diff --git a/endpoint/crypto_test.go b/endpoint/crypto_test.go
index 880afcce3..002e2579e 100644
--- a/endpoint/crypto_test.go
+++ b/endpoint/crypto_test.go
@@ -17,8 +17,12 @@ limitations under the License.
 package endpoint
 
 import (
+	"encoding/base64"
+	"io"
 	"testing"
 
+	"crypto/rand"
+
 	"github.com/stretchr/testify/require"
 )
 
@@ -56,3 +60,33 @@ func TestEncrypt(t *testing.T) {
 		t.Error("Decryption of text didn't result in expected plaintext result.")
 	}
 }
+
+func TestGenerateNonceSuccess(t *testing.T) {
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+	require.NotEmpty(t, nonce)
+
+	// Test nonce length
+	decodedNonce, err := base64.StdEncoding.DecodeString(string(nonce))
+	require.NoError(t, err)
+	require.Equal(t, standardGcmNonceSize, len(decodedNonce))
+}
+
+func TestGenerateNonceError(t *testing.T) {
+	// Save the original rand.Reader
+	originalRandReader := rand.Reader
+	defer func() { rand.Reader = originalRandReader }()
+
+	// Replace rand.Reader with a faulty reader
+	rand.Reader = &faultyReader{}
+
+	nonce, err := GenerateNonce()
+	require.Error(t, err)
+	require.Nil(t, nonce)
+}
+
+type faultyReader struct{}
+
+func (f *faultyReader) Read(p []byte) (n int, err error) {
+	return 0, io.ErrUnexpectedEOF
+}