diff --git a/config.go b/config.go
index c21577f8..f6e147dc 100644
--- a/config.go
+++ b/config.go
@@ -71,6 +71,9 @@ func FromConfig(conf Config) (*FS, error) {
 		if conf.Encryption.GPG.PublicPath != "" && conf.Encryption.GPG.PrivatePath != "" {
 			cryptor, err = NewGPGCryptorFile(conf.Encryption.GPG.PublicPath, conf.Encryption.GPG.PrivatePath, password)
 		}
+
+	case conf.Encryption.Vault != nil:
+		cryptor, err = NewVaultCryptor(*conf.Encryption.Vault)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("cryptor from config: %w", err)
diff --git a/config_test.go b/config_test.go
index 91fc8a2e..750a30ba 100644
--- a/config_test.go
+++ b/config_test.go
@@ -18,6 +18,7 @@
 package cryptfs
 
 import (
+	"fmt"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -31,6 +32,8 @@ func TestFromConfig(t *testing.T) {
 	t.Run("zero value", func(t *testing.T) {
 		fsys, err := FromConfig(conf)
 		require.NoError(t, err)
+		require.Equal(t, "*cryptfs.nothingCryptor", fmt.Sprintf("%T", fsys.cryptor))
+
 		testCryptFS(t, fsys)
 	})
 
@@ -40,6 +43,8 @@ func TestFromConfig(t *testing.T) {
 
 		fsys, err := FromConfig(conf)
 		require.NoError(t, err)
+		require.Equal(t, "*cryptfs.nothingCryptor", fmt.Sprintf("%T", fsys.cryptor))
+
 		testCryptFS(t, fsys)
 	})
 
@@ -50,6 +55,8 @@ func TestFromConfig(t *testing.T) {
 
 		fsys, err := FromConfig(conf)
 		require.NoError(t, err)
+		require.Equal(t, "*cryptfs.AESCryptor", fmt.Sprintf("%T", fsys.cryptor))
+
 		testCryptFS(t, fsys)
 	})
 
@@ -83,6 +90,7 @@ func TestFromConfig(t *testing.T) {
 
 		fsys, err = FromConfig(conf)
 		require.NoError(t, err)
+		require.Equal(t, "*cryptfs.GPGCryptor", fmt.Sprintf("%T", fsys.cryptor))
 
 		bs, err := fsys.ReadFile(path)
 		require.NoError(t, err)
@@ -99,10 +107,14 @@ func TestFromConfig(t *testing.T) {
 
 		fsys, err := FromConfig(conf)
 		require.NoError(t, err)
+		require.Equal(t, "*cryptfs.GPGCryptor", fmt.Sprintf("%T", fsys.cryptor))
+
 		testCryptFS(t, fsys)
 	})
 
 	t.Run("Vault", func(t *testing.T) {
+		shouldSkipDockerTest(t)
+
 		conf.Encryption.GPG = nil
 		conf.Encryption.Vault = &VaultConfig{
 			Address: "http://localhost:8200",
@@ -114,6 +126,8 @@ func TestFromConfig(t *testing.T) {
 
 		fsys, err := FromConfig(conf)
 		require.NoError(t, err)
+		require.Equal(t, "*cryptfs.VaultCryptor", fmt.Sprintf("%T", fsys.cryptor))
+
 		testCryptFS(t, fsys)
 	})
 }
diff --git a/cryptor_vault_test.go b/cryptor_vault_test.go
index 26672e9d..40c349a0 100644
--- a/cryptor_vault_test.go
+++ b/cryptor_vault_test.go
@@ -28,11 +28,8 @@ import (
 )
 
 func TestVaultCryptor(t *testing.T) {
-	isGithubCI := os.Getenv("GITHUB_ACTIONS") != ""
-	isLinux := runtime.GOOS == "linux"
-	if isGithubCI && !isLinux {
-		t.Skipf("docker is not supported on %s github runners", runtime.GOOS)
-	}
+	shouldSkipDockerTest(t)
+
 	if testing.Short() {
 		t.Skip("skipping network tests")
 	}
@@ -69,3 +66,13 @@ func TestVaultCryptor(t *testing.T) {
 		require.Equal(t, input, bs)
 	})
 }
+
+func shouldSkipDockerTest(t *testing.T) {
+	t.Helper()
+
+	isGithubCI := os.Getenv("GITHUB_ACTIONS") != ""
+	isLinux := runtime.GOOS == "linux"
+	if isGithubCI && !isLinux {
+		t.Skipf("docker is not supported on %s github runners", runtime.GOOS)
+	}
+}