diff --git a/encryption-service-vault/build.gradle b/encryption-service-vault/build.gradle
index adb4800..0d83ae6 100644
--- a/encryption-service-vault/build.gradle
+++ b/encryption-service-vault/build.gradle
@@ -1,6 +1,6 @@
 coppuccino {
 coverage {
- minimumCoverage = 0.89
+ minimumCoverage = 0.88
 }
 dependencies {
 excludePreReleaseVersions = false
diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
index b0a4179..326049b 100644
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
@@ -324,6 +324,10 @@ private void validateVaultAuthenticationResponse(VaultResponse response, String
 @SuppressWarnings("checkstyle:MagicNumber")
 private void validateVaultOperationResponse(VaultResponse response, String errorMessage) {
 if (response != null && response.getRestResponse() != null && (response.getRestResponse().getStatus() < 200 || response.getRestResponse().getStatus() >= 300)) {
+ byte[] body = response.getRestResponse().getBody();
+ if (body != null) {
+ throw new VaultEncryptionOperationException(errorMessage + " (" + response.getRestResponse().getStatus() + "): " + new String(body, StandardCharsets.UTF_8));
+ }
 throw new VaultEncryptionOperationException(errorMessage + " (" + response.getRestResponse().getStatus() + ")");
 }
 }
diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
index c4724a3..06c441d 100644
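Review bot: The new `throw` in validateVaultOperationResponse copies the whole Vault response body into the exception message with no length cap and no neutralisation of control characters. Wherever that message ends up (logs, or a caller-facing error if the exception is rendered upstream, which this hunk does not show), the upstream service's text goes with it, so newlines in the body can forge log lines and the error detail may describe internal paths or policy. I would bound and clean it before appending, e.g. `String detail = new String(body, 0, Math.min(body.length, MAX_ERROR_BODY_BYTES), StandardCharsets.UTF_8).replaceAll("\\p{Cntrl}", " ");` with `MAX_ERROR_BODY_BYTES` as a new constant, or log the body at debug level and keep the message at the status code. The two `throw` statements also repeat the same prefix; building the message once and appending the detail only when `body != null` would remove the duplication.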
--- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
+++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
@@ -17,8 +17,10 @@ import com.bettercloud.vault.api.Auth
 import com.bettercloud.vault.api.Logical
 import com.bettercloud.vault.response.AuthResponse
 import com.bettercloud.vault.response.LogicalResponse
+import com.bettercloud.vault.response.VaultResponse
 import com.bettercloud.vault.rest.RestResponse
 import com.google.common.collect.ImmutableMap
+import com.mx.path.core.common.accessor.PathResponseStatus
 import spock.lang.Specification
 import spock.lang.Unroll
@@ -659,4 +661,21 @@ class VaultEncryptionServiceTest extends Specification {
 then:
 subject.getConfiguration() == config
 }
+
+ def "validateVaultOperationResponse throws exception"() {
+ given:
+ subject = new VaultEncryptionService(configWithAppId())
+ subject.setDriver(vaultDriver)
+
+ def decryptResponse = new LogicalResponse(new RestResponse(400, "mimeType", "bad response".getBytes()), 2, null)
+ when(logicalDriver.write(eq("transit/decrypt/test-key"), any())).thenReturn(decryptResponse)
+
+ when:
+ subject.decrypt("vault-12345")
+
+ then:
+ def ex = thrown(VaultEncryptionOperationException)
+ ex.status == PathResponseStatus.INTERNAL_ERROR
+ ex.message == "Vault decrypt failed (400): bad response"
+ }
 }
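Review bot: The added spec exercises only the non-null body path, so the fallback `throw` that produces a message ending in `(400)` with no body has no case here; that gap may be why the coverage floor in build.gradle drops from 0.89 to 0.88 in this same commit. A second case with a response whose body is null (constructed or mocked, whichever the driver allows) expecting `"Vault decrypt failed (400)"` would cover it and might make lowering the threshold unnecessary. The fixture uses `"bad response".getBytes()`, which encodes with the platform default charset while the service decodes as UTF-8; `"bad response".getBytes("UTF-8")` keeps the two sides aligned if the fixture ever gains non-ASCII text. The `VaultResponse` import added in the first hunk is not referenced by the new spec as shown here.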