diff --git a/Podfile b/Podfile
index 228be5bb6..d969776a1 100644
--- a/Podfile
+++ b/Podfile
@@ -5,7 +5,7 @@ use_frameworks!
 
 def shared_pods
   # OWS Pods
-  pod 'SignalCoreKit', git: 'https://github.com/signalapp/SignalCoreKit.git', testspecs: ["Tests"]
+  pod 'SignalCoreKit', git: 'git@github.com:signalapp/SignalCoreKit-Private.git', branch: 'mkirk/wrap-exceptions', testspecs: ["Tests"]
   # pod 'SignalCoreKit', path: '../SignalCoreKit', testspecs: ["Tests"]
   # pod 'SQLCipher', path: '../sqlcipher2'
   pod 'SQLCipher', :git => 'https://github.com/sqlcipher/sqlcipher.git', :commit => 'd5c2bec'
@@ -19,7 +19,7 @@ def shared_pods
   pod 'Curve25519Kit', git: 'https://github.com/signalapp/Curve25519Kit', testspecs: ["Tests"]
   # pod 'Curve25519Kit', path: '../Curve25519Kit', testspecs: ["Tests"]
   # TODO: Use public repo.
-  pod 'SignalMetadataKit', git: 'https://github.com/signalapp/SignalMetadataKit', testspecs: ["Tests"]
+  pod 'SignalMetadataKit', git: 'git@github.com:signalapp/SignalMetadataKit', branch: 'mkirk/wrap-exceptions', testspecs: ["Tests"]
   # pod 'SignalMetadataKit', path: '../SignalMetadataKit', testspecs: ["Tests"]
   pod 'SignalServiceKit', path: '.', testspecs: ["Tests"]
   pod 'GRKOpenSSLFramework', git: 'https://github.com/signalapp/GRKOpenSSLFramework'
diff --git a/Podfile.lock b/Podfile.lock
index f9479ae58..b74e75f15 100644
--- a/Podfile.lock
+++ b/Podfile.lock
@@ -192,10 +192,10 @@ DEPENDENCIES:
   - Mantle
   - PureLayout
   - Reachability
-  - SignalCoreKit (from `https://github.com/signalapp/SignalCoreKit.git`)
-  - SignalCoreKit/Tests (from `https://github.com/signalapp/SignalCoreKit.git`)
-  - SignalMetadataKit (from `https://github.com/signalapp/SignalMetadataKit`)
-  - SignalMetadataKit/Tests (from `https://github.com/signalapp/SignalMetadataKit`)
+  - "SignalCoreKit (from `git@github.com:signalapp/SignalCoreKit-Private.git`, branch `mkirk/wrap-exceptions`)"
+  - "SignalCoreKit/Tests (from `git@github.com:signalapp/SignalCoreKit-Private.git`, branch `mkirk/wrap-exceptions`)"
+  - "SignalMetadataKit (from `git@github.com:signalapp/SignalMetadataKit`, branch `mkirk/wrap-exceptions`)"
+  - "SignalMetadataKit/Tests (from `git@github.com:signalapp/SignalMetadataKit`, branch `mkirk/wrap-exceptions`)"
   - SignalServiceKit (from `.`)
   - SignalServiceKit/Tests (from `.`)
   - SocketRocket (from `https://github.com/signalapp/SocketRocket.git`, branch `mkirk/handle-sec-err`)
@@ -229,9 +229,11 @@ EXTERNAL SOURCES:
   HKDFKit:
     :git: https://github.com/signalapp/HKDFKit.git
   SignalCoreKit:
-    :git: https://github.com/signalapp/SignalCoreKit.git
+    :branch: mkirk/wrap-exceptions
+    :git: "git@github.com:signalapp/SignalCoreKit-Private.git"
   SignalMetadataKit:
-    :git: https://github.com/signalapp/SignalMetadataKit
+    :branch: mkirk/wrap-exceptions
+    :git: "git@github.com:signalapp/SignalMetadataKit"
   SignalServiceKit:
     :path: "."
   SocketRocket:
@@ -258,11 +260,11 @@ CHECKOUT OPTIONS:
     :commit: 8b8326cd50bc488663a3d3743f1a92b90f4d85b4
     :git: https://github.com/signalapp/HKDFKit.git
   SignalCoreKit:
-    :commit: ff0b95770520133b83a4bd7b26bc2c90b51abc4d
-    :git: https://github.com/signalapp/SignalCoreKit.git
+    :commit: df8d9528eb5e7e161ea04393a0d7972cd8539c14
+    :git: "git@github.com:signalapp/SignalCoreKit-Private.git"
   SignalMetadataKit:
-    :commit: 90f3dee7122ff13061770c496001135ba90b71e3
-    :git: https://github.com/signalapp/SignalMetadataKit
+    :commit: 07326a8ebb8e207bbe0e08fc6cd1d4979acc83d6
+    :git: "git@github.com:signalapp/SignalMetadataKit"
   SocketRocket:
     :commit: 9f9563a83cd8960503074aa8de72206f83fb7a69
     :git: https://github.com/signalapp/SocketRocket.git
@@ -296,6 +298,6 @@ SPEC CHECKSUMS:
   YapDatabase: b418a4baa6906e8028748938f9159807fd039af4
   YYImage: 1e1b62a9997399593e4b9c4ecfbbabbf1d3f3b54
 
-PODFILE CHECKSUM: 820287bc7925d7c20e02a02923976c60b1f5386b
+PODFILE CHECKSUM: 794d0aeb047ca81b7c697f99e43b6f80ea4ce585
 
 COCOAPODS: 1.5.3
diff --git a/Pods b/Pods
index 3b101143e..c4a845a4d 160000
--- a/Pods
+++ b/Pods
@@ -1 +1 @@
-Subproject commit 3b101143e57b34fbef613c365c9ee2e29bd25d16
+Subproject commit c4a845a4d93934555baf8335c65b2510a926322b
diff --git a/SignalServiceKit/src/Messages/OWSMessageDecrypter.m b/SignalServiceKit/src/Messages/OWSMessageDecrypter.m
index 7a956ceaa..972002d41 100644
--- a/SignalServiceKit/src/Messages/OWSMessageDecrypter.m
+++ b/SignalServiceKit/src/Messages/OWSMessageDecrypter.m
@@ -26,6 +26,7 @@
 #import <AxolotlKit/SessionCipher.h>
 #import <SignalCoreKit/NSData+OWS.h>
 #import <SignalCoreKit/Randomness.h>
+#import <SignalCoreKit/SCKExceptionWrapper.h>
 #import <SignalMetadataKit/SignalMetadataKit-Swift.h>
 #import <SignalServiceKit/SignalServiceKit-Swift.h>
 
@@ -378,7 +379,7 @@ NSError *EnsureDecryptError(NSError *_Nullable error, NSString *fallbackErrorDes
 
                 // plaintextData may be nil for some envelope types.
                 NSData *_Nullable plaintextData =
-                    [[cipher decrypt:cipherMessage protocolContext:transaction] removePadding];
+                    [[cipher try_decrypt:cipherMessage protocolContext:transaction] removePadding];
                 OWSMessageDecryptResult *result = [OWSMessageDecryptResult resultWithEnvelopeData:envelopeData
                                                                                     plaintextData:plaintextData
                                                                                            source:envelope.source
@@ -448,13 +449,15 @@ NSError *EnsureDecryptError(NSError *_Nullable error, NSString *fallbackErrorDes
             }
 
             SMKDecryptResult *_Nullable decryptResult =
-                [cipher decryptMessageWithCertificateValidator:certificateValidator
-                                                cipherTextData:encryptedData
-                                                     timestamp:serverTimestamp
-                                              localRecipientId:localRecipientId
-                                                 localDeviceId:localDeviceId
-                                               protocolContext:transaction
-                                                         error:&error];
+                [cipher trywrapped_decryptMessageWithCertificateValidator:certificateValidator
+                                                           cipherTextData:encryptedData
+                                                                timestamp:serverTimestamp
+                                                         localRecipientId:localRecipientId
+                                                            localDeviceId:localDeviceId
+                                                          protocolContext:transaction
+                                                                    error:&error];
+            SCKRaiseIfExceptionWrapperError(error);
+
             if (error || !decryptResult) {
                 if ([error.domain isEqualToString:@"SignalMetadataKit.SMKSecretSessionCipherError"]
                     && error.code == SMKSecretSessionCipherErrorSelfSentMessage) {
diff --git a/SignalServiceKit/src/Messages/OWSMessageSender.m b/SignalServiceKit/src/Messages/OWSMessageSender.m
index 9f8769425..ee3a9c929 100644
--- a/SignalServiceKit/src/Messages/OWSMessageSender.m
+++ b/SignalServiceKit/src/Messages/OWSMessageSender.m
@@ -50,6 +50,7 @@
 #import <PromiseKit/AnyPromise.h>
 #import <SignalCoreKit/NSData+OWS.h>
 #import <SignalCoreKit/NSDate+OWS.h>
+#import <SignalCoreKit/SCKExceptionWrapper.h>
 #import <SignalCoreKit/Threading.h>
 #import <SignalMetadataKit/SignalMetadataKit-Swift.h>
 #import <SignalServiceKit/SignalServiceKit-Swift.h>
@@ -1450,10 +1451,10 @@ NSString *const OWSMessageSenderRateLimitedException = @"RateLimitedException";
             [self.dbConnection
                 readWriteWithBlock:^(YapDatabaseReadWriteTransaction *transaction) {
                     @try {
-                        messageDict = [self encryptedMessageForMessageSend:messageSend
-                                                                  deviceId:deviceId
-                                                                 plainText:plainText
-                                                               transaction:transaction];
+                        messageDict = [self try_encryptedMessageForMessageSend:messageSend
+                                                                      deviceId:deviceId
+                                                                     plainText:plainText
+                                                                   transaction:transaction];
                     } @catch (NSException *exception) {
                         encryptionException = exception;
                     }
@@ -1612,10 +1613,10 @@ NSString *const OWSMessageSenderRateLimitedException = @"RateLimitedException";
 }
 
 // NOTE: This method uses exceptions for control flow.
-- (NSDictionary *)encryptedMessageForMessageSend:(OWSMessageSend *)messageSend
-                                        deviceId:(NSNumber *)deviceId
-                                       plainText:(NSData *)plainText
-                                     transaction:(YapDatabaseReadWriteTransaction *)transaction
+- (NSDictionary *)try_encryptedMessageForMessageSend:(OWSMessageSend *)messageSend
+                                            deviceId:(NSNumber *)deviceId
+                                           plainText:(NSData *)plainText
+                                         transaction:(YapDatabaseReadWriteTransaction *)transaction
 {
     OWSAssertDebug(messageSend);
     OWSAssertDebug(deviceId);
@@ -1658,17 +1659,18 @@ NSString *const OWSMessageSenderRateLimitedException = @"RateLimitedException";
             OWSRaiseException(@"SecretSessionCipherFailure", @"Can't create secret session cipher.");
         }
 
-        serializedMessage = [secretCipher encryptMessageWithRecipientId:recipientId
-                                                               deviceId:deviceId.intValue
-                                                        paddedPlaintext:[plainText paddedMessageBody]
-                                                      senderCertificate:messageSend.senderCertificate
-                                                        protocolContext:transaction
-                                                                  error:&error];
+        serializedMessage = [secretCipher trywrapped_encryptMessageWithRecipientId:recipientId
+                                                                          deviceId:deviceId.intValue
+                                                                   paddedPlaintext:[plainText paddedMessageBody]
+                                                                 senderCertificate:messageSend.senderCertificate
+                                                                   protocolContext:transaction
+                                                                             error:&error];
+        SCKRaiseIfExceptionWrapperError(error);
         messageType = TSUnidentifiedSenderMessageType;
     } else {
         // This may throw an exception.
         id<CipherMessage> encryptedMessage =
-            [cipher encryptMessage:[plainText paddedMessageBody] protocolContext:transaction];
+            [cipher try_encryptMessage:[plainText paddedMessageBody] protocolContext:transaction];
         serializedMessage = encryptedMessage.serialized;
         messageType = [self messageTypeForCipherMessage:encryptedMessage];
     }
@@ -1680,7 +1682,7 @@ NSString *const OWSMessageSenderRateLimitedException = @"RateLimitedException";
                                                device:[deviceId intValue]
                                               content:serializedMessage
                                              isSilent:isSilent
-                                       registrationId:[cipher remoteRegistrationId:transaction]];
+                                       registrationId:[cipher try_remoteRegistrationId:transaction]];
 
     NSError *error;
     NSDictionary *jsonDict = [MTLJSONAdapter JSONDictionaryFromModel:messageParams error:&error];