diff --git a/test/sharness/t0021-config.sh b/test/sharness/t0021-config.sh
index f510d451d..407447ed3 100755
--- a/test/sharness/t0021-config.sh
+++ b/test/sharness/t0021-config.sh
@@ -77,10 +77,12 @@ test_config_cmd() {
   '
 
   test_expect_success "output looks good" '
-       echo "Error: cannot show private key through API" > ident_exp &&
+       echo "Error: cannot show or change private key through API" > ident_exp &&
        test_cmp ident_exp ident_out
   '
 
+  # SECURITY
+  # Those tests are here to prevent exposing the PrivKey on the network
   test_expect_success "'ipfs config Identity.PrivKey' fails" '
        test_expect_code 1 ipfs config Identity.PrivKey 2> ident_out
   '
@@ -88,6 +90,16 @@ test_config_cmd() {
   test_expect_success "output looks good" '
        test_cmp ident_exp ident_out
   '
+
+  test_expect_success "'ipfs config show' doesn't include privkey" '
+       ipfs config show > show_config &&
+       grep PrivKey show_config | grep "\"PrivKey\": null"
+  '
+
+  test_expect_success "'ipfs config replace' injects privkey back" '
+       ipfs config replace show_config &&
+	   grep PrivKey "$IPFS_PATH/config" | grep -v ": null" >/dev/null
+  '
 }
 
 test_init_ipfs