diff --git a/.github/workflows/jobs.yaml b/.github/workflows/jobs.yaml index 33eadc9fa..cbe0358da 100644 --- a/.github/workflows/jobs.yaml +++ b/.github/workflows/jobs.yaml @@ -1539,7 +1539,7 @@ jobs: go tool cover -func=all.out | grep total > tmp2 result=`cat tmp2 | awk 'END {print $3}'` result=${result%\%} - threshold=67.7 + threshold=68.5 echo "Result:" echo "$result%" if (( $(echo "$result >= $threshold" |bc -l) )); then diff --git a/operatorapi/tenants_2_test.go b/operatorapi/tenants_2_test.go index 8dc84f068..cc2274875 100644 --- a/operatorapi/tenants_2_test.go +++ b/operatorapi/tenants_2_test.go @@ -666,15 +666,8 @@ func (suite *TenantTestSuite) TestUpdateTenantSecurityWithoutError() { opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) { return &miniov2.Tenant{}, nil } - runAsUser := "1000" - runAsGroup := "1000" - fsGroup := "1000" params, _ := suite.initUpdateTenantSecurityRequest() - params.Body.SecurityContext = &models.SecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsGroup, - FsGroup: fsGroup, - } + params.Body.SecurityContext = suite.createMockModelsSecurityContext() err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params) suite.assert.Nil(err) } @@ -1211,9 +1204,6 @@ func (suite *TenantTestSuite) TestSetTenantMonitoringWithTenantUpdateError() { opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) { return nil, errors.New("mock-tenant-update-error") } - runAsUser := "1000" - runAsGroup := "1000" - fsGroup := "1000" params, _ := suite.initSetTenantMonitoringRequest() params.Data = &models.TenantMonitoringInfo{ Labels: []*models.Label{{ 
@@ -1231,11 +1221,7 @@ func (suite *TenantTestSuite) TestSetTenantMonitoringWithTenantUpdateError() { MonitoringCPURequest: "1", MonitoringMemRequest: "1Gi", DiskCapacityGB: "1Gi", - SecurityContext: &models.SecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsGroup, - FsGroup: fsGroup, - }, + SecurityContext: suite.createMockModelsSecurityContext(), } tenant := &miniov2.Tenant{ Spec: miniov2.TenantSpec{ @@ -1251,16 +1237,9 @@ func (suite *TenantTestSuite) TestSetTenantMonitoringWithoutError() { opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) { return nil, nil } - runAsUser := "1000" - runAsGroup := "1000" - fsGroup := "1000" params, _ := suite.initSetTenantMonitoringRequest() params.Data = &models.TenantMonitoringInfo{ - SecurityContext: &models.SecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsGroup, - FsGroup: fsGroup, - }, + SecurityContext: suite.createMockModelsSecurityContext(), } tenant := &miniov2.Tenant{ Spec: miniov2.TenantSpec{ 
@@ -1519,6 +1498,177 @@ func (suite *TenantTestSuite) TestTenantUpdateEncryptionHandlerWithError() { suite.assert.True(ok) } +func (suite *TenantTestSuite) TestTenantUpdateEncryptionWithExternalCertError() { + params, _ := suite.initTenantUpdateEncryptionRequest() + params.Body = &models.EncryptionConfiguration{ + ServerTLS: &models.KeyPairConfiguration{}, + } + opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) { + return &miniov2.Tenant{ + Spec: miniov2.TenantSpec{ + KES: &miniov2.KESConfig{ + ExternalCertSecret: &miniov2.LocalCertificateReference{ + Name: "mock-crt", + }, + }, + }, + }, nil + } + err := tenantUpdateEncryption(context.Background(), suite.opClient, suite.k8sclient, params.Namespace, params) + suite.assert.NotNil(err) +} + +func (suite *TenantTestSuite) TestTenantUpdateEncryptionWithExternalClientCertError() { + params, _ := suite.initTenantUpdateEncryptionRequest() + params.Body = &models.EncryptionConfiguration{ + MinioMtls: &models.KeyPairConfiguration{}, + } + opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) { + return &miniov2.Tenant{ + Spec: miniov2.TenantSpec{ + ExternalClientCertSecret: &miniov2.LocalCertificateReference{ + Name: "mock-crt", + }, + }, + }, nil + } + err := tenantUpdateEncryption(context.Background(), suite.opClient, suite.k8sclient, params.Namespace, params) + suite.assert.NotNil(err) +} + +func (suite *TenantTestSuite) TestTenantUpdateEncryptionAWSWithoutError() { + params, _ := suite.initTenantUpdateEncryptionRequest() + endpoint := "mock-endpoint" + region := "mock-region" + ak := "mock-accesskey" + sk := "mock-secretkey" + params.Body = &models.EncryptionConfiguration{ + Replicas: "1", + SecurityContext: suite.createMockModelsSecurityContext(), + SecretsToBeDeleted: []string{"mock-crt"}, + Aws: &models.AwsConfiguration{ + Secretsmanager: 
&models.AwsConfigurationSecretsmanager{ + Endpoint: &endpoint, + Region: ®ion, + Kmskey: "mock-kmskey", + Credentials: &models.AwsConfigurationSecretsmanagerCredentials{ + Accesskey: &ak, + Secretkey: &sk, + }, + }, + }, + } + k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) { + return nil, nil + } + opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) { + return &miniov2.Tenant{ + Spec: miniov2.TenantSpec{ + ExternalClientCertSecret: &miniov2.LocalCertificateReference{ + Name: "mock-crt", + }, + KES: &miniov2.KESConfig{ + ExternalCertSecret: &miniov2.LocalCertificateReference{ + Name: "mock-crt", + }, + }, + }, + }, nil + } + opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) { + return nil, nil + } + err := tenantUpdateEncryption(context.Background(), suite.opClient, suite.k8sclient, params.Namespace, params) + suite.assert.Nil(err) +} + +func (suite *TenantTestSuite) TestTenantUpdateEncryptionGemaltoWithoutError() { + params, _ := suite.initTenantUpdateEncryptionRequest() + endpoint := "mock-endpoint" + token := "mock-token" + domain := "mock-domain" + params.Body = &models.EncryptionConfiguration{ + Replicas: "1", + SecurityContext: suite.createMockModelsSecurityContext(), + Gemalto: &models.GemaltoConfiguration{ + Keysecure: &models.GemaltoConfigurationKeysecure{ + Endpoint: &endpoint, + Credentials: &models.GemaltoConfigurationKeysecureCredentials{ + Token: &token, + Domain: &domain, + }, + }, + }, + KmsMtls: &models.EncryptionConfigurationAO1KmsMtls{ + Ca: "bW9jaw==", + }, + } + suite.prepareEncryptionUpdateMocksNoError() + err := tenantUpdateEncryption(context.Background(), suite.opClient, suite.k8sclient, params.Namespace, params) + suite.assert.Nil(err) +} + +func (suite *TenantTestSuite) 
TestTenantUpdateEncryptionGCPWithoutError() { + params, _ := suite.initTenantUpdateEncryptionRequest() + project := "mock-project" + params.Body = &models.EncryptionConfiguration{ + Replicas: "1", + SecurityContext: suite.createMockModelsSecurityContext(), + Gcp: &models.GcpConfiguration{ + Secretmanager: &models.GcpConfigurationSecretmanager{ + ProjectID: &project, + Endpoint: "mock-endpoint", + Credentials: &models.GcpConfigurationSecretmanagerCredentials{ + ClientEmail: "mock", + ClientID: "mock", + PrivateKey: "mock", + PrivateKeyID: "mock", + }, + }, + }, + } + suite.prepareEncryptionUpdateMocksNoError() + err := tenantUpdateEncryption(context.Background(), suite.opClient, suite.k8sclient, params.Namespace, params) + suite.assert.Nil(err) +} + +func (suite *TenantTestSuite) TestTenantUpdateEncryptionAzureWithoutError() { + params, _ := suite.initTenantUpdateEncryptionRequest() + endpoint := "mock-endpoint" + tenant := "mock-tenant" + clientID := "mock-client-id" + clientSecret := "mock-client-secret" + params.Body = &models.EncryptionConfiguration{ + Replicas: "1", + SecurityContext: suite.createMockModelsSecurityContext(), + Azure: &models.AzureConfiguration{ + Keyvault: &models.AzureConfigurationKeyvault{ + Endpoint: &endpoint, + Credentials: &models.AzureConfigurationKeyvaultCredentials{ + TenantID: &tenant, + ClientID: &clientID, + ClientSecret: &clientSecret, + }, + }, + }, + } + suite.prepareEncryptionUpdateMocksNoError() + err := tenantUpdateEncryption(context.Background(), suite.opClient, suite.k8sclient, params.Namespace, params) + suite.assert.Nil(err) +} + +func (suite *TenantTestSuite) prepareEncryptionUpdateMocksNoError() { + k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) { + return nil, nil + } + opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) { + return 
&miniov2.Tenant{Spec: miniov2.TenantSpec{}}, nil + } + opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) { + return nil, nil + } +} + func (suite *TenantTestSuite) initTenantUpdateEncryptionRequest() (params operator_api.TenantUpdateEncryptionParams, api operations.OperatorAPI) { registerTenantHandlers(&api) params.HTTPRequest = &http.Request{} @@ -1626,3 +1776,14 @@ func (suite *TenantTestSuite) initUpdateTenantDomainsRequest() (params operator_ func TestTenant(t *testing.T) { suite.Run(t, new(TenantTestSuite)) } + +func (suite *TenantTestSuite) createMockModelsSecurityContext() *models.SecurityContext { + runAsUser := "1000" + runAsGroup := "1000" + fsGroup := "1000" + return &models.SecurityContext{ + RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + FsGroup: fsGroup, + } +} diff --git a/operatorapi/tenants_helper.go b/operatorapi/tenants_helper.go index f2e60c148..0eb157025 100644 --- a/operatorapi/tenants_helper.go +++ b/operatorapi/tenants_helper.go @@ -236,10 +236,7 @@ func tenantUpdateEncryption(ctx context.Context, operatorClient OperatorClientI, return err } _, err = operatorClient.TenantUpdate(ctx, tenant, metav1.UpdateOptions{}) - if err != nil { - return err - } - return nil + return err } // getTenantDeleteEncryptionResponse is a wrapper for tenantDeleteEncryption @@ -898,10 +895,7 @@ func createOrReplaceKesConfigurationSecrets(ctx context.Context, clientSet K8sCl }, } _, err = clientSet.createSecret(ctx, ns, &kesConfigurationSecret, metav1.CreateOptions{}) - if err != nil { - return nil, nil, err - } return &corev1.LocalObjectReference{ Name: kesConfigurationSecretName, - }, clientCertSecretReference, nil + }, clientCertSecretReference, err }
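Review bot: The success-path tests added in this hunk (AWS, Gemalto, GCP, Azure) stub `k8sClientCreateSecretMock` to return `nil, nil` without looking at its `secret` argument, so they only show that `tenantUpdateEncryption` returns no error, not that the KMS credentials from the request reach the Secret being created. Because this path handles access keys, tokens and private keys, I would capture the `*v1.Secret` (and the tenant passed to `opClientTenantUpdateMock`) and assert on them, as sketched below for the AWS test. The two error tests assert only `suite.assert.NotNil(err)` and set no secret mocks themselves, so with package-level mocks left over from earlier tests they could pass on an unrelated error; asserting the expected message would pin the branch. `Region: ®ion` in the AWS test reads like a rendering artefact of `&region` on this page.

```go
// in TestTenantUpdateEncryptionAWSWithoutError
var created *v1.Secret
k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
	created = secret // keep the object so the test can inspect what would be stored
	return nil, nil
}
// … unchanged: opClientTenantGetMock, opClientTenantUpdateMock, tenantUpdateEncryption call …
suite.assert.Nil(err)
suite.assert.NotNil(created)
```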
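Review bot: `createMockModelsSecurityContext` is added below `TestTenant` without a doc comment, although it is now the single source of the security context used by the tests in this file. A one-line comment such as `// createMockModelsSecurityContext returns a SecurityContext with user, group and fsGroup all set to "1000".` would make the fixture's values visible where it is defined. All three IDs are the same non-zero value, so no test built on this helper exercises how the update paths treat a root (`"0"`) or unparsable ID; that may be covered elsewhere, which this diff does not show.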
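Review bot: On a `createSecret` failure, `createOrReplaceKesConfigurationSecrets` now returns a populated `&corev1.LocalObjectReference{Name: kesConfigurationSecretName}` and `clientCertSecretReference` together with the error, where it previously returned `nil, nil, err`. A caller that stores the references before checking `err`, or drops the error, would point the tenant at a KES configuration Secret that was never created; the callers are outside this diff, so that needs checking. I would keep the explicit guard before the final return: `if err != nil { return nil, nil, err }`. The `return err` simplification in `tenantUpdateEncryption` in the previous hunk is equivalent to the old code and is fine. The start of this function is outside the hunk.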