diff --git a/tests/from-nixos.nix b/tests/from-nixos.nix
index 05f1f686..875a092d 100644
--- a/tests/from-nixos.nix
+++ b/tests/from-nixos.nix
@@ -34,6 +34,10 @@
 start_all()
 installer.succeed("mkdir -p /tmp/extra-files/var/lib/secrets")
 installer.succeed("echo value > /tmp/extra-files/var/lib/secrets/key")
+ installer.succeed("mkdir -p /tmp/extra-files/home/user/.ssh")
+ installer.succeed("echo secretkey > /tmp/extra-files/home/user/.ssh/id_ed25519")
+ installer.succeed("echo publickey > /tmp/extra-files/home/user/.ssh/id_ed25519.pub")
+ installer.succeed("chmod 600 /tmp/extra-files/home/user/.ssh/id_ed25519")
 ssh_key_path = "/etc/ssh/ssh_host_ed25519_key.pub"
 ssh_key_output = installer.wait_until_succeeds(f"""
 ssh -i /root/.ssh/install_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
@@ -46,6 +50,7 @@
 --kexec /etc/nixos-anywhere/kexec-installer \
 --extra-files /tmp/extra-files \
 --store-paths /etc/nixos-anywhere/disko /etc/nixos-anywhere/system-to-install \
+ --chown /home/user 1000:100 \
 --copy-host-keys \
 root@installed >&2
 """)
@@ -62,6 +67,10 @@
 assert "value" == content, f"secret does not have expected value: {content}"
 ssh_key_content = new_machine.succeed(f"cat {ssh_key_path}").strip()
 assert ssh_key_content in ssh_key_output, "SSH host identity changed"
+ priv_key_perms = new_machine.succeed("stat -c %a /home/user/.ssh/").strip()
+ assert priv_key_perms == "600", f"unexpected permissions for private key: {priv_key_perms}"
+ user_dir_ownership = new_machine.succeed("stat -c %u:%g /home/user").strip()
+ assert user_dir_ownership == "1000:100", f"unexpected user home dir permissions: {user_dir_ownership}"
 '';
 }
 )
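Review bot: In the third hunk the permission check stats the directory `/home/user/.ssh/` rather than the key file, yet it asserts `600` and its message says "private key"; the mode set in the first hunk is on `id_ed25519`, so the assertion does not verify that the key's restrictive mode survived the copy. Point it at the file: `priv_key_perms = new_machine.succeed("stat -c %a /home/user/.ssh/id_ed25519").strip()`. The ownership assertion likewise covers only `/home/user`; because the key is the sensitive file, a second `stat -c %u:%g /home/user/.ssh/id_ed25519` compared against `1000:100` would confirm that `--chown` reached it (whether the option applies recursively is not visible in this diff). The test script begins outside the hunk.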