagate to logs, error trackers, or HTTP responses.
       throw new Error(
-        "encryptionMasterKeyBase64 must decode to 32 bytes, but the string " +
-          options.encryptionMasterKeyBase64 +
-          "' decodes to " +
+        "encryptionMasterKeyBase64 must decode to 32 bytes, but the provided key decodes to " +
           decodedKey.length +
           " bytes"
       )