diff --git a/nixos/tests/syncthing/folders.nix b/nixos/tests/syncthing/folders.nix index d31d1e6a95c40b8..ce6dd8fb07b661a 100644 --- a/nixos/tests/syncthing/folders.nix +++ b/nixos/tests/syncthing/folders.nix @@ -7,6 +7,8 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: ''; idA = genNodeId "a"; idB = genNodeId "b"; + idC = genNodeId "c"; + testPasswordFile = pkgs.writeText "syncthing-test-password" "it's a secret"; in { name = "syncthing"; @@ -20,13 +22,16 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: cert = "${idA}/cert.pem"; key = "${idA}/key.pem"; settings = { - devices.b = { - id = lib.fileContents "${idB}/id"; - }; + devices.b.id = lib.fileContents "${idB}/id"; + devices.c.id = lib.fileContents "${idC}/id"; folders.foo = { path = "/var/lib/syncthing/foo"; devices = [ "b" ]; }; + folders.bar = { + path = "/var/lib/syncthing/bar"; + devices.c.encryptionPassword = "${testPasswordFile}"; + }; }; }; }; @@ -37,13 +42,33 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: cert = "${idB}/cert.pem"; key = "${idB}/key.pem"; settings = { - devices.a = { - id = lib.fileContents "${idA}/id"; - }; + devices.a.id = lib.fileContents "${idA}/id"; + devices.c.id = lib.fileContents "${idC}/id"; folders.foo = { path = "/var/lib/syncthing/foo"; devices = [ "a" ]; }; + folders.bar = { + path = "/var/lib/syncthing/bar"; + devices.c.encryptionPassword = "${testPasswordFile}"; + }; + }; + }; + }; + c = { + services.syncthing = { + enable = true; + openDefaultPorts = true; + cert = "${idC}/cert.pem"; + key = "${idC}/key.pem"; + settings = { + devices.a.id = lib.fileContents "${idA}/id"; + devices.b.id = lib.fileContents "${idB}/id"; + folders.bar = { + path = "/var/lib/syncthing/bar"; + devices = [ "a" "b" ]; + type = "receiveencrypted"; + }; }; }; }; 
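Review bot: `testPasswordFile` in the `let` block is built with `pkgs.writeText`, so the password `it's a secret` ends up in the world-readable Nix store. That is harmless in a throwaway test VM, but tests like this one tend to be copied as usage examples for the option. I would add a comment above the binding, `# Test-only: writeText places the secret in the world-readable /nix/store; do not copy this pattern into a real configuration.` The `let` block starts outside the hunk.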
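Review bot: `devices.c.encryptionPassword = "${testPasswordFile}";` in `folders.bar` on node a passes a store path to an option whose name reads as the literal password, and node b in the next hunk uses the identical string. Because both sides share the same value, the test would presumably pass just as well if the module used the path string itself as the password instead of the file's contents. The module is not visible here, so this is an inference. Giving b its own file with the same contents, e.g. `testPasswordFileB = pkgs.writeText "syncthing-test-password-b" "it's a secret";`, would make decryption on b succeed only when the contents are actually read.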
@@ -51,15 +76,38 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: testScript = '' start_all() + a.wait_for_unit("syncthing.service") b.wait_for_unit("syncthing.service") + c.wait_for_unit("syncthing.service") a.wait_for_open_port(22000) b.wait_for_open_port(22000) + c.wait_for_open_port(22000) + + # Test foo + a.wait_for_file("/var/lib/syncthing/foo") b.wait_for_file("/var/lib/syncthing/foo") + a.succeed("echo a2b > /var/lib/syncthing/foo/a2b") b.succeed("echo b2a > /var/lib/syncthing/foo/b2a") + a.wait_for_file("/var/lib/syncthing/foo/b2a") b.wait_for_file("/var/lib/syncthing/foo/a2b") + + # Test bar + + a.wait_for_file("/var/lib/syncthing/bar") + b.wait_for_file("/var/lib/syncthing/bar") + c.wait_for_file("/var/lib/syncthing/bar") + + a.succeed("echo plaincontent > /var/lib/syncthing/bar/plainname") + + # B should be able to decrypt, check that content of file matches + b.wait_for_file("/var/lib/syncthing/bar/plainname") + b.succeed("grep plaincontent /var/lib/syncthing/bar/plainname") + + # Bar on C is untrusted, check that content is not in cleartext + c.fail("grep -R plaincontent /var/lib/syncthing/bar") ''; })
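Review bot: The closing `c.fail("grep -R plaincontent /var/lib/syncthing/bar")` inspects file contents only, and it also passes if C's folder holds no synced data at all. The file is named `plainname`, yet nothing asserts that this name is absent on C; `c.fail("find /var/lib/syncthing/bar -name plainname | grep -q .")` would cover that. From the visible config, B can only receive `bar` through C, so C has probably stored the ciphertext by the time `b.wait_for_file` returns. An explicit wait for at least one synced file on C before the negative checks would still keep them from being vacuous if that sharing layout ever changes.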