diff --git a/cli/pkg/secrets/secret.go b/cli/pkg/secrets/secret.go
index 155c114d57..003755ca76 100644
--- a/cli/pkg/secrets/secret.go
+++ b/cli/pkg/secrets/secret.go
@@ -22,6 +22,7 @@ func IsRunningInContainer() bool {
 const (
 	secretService = "ente"
 	secretUser    = "ente-cli-user"
+	keyLength     = 32
 )
 
 func GetOrCreateClISecret() []byte {
@@ -30,7 +31,6 @@ func GetOrCreateClISecret() []byte {
 
 	if err != nil {
 		if !errors.Is(err, keyring.ErrNotFound) {
-
 			if secretsFile := os.Getenv("ENTE_CLI_SECRETS_PATH"); secretsFile != "" {
 				return GetSecretFromSecretText(secretsFile)
 			}
@@ -40,7 +40,7 @@ func GetOrCreateClISecret() []byte {
 				log.Fatal(fmt.Errorf("error getting password from keyring: %w", err))
 			}
 		}
-		key := make([]byte, 32)
+		key := make([]byte, keyLength)
 		_, err = rand.Read(key)
 		if err != nil {
 			log.Fatal(fmt.Errorf("error generating key: %w", err))
@@ -54,13 +54,13 @@ func GetOrCreateClISecret() []byte {
 	}
 	// Try to decode the secret as base64
 	decodedSecret, err := base64.StdEncoding.DecodeString(secret)
-	if err == nil && len(decodedSecret) == 32 {
+	if err == nil && len(decodedSecret) == keyLength {
 		// If successful and the length is correct, return the decoded secret
 		return decodedSecret
 	}
 	// If decoding fails or the length is incorrect, treat it as a legacy key
 	legacySecret := []byte(secret)
-	if len(legacySecret) != 32 {
+	if len(legacySecret) != keyLength {
 		// See https://github.com/ente-io/ente/issues/1510#issuecomment-2331676096 for more information
 		log.Println("Warning: Existing key is not 32 bytes. Deleting it")
 		delErr := keyring.Delete(secretService, secretUser)
@@ -71,12 +71,12 @@ func GetOrCreateClISecret() []byte {
 			return GetOrCreateClISecret()
 		}
 	}
-	// If it's a 32-byte legacy key, return it as-is
+	// If it's a keyLength-byte legacy key, return it as-is
 	return legacySecret
 }
 
 // GetSecretFromSecretText reads the scecret from the secret text file.
-// If the file does not exist, it will be created and write random 32 byte secret to it.
+// If the file does not exist, it will be created and write random keyLength bytes secret to it.
 func GetSecretFromSecretText(secretFilePath string) []byte {
 
 	// Check if file exists
@@ -86,7 +86,7 @@ func GetSecretFromSecretText(secretFilePath string) []byte {
 			log.Fatal(fmt.Errorf("error checking secret file: %w", err))
 		}
 		// File does not exist; create and write a random 32-byte secret
-		key := make([]byte, 32)
+		key := make([]byte, keyLength)
 		_, err := rand.Read(key)
 		if err != nil {
 			log.Fatal(fmt.Errorf("error generating key: %w", err))
@@ -102,5 +102,8 @@ func GetSecretFromSecretText(secretFilePath string) []byte {
 	if err != nil {
 		log.Fatal(fmt.Errorf("error reading from secret file: %w", err))
 	}
+	if len(secret) != keyLength {
+		log.Fatal(fmt.Errorf("error reading from secret file: expected %d bytes, got %d", keyLength, len(secret)))
+	}
 	return secret
 }