diff --git a/tests/Sanity/basic-sanity/runtest.sh b/tests/Sanity/basic-sanity/runtest.sh
index d1e6c27..5ea92c8 100755
--- a/tests/Sanity/basic-sanity/runtest.sh
+++ b/tests/Sanity/basic-sanity/runtest.sh
@@ -49,25 +49,22 @@ PACKAGES="${PACKAGES:-volume_key}"
 REQUIRES="${REQUIRES:-cryptsetup nss-tools expect tcllib}"
 _GNUPG_DIR="${HOME}/.gnupg"
-_IMAGE="image"
+_IMAGE="${_IMAGE:-image}"
 _IMAGE_IMG="${_IMAGE}.img"
-_PACKET="packet"
-_NEW_PACKET="new-packet"
-_PACKET_ASYM="packet-asym"
-_NEW_PACKET_ASYM="new-packet-asym"
-_ESCROW="escrow"
-_ESCROW_KEY="${_ESCROW}.key"
-_ESCROW_CERT="${_ESCROW}.cert"
+_PACKET="${_PACKET:-packet}"
+_NEW_PACKET="${_NEW_PACKET:-new-packet}"
+_PACKET_ASYM="${_PACKET_ASYM:-packet-asym}"
+_NEW_PACKET_ASYM="${_NEW_PACKET_ASYM:-new-packet-asym}"
+_ESCROW="${_ESCROW:-escrow}"
 _ESCROW_PEM="${_ESCROW}.pem"
-_ESCROW_P12="${_ESCROW}.p12"
-_NSSDB="nssdb"
+_NSSDB="${_NSSDB:-nssdb}"
 
-_LUKS_PASS="lukspass"
-_PACKET_PASS="packetpass"
-_NEW_PACKET_PASS="newpacketpass"
-_CERT_PASS="certpass"
-_NEW_LUKS_PASS="newlukspass"
-_NEW_LUKS_PASS_ASYM="newlukspass-asym"
+_LUKS_PASS="${_LUKS_PASS:-lukspass}"
+_PACKET_PASS="${_PACKET_PASS:-packetpass}"
+_NEW_PACKET_PASS="${_NEW_PACKET_PASS:-newpacketpass}"
+_CERT_PASS="${_CERT_PASS:-certpass}"
+_NEW_LUKS_PASS="${_NEW_LUKS_PASS:-newlukspass}"
+_NEW_LUKS_PASS_ASYM="${_NEW_LUKS_PASS_ASYM:-newlukspass-asym}"
 _TEMP_DIR=""
 _VOLUME=""
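Review bot: The environment-overridable defaults introduced here (`_IMAGE="${_IMAGE:-image}"` through `_NEW_LUKS_PASS_ASYM`) are undocumented, and the passphrases still appear to reach the expect helper on its command line later in the patch (`Input --packetpass "${_PACKET_PASS}"`), where `ps` and `set -x` can see them; a comment above the block such as `# Test fixtures; each value may be overridden from the environment. Passphrases are handed to the expect helper as arguments, so use throwaway values only.` would record both facts. `_IMAGE` is also used as the device-mapper name in the new tests (`/dev/mapper/${_IMAGE}`, `cryptsetup luksClose "${_IMAGE}"`), so an inherited value that names a mapping which already exists would be closed by the test run; failing early with `[[ -e "/dev/mapper/${_IMAGE}" ]] && rlDie "mapping ${_IMAGE} already exists"`, presumably in the setup phase, would prevent that. `_ESCROW_KEY`, `_ESCROW_CERT` and `_ESCROW_P12` are removed; if any code outside this hunk still expands them, that only shows up at run time as an empty path.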
@@ -167,4 +164,191 @@ function TestVolumeKeyRestore() {
 }
 AddTest TestVolumeKeyRestore "restore"
 
+function TestVolumeKeySetupVolume() {
+ rlAssertExists "${_PACKET}" || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ Command volume_key --setup-volume "${_VOLUME}" "${_PACKET}" "${_IMAGE}"
+ Input --packetpass "${_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ RunCmd ls -la /dev/mapper
+ rlAssertExists "/dev/mapper/${_IMAGE}"
+
+ RunCmd cryptsetup luksClose "${_IMAGE}"
+}
+AddTest TestVolumeKeySetupVolume "setup-volume"
+
+function TestVolumeKeyReencrypt() {
+ rlAssertExists "${_PACKET}" || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ Command volume_key --reencrypt "${_PACKET}" -o "${_NEW_PACKET}"
+ Input --packetpass "${_PACKET_PASS}"
+ Input --newpacketpass "${_NEW_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ Command volume_key --setup-volume "${_VOLUME}" "${_NEW_PACKET}" "${_IMAGE}"
+ Input --packetpass "${_NEW_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ RunCmd ls -la /dev/mapper
+ rlAssertExists "/dev/mapper/${_IMAGE}"
+
+ RunCmd cryptsetup luksClose "${_IMAGE}"
+}
+AddTest TestVolumeKeyReencrypt "reencrypt"
+
+function TestVolumeKeyDump() {
+ local __uuid=""
+
+ rlAssertExists "${_PACKET}" || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ rlRunOptions -s
+ Command volume_key --dump "${_PACKET}"
+ Input --packetpass "${_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ __uuid="$(blkid -o value -s UUID "${_VOLUME}")"
+
+ rlAssertGrep '^Packet format:\W+Passphrase-encrypted' "${rlRun_LOG}" -E
+ rlAssertGrep '^Volume format:\W+crypt_LUKS' "${rlRun_LOG}" -E
+ rlAssertGrep "^Volume UUID:\W+${__uuid}" "${rlRun_LOG}" -E
+ rlAssertGrep "^Volume path:\W+${_VOLUME}" "${rlRun_LOG}" -E
+}
+AddTest TestVolumeKeyDump "dump"
+
+function TestVolumeKeySecrets() {
+ rlAssertExists "${_PACKET}" || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ rlRunOptions -s
+ Command volume_key --secrets "${_PACKET}"
+ Input --packetpass "${_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ rlAssertGrep 'Data encryption key:\W+[0-9A-F]+' "${rlRun_LOG}" -E
+}
+AddTest TestVolumeKeySecrets "secrets"
+
+function TestVolumeKeySaveAsymmetric() {
+ RunCmdViaExpect
+ Command volume_key
+ Command --save "${_VOLUME}" --output-format=asymmetric
+ Command -c "${_ESCROW_PEM}" -o "${_PACKET_ASYM}"
+ Input --lukspass "${_LUKS_PASS}"
+ FinishRun
+}
+AddTest TestVolumeKeySaveAsymmetric "save asymmetric"
+
+function TestVolumeKeyRestoreAsymmetric() {
+ rlAssertExists "${_PACKET_ASYM}" || return $?
+
+ RunCmdViaExpect
+ Command volume_key --restore "${_VOLUME}" "${_PACKET_ASYM}" -d "${_NSSDB}"
+ Input --certpass "${_CERT_PASS}"
+ Input --lukspass "${_NEW_LUKS_PASS_ASYM}"
+ FinishRun || return $?
+
+ RunCmdViaExpect
+ Command cryptsetup luksOpen "${_VOLUME}" "${_IMAGE}"
+ Input --password "${_NEW_LUKS_PASS_ASYM}"
+ FinishRun || return $?
+
+ RunCmd ls -la /dev/mapper
+ rlAssertExists "/dev/mapper/${_IMAGE}"
+
+ RunCmd cryptsetup luksClose "${_IMAGE}"
+}
+AddTest TestVolumeKeyRestoreAsymmetric "restore asymmetric"
+
+function TestVolumeKeySetupVolumeAsymmetric() {
+ rlAssertExists "${_PACKET_ASYM}" || return $?
+
+ RunCmdViaExpect
+ Command volume_key
+ Command --setup-volume "${_VOLUME}" "${_PACKET_ASYM}" "${_IMAGE}"
+ Command -d "${_NSSDB}"
+ Input --certpass "${_CERT_PASS}"
+ FinishRun || return $?
+
+ RunCmd ls -la /dev/mapper
+ rlAssertExists "/dev/mapper/${_IMAGE}"
+
+ RunCmd cryptsetup luksClose "${_IMAGE}"
+}
+AddTest TestVolumeKeySetupVolumeAsymmetric "setup-volume asymmetric"
+
+function TestVolumeKeyReencryptAsymmetric() {
+ rlAssertExists "${_PACKET_ASYM}" || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ Command volume_key --reencrypt
+ Command -d "${_NSSDB}" "${_PACKET_ASYM}" -o "${_NEW_PACKET_ASYM}"
+ Input --certpass "${_CERT_PASS}"
+ Input --newpacketpass "${_NEW_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ ClearGpgAgentsCache
+ RunCmdViaExpect
+ Command volume_key
+ Command --setup-volume "${_VOLUME}" "${_NEW_PACKET_ASYM}" "${_IMAGE}"
+ Input --packetpass "${_NEW_PACKET_PASS}"
+ Input ${USING_PINENTRY:+--pinentry}
+ FinishRun || return $?
+
+ RunCmd ls -la /dev/mapper
+ rlAssertExists "/dev/mapper/${_IMAGE}"
+
+ RunCmd cryptsetup luksClose "${_IMAGE}"
+}
+AddTest TestVolumeKeyReencryptAsymmetric "reencrypt asymmetric"
+
+function TestVolumeKeyDumpAsymmetric() {
+ local __uuid=""
+
+ rlAssertExists "${_PACKET_ASYM}" || return $?
+
+ RunCmdViaExpect
+ rlRunOptions -s
+ Command volume_key --dump "${_PACKET_ASYM}" -d "${_NSSDB}"
+ Input --certpass "${_CERT_PASS}"
+ FinishRun || return $?
+
+ __uuid="$(blkid -o value -s UUID "${_VOLUME}")"
+
+ rlAssertGrep '^Packet format:\W+Public key-encrypted' "${rlRun_LOG}" -E
+ rlAssertGrep '^Volume format:\W+crypt_LUKS' "${rlRun_LOG}" -E
+ rlAssertGrep "^Volume UUID:\W+${__uuid}" "${rlRun_LOG}" -E
+ rlAssertGrep "^Volume path:\W+${_VOLUME}" "${rlRun_LOG}" -E
+}
+AddTest TestVolumeKeyDumpAsymmetric "dump asymmetric"
+
+function TestVolumeKeySecretsAsymmetric() {
+ rlAssertExists "${_PACKET_ASYM}" || return $?
+
+ RunCmdViaExpect
+ rlRunOptions -s
+ Command volume_key --secrets "${_PACKET_ASYM}" -d "${_NSSDB}"
+ Input --certpass "${_CERT_PASS}"
+ FinishRun || return $?
+
+ rlAssertGrep 'Data encryption key:\W+[0-9A-F]+' "${rlRun_LOG}" -E
+}
+AddTest TestVolumeKeySecretsAsymmetric "secrets asymmetric"
+
 RunTest
diff --git a/tests/utils/common.tcl b/tests/utils/common.tcl
index 2b1117b..f9362b5 100644
--- a/tests/utils/common.tcl
+++ b/tests/utils/common.tcl
@@ -23,6 +23,15 @@
 #
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+proc oneof {l1 l2} {
+ foreach x $l1 {
+ if {$x in $l2} {
+ return 1
+ }
+ }
+ return 0
+}
+
 proc verify_password {password} {
 if {$password == ""} {
 return -code error "password required!"
diff --git a/tests/utils/volume_key.exp b/tests/utils/volume_key.exp
index 20efc00..82ae878 100755
--- a/tests/utils/volume_key.exp
+++ b/tests/utils/volume_key.exp
@@ -29,8 +29,10 @@ package require cmdline
 source [file join [file dirname [info script]] "common.tcl"]
 
 set options {
+ {certpass.arg "" "Password for certificate"}
 {lukspass.arg "" "Password for LUKS encryption/decryption"}
 {packetpass.arg "" "Password for escrow packet encryption/decryption"}
+ {newpacketpass.arg "" "New password for escrow packet reencryption"}
 {pinentry "gpg-agent may ask for password via pinentry"}
 }
 
@@ -48,10 +50,19 @@ if {[catch {
 exit 1
 }
 
+set certpass $params(certpass)
 set lukspass $params(lukspass)
 set packetpass $params(packetpass)
+set newpacketpass $params(newpacketpass)
 set pinentry $params(pinentry)
 
+proc prompt_cert_password {password} {
+ verify_password $password
+ expect -re "Enter password for.*"
+ sleep 1
+ send -- "$password\r"
+}
+
 proc prompt_luks_password {password} {
 verify_password $password
 expect -re "Passphrase for.*"
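Review bot: In TestVolumeKeySetupVolume, TestVolumeKeyReencrypt, TestVolumeKeyRestoreAsymmetric, TestVolumeKeySetupVolumeAsymmetric and TestVolumeKeyReencryptAsymmetric the `FinishRun || return $?` early return skips the trailing `RunCmd cryptsetup luksClose "${_IMAGE}"`, so a failure reported after the mapping was already created leaves the decrypted `/dev/mapper/${_IMAGE}` open for every later test and makes their luksOpen/setup-volume steps fail for the wrong reason; closing the mapping unconditionally before returning (e.g. `FinishRun; local __rc=$?; [[ -e "/dev/mapper/${_IMAGE}" ]] && RunCmd cryptsetup luksClose "${_IMAGE}"; return "${__rc}"`) or in the test cleanup keeps the cases independent. In TestVolumeKeyDump and TestVolumeKeyDumpAsymmetric the result of `__uuid="$(blkid -o value -s UUID "${_VOLUME}")"` is never checked, so when blkid fails the `^Volume UUID:\W+${__uuid}` pattern collapses to `^Volume UUID:\W+` and matches any UUID line; add `[[ -n "${__uuid}" ]] || { rlFail "blkid returned no UUID for ${_VOLUME}"; return 1; }` after the assignment. The two `--secrets` tests record the volume's data encryption key in `${rlRun_LOG}` through `rlRunOptions -s`; that is acceptable for a throwaway test image, but the log should not be kept beyond the run.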
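Review bot: `oneof` has no comment stating its contract, and the name alone does not say which list is the set of candidates and which is searched; a line such as `# Return 1 if any element of l1 also occurs in l2, 0 otherwise.` above the proc would settle that for the callers added in volume_key.exp. Because `in` compares elements exactly, callers must spell option tokens exactly as they appear in argv; that is worth saying in the same comment.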
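Review bot: `prompt_cert_password` sends the password unconditionally after `expect -re "Enter password for.*"`, so when the prompt never appears (expect's default timeout elapses, or the spawned process has already exited) the secret is still written to the child and can end up in the expect log or in whatever prompt comes next instead of being consumed; matching `timeout` and `eof` explicitly, `expect { -re "Enter password for.*" {} timeout { exit 1 } eof { exit 1 } }`, fails fast instead. The neighbouring `prompt_luks_password` (its body continues past the hunk) uses the same bare `expect -re`, so the change belongs to all prompt helpers. The fixed `sleep 1` between the match and `send --` looks like a timing workaround; if it is needed because volume_key changes terminal modes after printing the prompt, a comment saying so would keep the next reader from removing it.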
@@ -100,12 +111,33 @@ proc prompt_new_packet_password {password pinentry} {
 }
 
 eval spawn volume_key $::argv
-if {"--save" in $::argv} {
- prompt_luks_password $lukspass
- prompt_new_packet_password $packetpass $pinentry
+if {"--reencrypt" in $::argv} {
+ if {"-d" in $::argv} {
+ prompt_cert_password $certpass
+ } else {
+ prompt_packet_password $packetpass $pinentry
+ }
+ prompt_new_packet_password $newpacketpass $pinentry
 expect eof
 } elseif {"--restore" in $::argv} {
- prompt_packet_password $packetpass $pinentry
+ if {"-d" in $::argv} {
+ prompt_cert_password $certpass
+ } else {
+ prompt_packet_password $packetpass $pinentry
+ }
 prompt_new_luks_password $lukspass
 expect eof
+} elseif {"--save" in $::argv} {
+ prompt_luks_password $lukspass
+ if {"-c" ni $::argv} {
+ prompt_new_packet_password $packetpass $pinentry
+ }
+ expect eof
+} elseif {[oneof {"--dump" "--secrets" "--setup-volume"} $::argv]} {
+ if {"-d" in $::argv} {
+ prompt_cert_password $certpass
+ } else {
+ prompt_packet_password $packetpass $pinentry
+ }
+ expect eof
 }
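Review bot: The `if`/`elseif` chain has no final `else`, so an argv that matches none of `--reencrypt`, `--restore`, `--save`, `--dump`, `--secrets` or `--setup-volume` still spawns volume_key but never interacts with it or reports the mistake; adding `} else { puts stderr "unsupported volume_key mode: $::argv"; exit 1 }` makes misuse visible at once. Mode and `-d`/`-c` detection relies on exact token membership in `$::argv`, which holds for the callers in this patch but would silently choose the wrong prompt sequence for any other spelling or combined form of those options; a one-line comment above the chain stating that assumption is worth adding. None of the branches appears to collect the spawned process's exit status after `expect eof` (that needs a `wait`); if that happens after the hunk's closing `}` ignore this, otherwise a failing volume_key run still ends the script with status 0 and the `FinishRun || return $?` checks in runtest.sh cannot notice it.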