diff --git a/scripts/encrypt-decrypt.sh b/scripts/encrypt-decrypt.sh
index 7301629..bfad6e6 100755
--- a/scripts/encrypt-decrypt.sh
+++ b/scripts/encrypt-decrypt.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -euxo pipefail
+set -Eeuxo pipefail
 
 /etc/init.d/pcscd start
 
@@ -13,7 +13,18 @@ echo 12345678 > admin-pin
 echo 123456 > user-pin
 oct admin --card 0000:00000000 --admin-pin admin-pin generate --user-pin user-pin --output /tmp/no-need-for-this --userid 'No need for that' curve25519
 
-age-plugin-openpgp-card | tee identity.txt
-grep -oh "age1.*" identity.txt > recipients.txt
-echo I like strawberries | rage -R recipients.txt -a | tee encrypted.age
-rage -d -i identity.txt < encrypted.age
+function roundtrip {
+  age-plugin-openpgp-card | tee identity.txt
+  grep -oh "age1.*" identity.txt > recipients.txt
+  echo I like strawberries > message.txt
+  < message.txt rage -R recipients.txt -a | tee encrypted.age
+  rage -d -i identity.txt < encrypted.age > decrypted.txt
+  cmp --silent message.txt decrypted.txt
+}
+
+# test encryption/decryption without KDF
+roundtrip
+
+# test encryption/decryption with KDF
+oct system kdf-setup --card 0000:00000000
+roundtrip