diff --git a/internal/journal/voljournal.go b/internal/journal/voljournal.go
index 988bf71cc..286d84658 100644
--- a/internal/journal/voljournal.go
+++ b/internal/journal/voljournal.go
@@ -383,11 +383,13 @@ func (conn *Connection) CheckReservation(ctx context.Context,
 }
 }
 
- if encryptionType != util.EncryptionTypeInvalid {
+ if encryptionType != util.EncryptionTypeNone {
 if savedImageAttributes.EncryptionType != encryptionType {
 return nil, fmt.Errorf("internal state inconsistent, omap encryption type"+
- " mismatch, request KMS (%s) volume UUID (%s) volume omap KMS (%d)",
- kmsConfig, objUUID, savedImageAttributes.EncryptionType)
+ " mismatch, request type %q(%d) volume UUID (%s) volume omap encryption type %q (%d)",
+ util.EncryptionTypeString(encryptionType), encryptionType,
+ objUUID, util.EncryptionTypeString(savedImageAttributes.EncryptionType),
+ savedImageAttributes.EncryptionType)
 }
 }
 
diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 2489ab014..9eb67a1db 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -83,17 +83,29 @@ func FetchEncryptionKMSID(encrypted, kmsID string) (string, error) {
 type EncryptionType int
 
 const (
+ // EncryptionTypeInvalid signals invalid or unsupported configuration.
 EncryptionTypeInvalid EncryptionType = iota
- EncryptionTypeBlock = iota
- EncryptionTypeFile = iota
+ // EncryptionTypeNone disables encryption.
+ EncryptionTypeNone
+ // EncryptionTypeBlock enables block encryption.
+ EncryptionTypeBlock
+ // EncryptionTypeBlock enables file encryption (fscrypt).
+ EncryptionTypeFile
+)
+
+const (
+ encryptionTypeBlockString = "block"
+ encryptionTypeFileString = "file"
 )
 
 func ParseEncryptionType(typeStr string) EncryptionType {
 switch typeStr {
- case "block":
+ case encryptionTypeBlockString:
 return EncryptionTypeBlock
- case "file":
+ case encryptionTypeFileString:
 return EncryptionTypeFile
+ case "":
+ return EncryptionTypeNone
 default:
 return EncryptionTypeInvalid
 }
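Review bot: Now that the guard skips only EncryptionTypeNone, a request carrying EncryptionTypeInvalid — which FetchEncryptionType in this same change returns for an explicitly empty or unrecognised encryptionType option — falls into the comparison and is reported as `internal state inconsistent, omap encryption type mismatch`, so a caller configuration error surfaces as journal corruption. Reject it before the comparison, e.g. `if encryptionType == util.EncryptionTypeInvalid { return nil, fmt.Errorf("invalid encryption type requested for volume UUID (%s)", objUUID) }`, and keep the mismatch error for genuinely inconsistent state. The skip also means a request for no encryption against a reservation recorded as block or file encrypted is not caught here; if nothing downstream enforces that, consider comparing whenever the saved type is not EncryptionTypeNone as well. Minor: the format string writes `%q(%d)` for the request but `%q (%d)` for the omap side. CheckReservation begins and ends outside the hunk.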
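Review bot: Inserting EncryptionTypeNone between EncryptionTypeInvalid and EncryptionTypeBlock renumbers Block (1 to 2) and File (2 to 3), which is only safe if nothing persists or transmits the integer value; the voljournal hunk prints `savedImageAttributes.EncryptionType` with `%d`, so please confirm the omap stores the string form ("block"/"file") rather than the number, otherwise existing reservations would be misread after an upgrade. The doc comment on the last constant is a copy-paste slip and does not start with the name it documents: `// EncryptionTypeBlock enables file encryption (fscrypt).` should read `// EncryptionTypeFile enables file encryption (fscrypt).`. ParseEncryptionType also gains `case "": return EncryptionTypeNone` while FetchEncryptionType maps an explicitly empty option to EncryptionTypeInvalid; a one-line comment on the case, e.g. `// "" means no encryption requested; FetchEncryptionType rejects an explicitly empty option before reaching here.`, would spare the next reader the reconciliation. ParseEncryptionType's closing brace is outside the hunk.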
@@ -102,13 +114,15 @@ func ParseEncryptionType(typeStr string) EncryptionType {
 func EncryptionTypeString(encType EncryptionType) string {
 switch encType {
 case EncryptionTypeBlock:
- return "block"
+ return encryptionTypeBlockString
 case EncryptionTypeFile:
- return "file"
+ return encryptionTypeFileString
+ case EncryptionTypeNone:
+ return ""
 case EncryptionTypeInvalid:
- return ""
+ return "INVALID"
 default:
- return ""
+ return "UNKNOWN"
 }
 }
 
@@ -121,6 +135,10 @@ func FetchEncryptionType(volOptions map[string]string, fallback EncryptionType)
 return fallback
 }
 
+ if encType == "" {
+ return EncryptionTypeInvalid
+ }
+
 return ParseEncryptionType(encType)
 }
 
diff --git a/internal/util/crypto_test.go b/internal/util/crypto_test.go
index a5bb49da6..f4f0f5716 100644
--- a/internal/util/crypto_test.go
+++ b/internal/util/crypto_test.go
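Review bot: The added `if encType == ""` branch makes an explicitly empty encryptionType option fail closed as EncryptionTypeInvalid while ParseEncryptionType("") in the same change returns EncryptionTypeNone, so the two entry points disagree on the empty string; the new tests pin this, so it looks deliberate, but the branch carries no explanation. Add a comment at the branch, e.g. `// An explicitly empty encryptionType is a misconfiguration, not "no encryption": only an absent key falls back.`. FetchEncryptionType's signature, the map lookup and any doc comment it has are outside the hunk; if a doc comment exists it should state that an empty value is rejected rather than treated as unencrypted.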
@@ -63,3 +63,34 @@ func TestKMSWorkflow(t *testing.T) {
 assert.NoError(t, err)
 assert.Equal(t, secrets["encryptionPassphrase"], passphrase)
 }
+
+func TestEncryptionType(t *testing.T) {
+ t.Parallel()
+ assert.EqualValues(t, EncryptionTypeInvalid, ParseEncryptionType("wat?"))
+ assert.EqualValues(t, EncryptionTypeInvalid, ParseEncryptionType("both"))
+ assert.EqualValues(t, EncryptionTypeInvalid, ParseEncryptionType("file,block"))
+ assert.EqualValues(t, EncryptionTypeInvalid, ParseEncryptionType("block,file"))
+ assert.EqualValues(t, EncryptionTypeBlock, ParseEncryptionType("block"))
+ assert.EqualValues(t, EncryptionTypeFile, ParseEncryptionType("file"))
+ assert.EqualValues(t, EncryptionTypeNone, ParseEncryptionType(""))
+
+ for _, s := range []string{"file", "block", ""} {
+ assert.EqualValues(t, s, EncryptionTypeString(ParseEncryptionType(s)))
+ }
+}
+
+func TestFetchEncryptionType(t *testing.T) {
+ t.Parallel()
+ volOpts := map[string]string{}
+ assert.EqualValues(t, EncryptionTypeBlock, FetchEncryptionType(volOpts, EncryptionTypeBlock))
+ assert.EqualValues(t, EncryptionTypeFile, FetchEncryptionType(volOpts, EncryptionTypeFile))
+ assert.EqualValues(t, EncryptionTypeNone, FetchEncryptionType(volOpts, EncryptionTypeNone))
+ volOpts["encryptionType"] = ""
+ assert.EqualValues(t, EncryptionTypeInvalid, FetchEncryptionType(volOpts, EncryptionTypeNone))
+ volOpts["encryptionType"] = "block"
+ assert.EqualValues(t, EncryptionTypeBlock, FetchEncryptionType(volOpts, EncryptionTypeNone))
+ volOpts["encryptionType"] = "file"
+ assert.EqualValues(t, EncryptionTypeFile, FetchEncryptionType(volOpts, EncryptionTypeNone))
+ volOpts["encryptionType"] = "INVALID"
+ assert.EqualValues(t, EncryptionTypeInvalid, FetchEncryptionType(volOpts, EncryptionTypeNone))
+}
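Review bot: The new tests never exercise the two sentinel strings EncryptionTypeString now returns, so a regression back to the old `""` for Invalid or unknown values would still pass; add `assert.Equal(t, "INVALID", EncryptionTypeString(EncryptionTypeInvalid))` and `assert.Equal(t, "UNKNOWN", EncryptionTypeString(EncryptionType(42)))` to TestEncryptionType. TestFetchEncryptionType only checks the fallback path with Block, File and None; one case passing EncryptionTypeInvalid as the fallback would pin that an absent key returns the fallback unchanged rather than being special-cased. Both new test functions are complete within the hunk.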