diff --git a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
index 91f9fd834..da9bc9b6b 100644
--- a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
+++ b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
@@ -98,9 +98,12 @@ def decrypt(self, encrypted_wrapped_data_key, encryption_context):
 if self.wrapping_key_type is EncryptionKeyType.PUBLIC:
 raise IncorrectMasterKeyError("Public key cannot decrypt")
 if self.wrapping_key_type is EncryptionKeyType.PRIVATE:
- return self._wrapping_key.decrypt(
- ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding
- )
+ try:
+ return self._wrapping_key.decrypt(
+ ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding
+ )
+ except ValueError:
+ raise IncorrectMasterKeyError("_wrapping_key cannot decrypt provided ciphertext")
 serialized_encryption_context = serialize_encryption_context(encryption_context=encryption_context)
 return decrypt(
 algorithm=self.wrapping_algorithm.algorithm,
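Review bot: The new `except ValueError` covers only the private-key branch, so the symmetric `decrypt(...)` call at the end of this hunk still lets its own failure exception escape untranslated. If callers rely on `IncorrectMasterKeyError` to move on to the next key, that path presumably needs the same handling; the method starts before and continues past the hunk, so this cannot be confirmed from here. Folding every RSA decrypt failure into one generic error is the right shape, because telling padding failures apart from other failures is what a padding oracle feeds on. A comment above the `except` would keep it that way, for example `# One generic error for every RSA decrypt failure; never surface padding details.` The message also exposes the private attribute name `_wrapping_key`; `"Private wrapping key cannot decrypt provided ciphertext"` reads better to a caller, and the docstring should gain a `:raises IncorrectMasterKeyError:` entry for this case.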