diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 505a83f54f..f11b522558 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -838,15 +838,19 @@ static int decrypt_partition(
 
         r = crypt_init(&cd, m->node);
         if (r < 0)
-                return r;
+                return log_debug_errno(r, "Failed to initialize dm-crypt: %m");
 
         r = crypt_load(cd, CRYPT_LUKS1, NULL);
-        if (r < 0)
+        if (r < 0) {
+                log_debug_errno(r, "Failed to load LUKS metadata: %m");
                 goto fail;
+        }
 
         r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
                                          ((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
                                          ((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
+        if (r < 0)
+                log_debug_errno(r, "Failed to activate LUKS device: %m");
         if (r == -EPERM) {
                 r = -EKEYREJECTED;
                 goto fail;
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 5e80054a57..9893ae2b36 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
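Review bot: The new `log_debug_errno()` after `crypt_activate_by_passphrase()` runs before the `-EPERM` to `-EKEYREJECTED` translation that immediately follows it, so a rejected passphrase is logged as "Operation not permitted", which points a reader at permissions rather than at the key. Logging once after the translation keeps the message truthful, e.g. `if (r == -EPERM) r = -EKEYREJECTED; if (r < 0) { log_debug_errno(r, "Failed to activate LUKS device: %m"); goto fail; }`, assuming the generic `if (r < 0) goto fail;` that presumably follows the hunk is folded into it. The body of decrypt_partition(), including the `fail:` label, continues outside the hunk, so I could not confirm what the `fail` path itself reports. None of the three new messages echoes the passphrase or key material, which is the right choice even at debug level.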
@@ -23,18 +23,23 @@ Slice=machine.slice
 Delegate=yes
 TasksMax=16384
 
-## Enforce a strict device policy, similar to the one nspawn configures
-## when it allocates its own scope unit. Make sure to keep these
-## policies in sync if you change them!
+# Enforce a strict device policy, similar to the one nspawn configures when it
+# allocates its own scope unit. Make sure to keep these policies in sync if you
+# change them!
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw
 
-# nspawn itself needs access to /dev/loop-control and /dev/loop, to
-# implement the --image= option. Add these here, too.
+# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
+# the --image= option. Add these here, too.
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw
 
+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 [Install]
 WantedBy=machines.target
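Review bot: `DeviceAllow=block-device-mapper rw` admits every device-mapper block device on the host as I read the `block-` class syntax, not only the mappings nspawn creates for its own image, so LVM volumes or other LUKS containers on the machine become reachable from the service; the new comment should say so, since `DeviceAllow=` offers no finer-grained class for this. Suggest extending it with `# Note: this admits all dm block devices on the host, not just the ones nspawn sets up for its image.`. The reflowed comment above still asks to keep these rules in sync with the scope unit nspawn allocates for itself, and whether the two mapper entries were mirrored there is not visible in this diff.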