diff --git a/.junie/memory/language.json b/.junie/memory/language.json
index b450953..872be24 100644
--- a/.junie/memory/language.json
+++ b/.junie/memory/language.json
@@ -1 +1 @@
-[{"lang":"en","usageCount":4}]
\ No newline at end of file
+[{"lang":"en","usageCount":5}]
\ No newline at end of file
diff --git a/cmd/metacrypt/unseal.go b/cmd/metacrypt/unseal.go
index d91ff1c..f115e23 100644
--- a/cmd/metacrypt/unseal.go
+++ b/cmd/metacrypt/unseal.go
@@ -11,9 +11,9 @@ import (
 	"os"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/term"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
-	"golang.org/x/term"
 
 	metacryptv1 "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
 )
@@ -44,7 +44,7 @@ func runUnseal(cmd *cobra.Command, args []string) error {
 	}
 
 	fmt.Print("Unseal password: ")
-	passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd()))
+	passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec
 	fmt.Println()
 	if err != nil {
 		return fmt.Errorf("read password: %w", err)
@@ -59,7 +59,7 @@ func runUnseal(cmd *cobra.Command, args []string) error {
 func buildTLSConfig(caCertPath string) (*tls.Config, error) {
 	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
 	if caCertPath != "" {
-		pem, err := os.ReadFile(caCertPath)
+		pem, err := os.ReadFile(caCertPath) //nolint:gosec
 		if err != nil {
 			return nil, fmt.Errorf("read CA cert: %w", err)
 		}
diff --git a/internal/server/grpc.go b/internal/server/grpc.go
index 27ebcfd..abf7999 100644
--- a/internal/server/grpc.go
+++ b/internal/server/grpc.go
@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 
@@ -33,7 +34,7 @@ func (g *systemServiceServer) Init(ctx context.Context, req *metacryptv1.InitReq
 		Threads: g.s.cfg.Seal.Argon2Threads,
 	}
 	if err := g.s.seal.Initialize(ctx, []byte(req.Password), params); err != nil {
-		if err == seal.ErrAlreadyInitialized {
+		if errors.Is(err, seal.ErrAlreadyInitialized) {
 			return nil, grpcstatus.Error(codes.AlreadyExists, "already initialized")
 		}
 		g.s.logger.Error("grpc init failed", "error", err)
@@ -44,14 +45,14 @@ func (g *systemServiceServer) Init(ctx context.Context, req *metacryptv1.InitReq
 
 func (g *systemServiceServer) Unseal(ctx context.Context, req *metacryptv1.UnsealRequest) (*metacryptv1.UnsealResponse, error) {
 	if err := g.s.seal.Unseal([]byte(req.Password)); err != nil {
-		switch err {
-		case seal.ErrNotInitialized:
+		switch {
+		case errors.Is(err, seal.ErrNotInitialized):
 			return nil, grpcstatus.Error(codes.FailedPrecondition, "not initialized")
-		case seal.ErrInvalidPassword:
+		case errors.Is(err, seal.ErrInvalidPassword):
 			return nil, grpcstatus.Error(codes.Unauthenticated, "invalid password")
-		case seal.ErrRateLimited:
+		case errors.Is(err, seal.ErrRateLimited):
 			return nil, grpcstatus.Error(codes.ResourceExhausted, "too many attempts, try again later")
-		case seal.ErrNotSealed:
+		case errors.Is(err, seal.ErrNotSealed):
 			return nil, grpcstatus.Error(codes.AlreadyExists, "already unsealed")
 		default:
 			g.s.logger.Error("grpc unseal failed", "error", err)