--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -130,7 +130,7 @@
 .await
 .context("failed to call remote host for decrypt")?;
 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
- ensure!(!data.encrypted, "didn't decrypted secret");
+ ensure!(!data.encrypted, "secret came out encrypted");
 Ok(data.data)
 }
 pub async fn reencrypt(&self, data: SecretData, targets: Vec) -> Result {
@@ -147,7 +147,7 @@
 .await
 .context("failed to call remote host for decrypt")?;
 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
- ensure!(!data.encrypted, "didn't decrypted secret");
+ ensure!(data.encrypted, "secret came out not encrypted");
 Ok(data)
 }
 /// Returns path for futureproofing, as path might change i.e on conversion to CA
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,7 +5,7 @@
 ...
 }:
 with lib; let
- inherit (lib.strings) hasPrefix stripPrefix;
+ inherit (lib.strings) hasPrefix removePrefix;
 plaintextPrefix = "";
 plaintextNewlinePrefix = "<PLAINTEXT-NL>";
@@ -40,9 +40,9 @@
 hash = mkOptionDefault (builtins.hashString "sha1" config.raw);
 data = mkOptionDefault (
 if hasPrefix plaintextPrefix config.raw
- then stripPrefix plaintextPrefix config.raw
+ then removePrefix plaintextPrefix config.raw
 else if hasPrefix plaintextNewlinePrefix config.raw
- then stripPrefix plaintextNewlinePrefix config.raw
+ then removePrefix plaintextNewlinePrefix config.raw
 else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"
 );
 path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";
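Review bot: The corrected `ensure!(data.encrypted, ...)` in `reencrypt` only checks a flag that `encoded.parse()` just read out of the remote host's reply, so a remote that echoes the input back with the flag set (or encrypts to the wrong recipients) still passes; if `SecretData` exposes its recipient set, it is worth also asserting it matches the requested `targets`, along the lines of `ensure!(data.recipients == targets, "reencrypted secret has unexpected recipients");` (field name to be confirmed against the type). The `.context("failed to call remote host for decrypt")` line directly above was copied from `decrypt` and should read `"failed to call remote host for reencrypt"` so a failure here is attributed to the right operation. The body of `reencrypt` begins in the previous hunk, outside this one, so the RPC call itself is not visible here.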
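Review bot: The new `then removePrefix plaintextPrefix config.raw` branch is taken for every value of `config.raw`, because `plaintextPrefix` is bound to `""` in the hunk above and `hasPrefix ""` is true for any string; as a result the `<PLAINTEXT-NL>` branch and the `throw` that is supposed to reject non-plaintext parts are unreachable, and `.data` silently returns the raw value of an encrypted part. Unless the empty prefix is deliberate, either give `plaintextPrefix` a real marker or test `plaintextNewlinePrefix` first and replace the empty-prefix test with whatever condition actually identifies a public plaintext part, so the guard fires. The `hash = ... hashString "sha1" config.raw` line is unchanged context, but note that the resulting path embeds a digest of the raw value, which may be worth a comment on why that is acceptable.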