diff --git a/internal/pkg/service/common/dependencies/encryption.go b/internal/pkg/service/common/dependencies/encryption.go
index ba13eede6d..f1a5acf755 100644
--- a/internal/pkg/service/common/dependencies/encryption.go
+++ b/internal/pkg/service/common/dependencies/encryption.go
@@ -27,7 +27,7 @@ func newEncryptionScope(ctx context.Context, cfg encryption.Config, d encryption
 ctx, span := d.Telemetry().Tracer().Start(ctx, "keboola.go.common.dependencies.NewEncryptionScope")
 defer span.End(&err)
 
- encryptor, err := encryption.NewEncryptor(ctx, cfg)
+ encryptor, err := encryption.NewEncryptor(ctx, cfg, d.Logger())
 if err != nil {
 return nil, err
 }
diff --git a/internal/pkg/service/stream/encryption/encryption.go b/internal/pkg/service/stream/encryption/encryption.go
index c738d0e9e7..5f9455633e 100644
--- a/internal/pkg/service/stream/encryption/encryption.go
+++ b/internal/pkg/service/stream/encryption/encryption.go
@@ -4,6 +4,8 @@ import (
 "context"
 
 "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt"
+
+ "github.com/keboola/keboola-as-code/internal/pkg/log"
 )
 
 const (
@@ -16,7 +18,7 @@ const (
 
 type Provider string
 
-func NewEncryptor(ctx context.Context, config Config) (cloudencrypt.Encryptor, error) {
+func NewEncryptor(ctx context.Context, config Config, logger log.Logger) (cloudencrypt.Encryptor, error) {
 var encryptor cloudencrypt.Encryptor
 var err error
 
@@ -47,6 +49,11 @@ func NewEncryptor(ctx context.Context, config Config) (cloudencrypt.Encryptor, e
 }
 }
 
+ encryptor, err = NewLoggedEncryptor(ctx, encryptor, logger)
+ if err != nil {
+ return nil, err
+ }
+
 encryptor, err = cloudencrypt.NewDualEncryptor(ctx, encryptor)
 if err != nil {
 return nil, err
diff --git a/internal/pkg/service/stream/encryption/log.go b/internal/pkg/service/stream/encryption/log.go
new file mode 100644
index 0000000000..819895cbce
--- /dev/null
+++ b/internal/pkg/service/stream/encryption/log.go
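Review bot: The wrap added in the `@@ -47,6 +49,11 @@` hunk of NewEncryptor is unconditional, so after it `encryptor` is a non-nil `*LoggedEncryptor` even when the provider selection above assigned nothing. That selection is outside the hunk, so this is inferred: if any branch can fall through with `encryptor` still nil, `cloudencrypt.NewDualEncryptor` can no longer detect it, and the first `Encrypt` or `Decrypt` would dereference the nil inner encryptor instead of failing at construction. A guard placed before the wrap keeps the failure early and explicit, e.g. `if encryptor == nil { return nil, errors.New("encryption provider not configured") }`. NewEncryptor's body starts and ends outside the hunk.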
@@ -0,0 +1,50 @@
+package encryption
+
+import (
+ "context"
+
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt"
+
+ "github.com/keboola/keboola-as-code/internal/pkg/log"
+)
+
+// LoggedEncryptor wraps another Encryptor and adds logging.
+type LoggedEncryptor struct {
+ encryptor cloudencrypt.Encryptor
+ logger log.Logger
+}
+
+func NewLoggedEncryptor(ctx context.Context, encryptor cloudencrypt.Encryptor, logger log.Logger) (*LoggedEncryptor, error) {
+ return &LoggedEncryptor{
+ encryptor: encryptor,
+ logger: logger,
+ }, nil
+}
+
+func (encryptor *LoggedEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata cloudencrypt.Metadata) ([]byte, error) {
+ encryptedValue, err := encryptor.encryptor.Encrypt(ctx, plaintext, metadata)
+ if err != nil {
+ encryptor.logger.Infof(ctx, "encryption error: %s", err.Error())
+ return nil, err
+ }
+
+ encryptor.logger.Info(ctx, "encryption success")
+
+ return encryptedValue, nil
+}
+
+func (encryptor *LoggedEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata cloudencrypt.Metadata) ([]byte, error) {
+ plaintext, err := encryptor.encryptor.Decrypt(ctx, ciphertext, metadata)
+ if err != nil {
+ encryptor.logger.Infof(ctx, "decryption error: %s", err.Error())
+ return nil, err
+ }
+
+ encryptor.logger.Info(ctx, "decryption success")
+
+ return plaintext, nil
+}
+
+func (encryptor *LoggedEncryptor) Close() error {
+ return encryptor.encryptor.Close()
+}
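Review bot: The failure branches of Encrypt and Decrypt log at Info and then return the same error, so a failed decrypt (the event most worth alerting on) has the same severity as the per-call "success" lines and is likely to be reported a second time by the caller. Raising the level would make failures filterable, e.g. `encryptor.logger.Warnf(ctx, "decryption error: %s", err.Error())`, assuming the logger offers the usual sibling of `Infof`; the two success lines could drop to Debug so they do not flood the log on a hot path. The provider's error text is written verbatim, so it is worth confirming that it never embeds key identifiers or metadata values. NewLoggedEncryptor accepts a nil `encryptor` or `logger` and always returns a nil error; a nil check there would turn a later panic into a construction-time error, and the constructor and methods would benefit from doc comments saying that only outcomes, never plaintext or ciphertext, are logged.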