diff --git a/internal/chain/service_encryption_test.go b/internal/chain/service_encryption_test.go
new file mode 100644
index 0000000..1a59b8c
--- /dev/null
+++ b/internal/chain/service_encryption_test.go
@@ -0,0 +1,46 @@
+package chain
+
+import (
+	"testing"
+
+	tocrypto "github.com/tolelom/tolchain/crypto"
+)
+
+func TestEncryptDecryptV2_Roundtrip(t *testing.T) {
+	s := newTestService()
+	priv, _, err := tocrypto.GenerateKeyPair()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cipherHex, nonceHex, saltHex, err := s.encryptPrivKeyV2(priv, 42)
+	if err != nil {
+		t.Fatal(err)
+	}
+	got, err := s.decryptPrivKeyV2(cipherHex, nonceHex, saltHex, 42)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got.Hex() != priv.Hex() {
+		t.Errorf("roundtrip mismatch: got %s, want %s", got.Hex(), priv.Hex())
+	}
+}
+
+func TestDecryptV2_WrongUserID_Fails(t *testing.T) {
+	s := newTestService()
+	priv, _, _ := tocrypto.GenerateKeyPair()
+	cipherHex, nonceHex, saltHex, _ := s.encryptPrivKeyV2(priv, 42)
+	_, err := s.decryptPrivKeyV2(cipherHex, nonceHex, saltHex, 99)
+	if err == nil {
+		t.Error("expected error for wrong userID")
+	}
+}
+
+func TestV1V2_DifferentCiphertext(t *testing.T) {
+	s := newTestService()
+	priv, _, _ := tocrypto.GenerateKeyPair()
+	v1cipher, _, _ := s.encryptPrivKey(priv)
+	v2cipher, _, _, _ := s.encryptPrivKeyV2(priv, 1)
+	if v1cipher == v2cipher {
+		t.Error("v1 and v2 should produce different ciphertext")
+	}
+}