diff --git a/core/archipelago/src/credentials/operations.rs b/core/archipelago/src/credentials/operations.rs
index c2fb23db..82569ca0 100644
--- a/core/archipelago/src/credentials/operations.rs
+++ b/core/archipelago/src/credentials/operations.rs
@@ -129,9 +129,21 @@ pub fn is_revoked(vc: &VerifiableCredential) -> bool {
 mod tests {
     use super::*;
 
+    /// Create a tempdir with a dummy `identity/node_key` so that the
+    /// credential store's encrypt/decrypt path can derive a key.
+    /// Returns the tempdir guard (drop it to clean up).
+    fn test_dir_with_node_key() -> tempfile::TempDir {
+        let dir = tempfile::tempdir().unwrap();
+        let identity_dir = dir.path().join("identity");
+        std::fs::create_dir_all(&identity_dir).unwrap();
+        // 32 bytes of deterministic test material; never a real key.
+        std::fs::write(identity_dir.join("node_key"), [0xAB; 32]).unwrap();
+        dir
+    }
+
     #[tokio::test]
     async fn test_issue_credential_w3c_format() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         let vc = issue_credential(
             dir.path(),
             "did:key:issuer",
@@ -163,7 +175,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_issue_credential_serializes_as_jsonld() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         let vc = issue_credential(
             dir.path(),
             "did:key:issuer",
@@ -185,7 +197,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_save_and_load_roundtrip() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         issue_credential(
             dir.path(),
             "did:key:a",
@@ -205,7 +217,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_issue_credential_sign_fn_failure_propagates() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         let result = issue_credential(
             dir.path(),
             "did:key:issuer",
@@ -257,7 +269,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_revoke_credential() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         let vc = issue_credential(
             dir.path(),
             "did:key:issuer",
@@ -288,7 +300,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_revoke_nonexistent_credential_fails() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         let result = revoke_credential(dir.path(), "urn:uuid:does-not-exist").await;
         assert!(result.is_err());
         assert!(result
@@ -299,7 +311,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_list_credentials_no_filter() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         issue_credential(
             dir.path(),
             "did:key:a",
@@ -329,7 +341,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_list_credentials_filter_by_did() {
-        let dir = tempfile::tempdir().unwrap();
+        let dir = test_dir_with_node_key();
         issue_credential(
             dir.path(),
             "did:key:alice",