diff --git a/tests/hkdf_sanity/broken_content/gocryptfs.conf b/tests/hkdf_sanity/broken_content/gocryptfs.conf
new file mode 100644
index 0000000..205f3ad
--- /dev/null
+++ b/tests/hkdf_sanity/broken_content/gocryptfs.conf
@@ -0,0 +1,17 @@
+{
+	"Creator": "gocryptfs v1.2.1-32-g14038a1-dirty",
+	"EncryptedKey": "b3888jnQC5GYem+YGtUkOTS13/YCOfA6J0/bkftfEoNA9fZTN2xMGw4c+LK+emg4L6P2wGvm44RUqCfFfgowxw==",
+	"ScryptObject": {
+		"Salt": "7YnR8bF7TzYNP5mIwmpQ1qj4e/QZkbH92Hx7YQctIZQ=",
+		"N": 1024,
+		"R": 8,
+		"P": 1,
+		"KeyLen": 32
+	},
+	"Version": 2,
+	"FeatureFlags": [
+		"GCMIV128",
+		"HKDF",
+		"PlaintextNames"
+	]
+}
diff --git a/tests/hkdf_sanity/broken_content/status.txt b/tests/hkdf_sanity/broken_content/status.txt
new file mode 100644
index 0000000..30d42f7
Binary files /dev/null and b/tests/hkdf_sanity/broken_content/status.txt differ
diff --git a/tests/hkdf_sanity/broken_names/L3yg-cJYAInDGg4TcjXrnw b/tests/hkdf_sanity/broken_names/L3yg-cJYAInDGg4TcjXrnw
new file mode 100644
index 0000000..7ba2789
Binary files /dev/null and b/tests/hkdf_sanity/broken_names/L3yg-cJYAInDGg4TcjXrnw differ
diff --git a/tests/hkdf_sanity/broken_names/gocryptfs.conf b/tests/hkdf_sanity/broken_names/gocryptfs.conf
new file mode 100644
index 0000000..f0b1509
--- /dev/null
+++ b/tests/hkdf_sanity/broken_names/gocryptfs.conf
@@ -0,0 +1,20 @@
+{
+	"Creator": "gocryptfs v1.2.1-32-g14038a1-dirty",
+	"EncryptedKey": "0ymk/BtKEN1KmRLMquLinLIzXDaf+GLuP2f9R4VbLOglim9nXd5WxkCFl0DQg0J2FtCEke9MQBaCfL5OTJdR4g==",
+	"ScryptObject": {
+		"Salt": "tCrF2o5GoOyQt0LAlCWk47hyJsF5K6ID9uPzjTSBbh8=",
+		"N": 1024,
+		"R": 8,
+		"P": 1,
+		"KeyLen": 32
+	},
+	"Version": 2,
+	"FeatureFlags": [
+		"GCMIV128",
+		"HKDF",
+		"DirIV",
+		"EMENames",
+		"LongNames",
+		"Raw64"
+	]
+}
diff --git a/tests/hkdf_sanity/broken_names/gocryptfs.diriv b/tests/hkdf_sanity/broken_names/gocryptfs.diriv
new file mode 100644
index 0000000..24f3d28
--- /dev/null
+++ b/tests/hkdf_sanity/broken_names/gocryptfs.diriv
@@ -0,0 +1 @@
+ï%C´×xõ(E£!½dÑ†
\ No newline at end of file
diff --git a/tests/hkdf_sanity/sanity_test.go b/tests/hkdf_sanity/sanity_test.go
new file mode 100644
index 0000000..b382861
--- /dev/null
+++ b/tests/hkdf_sanity/sanity_test.go
@@ -0,0 +1,34 @@
+// We test two filesystems that have the "HKDF" feature flag in their config file
+// set, but the actual file contents and names are encrypted with HKDF disabled.
+// This test verifies that the "HKDF" feature flag in the config file takes effect.
+package hkdf_sanity
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/rfjakob/gocryptfs/tests/test_helpers"
+)
+
+func TestBrokenContent(t *testing.T) {
+	cDir := "broken_content"
+	pDir := test_helpers.TmpDir + "/" + cDir
+	test_helpers.MountOrFatal(t, cDir, pDir, "-extpass", "echo test", "-wpanic=false")
+	_, err := ioutil.ReadFile(pDir + "/status.txt")
+	if err == nil {
+		t.Error("this should fail")
+	}
+	test_helpers.UnmountPanic(pDir)
+}
+
+func TestBrokenNames(t *testing.T) {
+	cDir := "broken_names"
+	pDir := test_helpers.TmpDir + "/" + cDir
+	test_helpers.MountOrFatal(t, cDir, pDir, "-extpass", "echo test", "-wpanic=false")
+	_, err := os.Stat(pDir + "/status.txt")
+	if err == nil {
+		t.Error("this should fail")
+	}
+	test_helpers.UnmountPanic(pDir)
+}