diff --git a/config/config_test.go b/config/config_test.go
index 5db731c4dd..6b39224fdf 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -100,6 +100,7 @@ creation_rules:
 unencrypted_suffix: _unencrypted
 - path_regex: bar?foo$
 encrypted_suffix: _enc
+ encrypted_selector: data.foo
 key_groups:
 - kms:
 - arn: baz
@@ -234,6 +235,12 @@ func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) {
 assert.Equal(t, "_enc", conf.EncryptedSuffix)
 }
+func TestLoadConfigFileWithEncryptedSelector(t *testing.T) {
+ conf, err := loadForFileFromBytes(sampleConfigWithSuffixParameters, "barfoo", nil)
+ assert.Equal(t, nil, err)
+ assert.Equal(t, "data.foo", conf.EncryptedSelector)
+}
+
 func TestLoadConfigFileWithInvalidParameters(t *testing.T) {
 _, err := loadForFileFromBytes(sampleConfigWithInvalidParameters, "foobar", nil)
 assert.NotNil(t, err)
diff --git a/sops_test.go b/sops_test.go
index 84a767a8b3..195bf1776c 100644
--- a/sops_test.go
+++ b/sops_test.go
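Review bot: In config/config_test.go the fixture hunk adds `encrypted_selector: data.foo` to the rule that already sets `encrypted_suffix: _enc`, and TestLoadConfigFileWithEncryptedSelector then expects a nil error when loading that rule (presumably from `sampleConfigWithSuffixParameters`; the YAML literal starts and ends outside the hunk). The neighbouring TestLoadConfigFileWithInvalidParameters suggests the loader rejects conflicting selection options, so either the new key is not covered by that check or the combination is meant to be legal; the validation code is not visible here. I would give the selector a rule of its own, for example a separate `- path_regex:` entry carrying only `encrypted_selector: data.foo`, and add a negative case asserting that a rule with both `encrypted_suffix` and `encrypted_selector` fails to load. If both are allowed together, a comment stating which one wins is needed, because an ambiguous rule can leave values unencrypted without any error.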
@@ -133,6 +133,58 @@ func TestEncryptedSuffix(t *testing.T) {
 }
 }
+
+func TestEncryptedSelector(t *testing.T) {
+ branch := TreeBranch{
+ TreeItem{
+ Key: "foo_encrypted",
+ Value: "bar",
+ },
+ TreeItem{
+ Key: "bar",
+ Value: TreeBranch{
+ TreeItem{
+ Key: "foo",
+ Value: "bar",
+ },
+ },
+ },
+ }
+ tree := Tree{Branch: branch, Metadata: Metadata{EncryptedSelector: "bar.foo"}}
+ expected := TreeBranch{
+ TreeItem{
+ Key: "foo_encrypted",
+ Value: "rab",
+ },
+ TreeItem{
+ Key: "bar",
+ Value: TreeBranch{
+ TreeItem{
+ Key: "foo",
+ Value: "bar",
+ },
+ },
+ },
+ }
+ cipher := reverseCipher{}
+ _, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
+ if err != nil {
+ t.Errorf("Encrypting the tree failed: %s", err)
+ }
+ if !reflect.DeepEqual(tree.Branch, expected) {
+ t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branch, expected)
+ }
+ _, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
+ if err != nil {
+ t.Errorf("Decrypting the tree failed: %s", err)
+ }
+ expected[0].Value = "bar"
+ if !reflect.DeepEqual(tree.Branch, expected) {
+ t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branch, expected)
+ }
+}
+
+
 type MockCipher struct{}
 func (m MockCipher) Encrypt(value interface{}, key []byte, path string) (string, error) {
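Review bot: The `expected` tree in TestEncryptedSelector appears to be carried over from the suffix test: with `EncryptedSelector: "bar.foo"` it expects `foo_encrypted` to come back as "rab" while the selected leaf `bar.foo` stays "bar", so the test pins the selected value as plaintext. The implementation is not visible in this hunk, but if the selector is meant to choose what gets encrypted, the expectations should be swapped: `Value: "bar",` for `foo_encrypted`, `Value: "rab",` for the nested `foo`, and the reset before the decrypt comparison written as `expected[1].Value.(TreeBranch)[0].Value = "bar"`. If the current expectations are intended, a comment stating the selector semantics would keep a reader from assuming the selected path is protected. Renaming the top-level key to one without the `_encrypted` suffix would also show that the selector, not a suffix rule, drives the result.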