diff --git a/age/src/cli_common.rs b/age/src/cli_common.rs
index 57236131..0affba84 100644
--- a/age/src/cli_common.rs
+++ b/age/src/cli_common.rs
@@ -98,17 +98,15 @@ pub fn read_identities(
 #[cfg(feature = "armor")]
 // Try parsing as an encrypted age identity.
 if let Ok(identity) = crate::encrypted::Identity::from_buffer(
- ArmoredReader::new(BufReader::new(File::open(&filename)?)),
+ ArmoredReader::new(File::open(&filename)?),
 Some(filename.clone()),
 UiCallbacks,
 max_work_factor,
 ) {
- if let Some(identity) = identity {
- identities.push(Box::new(identity));
- continue;
- } else {
- return Err(ReadError::IdentityEncryptedWithoutPassphrase(filename));
- }
+ identities.push(Box::new(
+ identity.ok_or(ReadError::IdentityEncryptedWithoutPassphrase(filename))?,
+ ));
+ continue;
 }
 // Try parsing as a single multi-line SSH identity.
diff --git a/age/src/encrypted.rs b/age/src/encrypted.rs
index f8838d95..ec405b00 100644
--- a/age/src/encrypted.rs
+++ b/age/src/encrypted.rs
@@ -206,7 +206,6 @@ impl crate::Identity for Identity {
 #[cfg(test)]
 mod tests {
- use std::io::BufReader;
 use std::sync::{Arc, Mutex};
 use age_core::secrecy::{ExposeSecret, SecretString};
@@ -272,7 +271,7 @@ fOrxrKTj7xCdNS3+OrCdnBC8Z9cKDxjCGWW3fkjLsYha0Jo=
 // Unwrapping with the wrong passphrase fails.
 {
- let buf = ArmoredReader::new(BufReader::new(TEST_ENCRYPTED_IDENTITY.as_bytes()));
+ let buf = ArmoredReader::new(TEST_ENCRYPTED_IDENTITY.as_bytes());
 let identity = Identity::from_buffer(buf, None, MockCallbacks::new("wrong passphrase"), None)
 .unwrap()
@@ -285,7 +284,7 @@ fOrxrKTj7xCdNS3+OrCdnBC8Z9cKDxjCGWW3fkjLsYha0Jo=
 }
 }
- let buf = ArmoredReader::new(BufReader::new(TEST_ENCRYPTED_IDENTITY.as_bytes()));
+ let buf = ArmoredReader::new(TEST_ENCRYPTED_IDENTITY.as_bytes());
 let identity = Identity::from_buffer(
 buf,
 None,
diff --git a/rage/src/bin/rage/main.rs b/rage/src/bin/rage/main.rs
index fecf4d76..e510b31b 100644
--- a/rage/src/bin/rage/main.rs
+++ b/rage/src/bin/rage/main.rs
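Review bot: In `read_identities` (age/src/cli_common.rs) the `if let Ok(identity) = …from_buffer(…)` guard still discards every `Err`, so a file that is an encrypted identity but fails for some other reason falls through to the SSH identity parser that follows and is presumably reported with an unrelated error; the rewritten body only changes the `Ok(None)` path. What `from_buffer` can return as `Err` is not visible in this hunk, so at minimum I would record the intent with a comment above the guard such as `// Any Err means "not an encrypted age identity"; fall through to the other formats.` The same guard appears in `read_recipients` in rage/src/bin/rage/main.rs. Both function bodies start and end outside their hunks.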
@@ -39,6 +39,11 @@ macro_rules! warning {
 }};
 }
+/// Handles error mapping for the given SSH recipient parser.
+///
+/// Returns `Ok(None)` if the parser finds a parseable value that should be ignored. This
+/// case is for handling SSH recipient types that may occur in files we want to be able to
+/// parse, but that we do not directly support.
 #[cfg(feature = "ssh")]
 fn parse_ssh_recipient(
 parser: F,
@@ -152,19 +157,16 @@ fn read_recipients(
 for filename in identity_strings {
 // Try parsing as an encrypted age identity.
 if let Ok(identity) = age::encrypted::Identity::from_buffer(
- ArmoredReader::new(BufReader::new(File::open(&filename)?)),
+ ArmoredReader::new(File::open(&filename)?),
 Some(filename.clone()),
 UiCallbacks,
 max_work_factor,
 ) {
- if let Some(identity) = identity {
- recipients.extend(identity.recipients()?);
- continue;
- } else {
- return Err(error::EncryptError::IdentityEncryptedWithoutPassphrase(
- filename,
- ));
- }
+ let identity = identity.ok_or(
+ error::EncryptError::IdentityEncryptedWithoutPassphrase(filename),
+ )?;
+ recipients.extend(identity.recipients()?);
+ continue;
 }
 // Try parsing as a single multi-line SSH identity.
@@ -177,14 +179,14 @@ fn read_recipients(
 return Err(error::EncryptError::UnsupportedKey(filename, k))
 }
 Ok(identity) => {
- if let Some(recipient) = parse_ssh_recipient(
+ let recipient = parse_ssh_recipient(
 || age::ssh::Recipient::try_from(identity),
 || Err(error::EncryptError::InvalidRecipient(filename.clone())),
 &filename,
- )? {
- recipients.push(recipient);
- continue;
- }
+ )?
+ .expect("unsupported identities were already handled");
+ recipients.push(recipient);
+ continue;
 }
 Err(_) => (),
 }
diff --git a/rage/tests/cmd/rage/decrypt-missing-identities-file.toml b/rage/tests/cmd/rage/decrypt-missing-identities-file.toml
new file mode 100644
index 00000000..69bee689
--- /dev/null
+++ b/rage/tests/cmd/rage/decrypt-missing-identities-file.toml
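Review bot: The new `.expect("unsupported identities were already handled")` in the `Ok(identity)` arm of `read_recipients` turns an `Ok(None)` from `parse_ssh_recipient` into a panic while processing a user-supplied identity file, where the old code fell through to the next parser. The invariant depends on `parse_ssh_recipient` returning `Ok(None)` only for key types already caught by the preceding `UnsupportedKey` arm, and that mapping is outside this hunk. Unless that is guaranteed, returning an error keeps the CLI's failure mode uniform: `.ok_or_else(|| error::EncryptError::InvalidRecipient(filename.clone()))?;` in place of the `.expect(...)` line. The match and the function body continue outside the hunk.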
@@ -0,0 +1,11 @@
+bin.name = "rage"
+args = "--decrypt -i key.txt"
+status = "failed"
+stdin = ""
+stdout = ""
+stderr = """
+Error: failed to fill whole buffer
+
+[ Did rage not do what you expected? Could an error be more useful? ]
+[ Tell us: https://str4d.xyz/rage/report ]
+"""
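Review bot: The expected `stderr` pins the bare I/O message `failed to fill whole buffer`, which mentions neither `key.txt` nor the empty input, so a case named for a missing identities file does not show that the missing file is reported. With `stdin = ""` the failure presumably comes from reading the empty ciphertext before the identity file is opened. If that is the intent, a comment at the top of the file such as `# Pins current behaviour: empty stdin fails before key.txt is opened.` would say so; otherwise supplying a valid age header on stdin would make the snapshot cover the identity-file path.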