diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index afbfa4d..7a0f0ff 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -107,11 +107,13 @@ function edit {
     if [ -f "$FILE" ]
     then
         DECRYPT=("${DEFAULT_DECRYPT[@]}")
-        if [ -f "$HOME/.ssh/id_rsa" ]; then
-            DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
-        fi
-        if [ -f "$HOME/.ssh/id_ed25519" ]; then
-            DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+            if [ -f "$HOME/.ssh/id_rsa" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
+            fi
+            if [ -f "$HOME/.ssh/id_ed25519" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+            fi
         fi
         if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
           echo "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix
index 927619c..06f1bbb 100644
--- a/test/install_ssh_host_keys.nix
+++ b/test/install_ssh_host_keys.nix
@@ -1,18 +1,24 @@
 # Do not copy this! It is insecure. This is only okay because we are testing.
-{
+{config, ...}: {
   system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
 
   system.activationScripts.installSSHHostKeys.text = ''
+    USER1_UID="${toString config.users.users.user1.uid}"
+    USERS_GID="${toString config.users.groups.users.gid}"
+
     mkdir -p /etc/ssh /home/user1/.ssh
+    chown $USER1_UID:$USERS_GID /home/user1/.ssh
     (
       umask u=rw,g=r,o=r
       cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
       cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
+      chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519.pub
     )
     (
       umask u=rw,g=,o=
       cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
       cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
+      chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
       touch /etc/ssh/ssh_host_rsa_key
     )
   '';
diff --git a/test/integration.nix b/test/integration.nix
index 772adea..4156b5e 100644
--- a/test/integration.nix
+++ b/test/integration.nix
@@ -39,6 +39,7 @@ pkgs.nixosTest {
         user1 = {
           isNormalUser = true;
           passwordFile = config.age.secrets.passwordfile-user1.path;
+          uid = 1000;
         };
       };
     };
@@ -78,5 +79,15 @@ pkgs.nixosTest {
         assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
         assert len(h[0].strip()) == 64, "hash length is incorrect"
     assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
+
+    userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
+
+    # user1 can edit passwordfile-user1.age
+    system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
+
+    # user1 can edit even if bogus id_rsa present
+    system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
+    system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
+    system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
   '';
 }