diff --git a/server/filestore.go b/server/filestore.go
index c50c2bfb..aa85991c 100644
--- a/server/filestore.go
+++ b/server/filestore.go
@@ -394,13 +394,19 @@ func (fs *fileStore) genEncryptionKeys(context string) (aek cipher.AEAD, bek *ch
 		return nil, nil, nil, nil, errNoEncryption
 	}
 	// Generate key encryption key.
-	kek, err := chacha20poly1305.NewX(fs.prf([]byte(context)))
+	rb, err := fs.prf([]byte(context))
+	if err != nil {
+		return nil, nil, nil, nil, err
+	}
+	kek, err := chacha20poly1305.NewX(rb)
 	if err != nil {
 		return nil, nil, nil, nil, err
 	}
 	// Generate random asset encryption key seed.
 	seed = make([]byte, 32)
-	rand.Read(seed)
+	if n, err := rand.Read(seed); err != nil || n != 32 {
+		return nil, nil, nil, nil, err
+	}
 	aek, err = chacha20poly1305.NewX(seed)
 	if err != nil {
 		return nil, nil, nil, nil, err
@@ -499,7 +505,11 @@ func (fs *fileStore) recoverMsgBlock(fi os.FileInfo, index uint64) (*msgBlock, e
 				return nil, errBadKeySize
 			}
 			// Recover key encryption key.
-			kek, err := chacha20poly1305.NewX(fs.prf([]byte(fmt.Sprintf("%s:%d", fs.cfg.Name, mb.index))))
+			rb, err := fs.prf([]byte(fmt.Sprintf("%s:%d", fs.cfg.Name, mb.index)))
+			if err != nil {
+				return nil, err
+			}
+			kek, err := chacha20poly1305.NewX(rb)
 			if err != nil {
 				return nil, err
 			}
@@ -4470,7 +4480,11 @@ func (fs *fileStore) ConsumerStore(name string, cfg *ConsumerConfig) (ConsumerSt
 	if o.prf != nil {
 		if ekey, err := ioutil.ReadFile(path.Join(odir, JetStreamMetaFileKey)); err == nil {
 			// Recover key encryption key.
-			kek, err := chacha20poly1305.NewX(fs.prf([]byte(fs.cfg.Name + tsep + o.name)))
+			rb, err := fs.prf([]byte(fs.cfg.Name + tsep + o.name))
+			if err != nil {
+				return nil, err
+			}
+			kek, err := chacha20poly1305.NewX(rb)
 			if err != nil {
 				return nil, err
 			}
diff --git a/server/jetstream.go b/server/jetstream.go
index a06427d9..6e47fe6e 100644
--- a/server/jetstream.go
+++ b/server/jetstream.go
@@ -183,17 +183,21 @@ func (s *Server) EnableJetStream(config *JetStreamConfig) error {
 }
 
 // Function signature to generate a key encryption key.
-type keyGen func(context []byte) []byte
+type keyGen func(context []byte) ([]byte, error)
 
 // Return a key generation function or nil if encryption not enabled.
 // keyGen defined in filestore.go - keyGen func(iv, context []byte) []byte
 func (s *Server) jsKeyGen(info string) keyGen {
 	if ek := s.getOpts().JetStreamKey; ek != _EMPTY_ {
-		return func(context []byte) []byte {
+		return func(context []byte) ([]byte, error) {
 			h := hmac.New(sha256.New, []byte(ek))
-			h.Write([]byte(info))
-			h.Write(context)
-			return h.Sum(nil)
+			if _, err := h.Write([]byte(info)); err != nil {
+				return nil, err
+			}
+			if _, err := h.Write(context); err != nil {
+				return nil, err
+			}
+			return h.Sum(nil), nil
 		}
 	}
 	return nil
@@ -208,7 +212,11 @@ func (s *Server) decryptMeta(ekey, buf []byte, acc, context string) ([]byte, err
 	if prf == nil {
 		return nil, errNoEncryption
 	}
-	kek, err := chacha20poly1305.NewX(prf([]byte(context)))
+	rb, err := prf([]byte(context))
+	if err != nil {
+		return nil, err
+	}
+	kek, err := chacha20poly1305.NewX(rb)
 	if err != nil {
 		return nil, err
 	}