diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
index 4f030772eb9..30cf553502a 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
@@ -83,6 +83,7 @@ func TestEnvelopeCaching(t *testing.T) {
 desc string
 cacheSize int
 simulateKMSPluginFailure bool
+ expectedError string
 }{
 {
 desc: "positive cache size should withstand plugin failure",
@@ -90,8 +91,15 @@ func TestEnvelopeCaching(t *testing.T) {
 simulateKMSPluginFailure: true,
 },
 {
- desc: "cache disabled size should not withstand plugin failure",
- cacheSize: 0,
+ desc: "cache disabled size should not withstand plugin failure",
+ cacheSize: 0,
+ simulateKMSPluginFailure: true,
+ expectedError: "Envelope service was disabled",
+ },
+ {
+ desc: "cache disabled, no plugin failure should succeed",
+ cacheSize: 0,
+ simulateKMSPluginFailure: false,
 },
 }
@@ -119,13 +127,21 @@ func TestEnvelopeCaching(t *testing.T) {
 }
 envelopeService.SetDisabledStatus(tt.simulateKMSPluginFailure)
- // Subsequent read for the same data should work fine due to caching.
 untransformedData, _, err = envelopeTransformer.TransformFromStorage(ctx, transformedData, dataCtx)
- if err != nil {
- t.Fatalf("could not decrypt Envelope transformer's encrypted data using just cache: %v", err)
- }
- if !bytes.Equal(untransformedData, originalText) {
- t.Fatalf("envelopeTransformer transformed data incorrectly using cache. Got: %v, want %v", untransformedData, originalText)
+ if tt.expectedError != "" {
+ if err == nil {
+ t.Fatalf("expected error: %v, got nil", tt.expectedError)
+ }
+ if err.Error() != tt.expectedError {
+ t.Fatalf("expected error: %v, got: %v", tt.expectedError, err)
+ }
+ } else {
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if !bytes.Equal(untransformedData, originalText) {
+ t.Fatalf("envelopeTransformer transformed data incorrectly. Expected: %v, got %v", originalText, untransformedData)
+ }
 }
 })
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
index 2229444d9d0..869a8cd177f 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
@@ -95,6 +95,7 @@ func TestEnvelopeCaching(t *testing.T) {
 desc string
 cacheSize int
 simulateKMSPluginFailure bool
+ expectedError string
 }{
 {
 desc: "positive cache size should withstand plugin failure",
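Review bot: In the `tt.expectedError != ""` branch of the `@@ -119,13 +127,21 @@` hunk the test checks only the error and never looks at `untransformedData`, so a regression in which `TransformFromStorage` returns data together with the error would still pass. This path models a read while the KMS plugin is unavailable and nothing is cached, so it is worth pinning that no bytes come back: `if len(untransformedData) != 0 { t.Fatalf("expected no data on error, got %d bytes", len(untransformedData)) }` after the message check. The matching `@@ -131,13 +139,21 @@` hunk in kmsv2/envelope_test.go has the same gap. TestEnvelopeCaching begins outside the hunk, so whether `untransformedData` is reset before this call is not visible here.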
@@ -102,8 +103,15 @@ func TestEnvelopeCaching(t *testing.T) {
 simulateKMSPluginFailure: true,
 },
 {
- desc: "cache disabled size should not withstand plugin failure",
- cacheSize: 0,
+ desc: "cache disabled size should not withstand plugin failure",
+ cacheSize: 0,
+ simulateKMSPluginFailure: true,
+ expectedError: "failed to decrypt DEK, error: Envelope service was disabled",
+ },
+ {
+ desc: "cache disabled, no plugin failure should succeed",
+ cacheSize: 0,
+ simulateKMSPluginFailure: false,
 },
 }
@@ -131,13 +139,21 @@ func TestEnvelopeCaching(t *testing.T) {
 }
 envelopeService.SetDisabledStatus(tt.simulateKMSPluginFailure)
- // Subsequent read for the same data should work fine due to caching.
 untransformedData, _, err = envelopeTransformer.TransformFromStorage(ctx, transformedData, dataCtx)
- if err != nil {
- t.Fatalf("could not decrypt Envelope transformer's encrypted data using just cache: %v", err)
- }
- if !bytes.Equal(untransformedData, originalText) {
- t.Fatalf("envelopeTransformer transformed data incorrectly using cache. Got: %v, want %v", untransformedData, originalText)
+ if tt.expectedError != "" {
+ if err == nil {
+ t.Fatalf("expected error: %v, got nil", tt.expectedError)
+ }
+ if err.Error() != tt.expectedError {
+ t.Fatalf("expected error: %v, got: %v", tt.expectedError, err)
+ }
+ } else {
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if !bytes.Equal(untransformedData, originalText) {
+ t.Fatalf("envelopeTransformer transformed data incorrectly. Expected: %v, got %v", originalText, untransformedData)
+ }
 }
 })
 }
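Review bot: The `expectedError` added in the `@@ -102,8 +103,15 @@` hunk pins the full wrapped text `failed to decrypt DEK, error: Envelope service was disabled`, and the assertion compares it with `err.Error() != tt.expectedError`, so rewording the wrapper in the transformer would fail this test even though the behaviour under test is unchanged. Matching on the inner message would be less brittle and would let both test files share one value: `expectedError: "Envelope service was disabled"` together with `if !strings.Contains(err.Error(), tt.expectedError) {`. That needs the `strings` import, which this diff does not show. A short comment on the field, such as `// expectedError is the error text expected from the second read; empty means the read must succeed.`, would also make the table self-explanatory.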