diff --git a/lib/config/decrypt.ts b/lib/config/decrypt.ts
index 63622820d1be107324594865dd540abc3147a273..c58f1b18ebe1227410e346c712ef370b31dac3cd 100644
--- a/lib/config/decrypt.ts
+++ b/lib/config/decrypt.ts
@@ -122,6 +122,7 @@ function validateDecryptedValue(
 export async function decryptConfig(
   config: RenovateConfig,
   repository: string,
+  existingPath = '$',
 ): Promise<RenovateConfig> {
   logger.trace({ config }, 'decryptConfig()');
   const decryptedConfig = { ...config };
@@ -129,7 +130,8 @@ export async function decryptConfig(
   const privateKeyOld = GlobalConfig.get('privateKeyOld');
   for (const [key, val] of Object.entries(config)) {
     if (key === 'encrypted' && is.object(val)) {
-      logger.debug({ config: val }, 'Found encrypted config');
+      const path = `${existingPath}.${key}`;
+      logger.debug({ config: val }, `Found encrypted config in ${path}`);
 
       const encryptedWarning = GlobalConfig.get('encryptedWarning');
       if (is.string(encryptedWarning)) {
@@ -138,7 +140,7 @@ export async function decryptConfig(
 
       if (privateKey) {
         for (const [eKey, eVal] of Object.entries(val)) {
-          logger.debug('Trying to decrypt ' + eKey);
+          logger.debug(`Trying to decrypt ${eKey} in ${path}`);
           let decryptedStr = await tryDecrypt(
             privateKey,
             eVal,
@@ -159,7 +161,7 @@ export async function decryptConfig(
             error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
             throw error;
           }
-          logger.debug(`Decrypted ${eKey}`);
+          logger.debug(`Decrypted ${eKey} in ${path}`);
           if (eKey === 'npmToken') {
             const token = decryptedStr.replace(regEx(/\n$/), '');
             decryptedConfig[eKey] = token;
@@ -189,19 +191,22 @@ Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migr
       delete decryptedConfig.encrypted;
     } else if (is.array(val)) {
       decryptedConfig[key] = [];
-      for (const item of val) {
+      for (const [index, item] of val.entries()) {
         if (is.object(item) && !is.array(item)) {
+          const path = `${existingPath}.${key}[${index}]`;
           (decryptedConfig[key] as RenovateConfig[]).push(
-            await decryptConfig(item as RenovateConfig, repository),
+            await decryptConfig(item as RenovateConfig, repository, path),
           );
         } else {
           (decryptedConfig[key] as unknown[]).push(item);
         }
       }
     } else if (is.object(val) && key !== 'content') {
+      const path = `${existingPath}.${key}`;
       decryptedConfig[key] = await decryptConfig(
         val as RenovateConfig,
         repository,
+        path,
       );
     }
   }