diff --git a/firmware/src/hal/sgx/test/secret_store/test_secret_store.c b/firmware/src/hal/sgx/test/secret_store/test_secret_store.c
index fc8cc444..2544eb23 100644
--- a/firmware/src/hal/sgx/test/secret_store/test_secret_store.c
+++ b/firmware/src/hal/sgx/test/secret_store/test_secret_store.c
@@ -544,6 +544,52 @@ void test_remove_fails_when_kvstore_remove_fails() {
 teardown();
 }
+void test_read_fails_wrong_type() {
+ test_fixture_t* fixture = setup("secret", 0xff);
+ printf("Test read fails when secret type is wrong...\n");
+
+ // Write the secret and make sure the seal API is called with the correct
+ // arguments
+ char* key = "key";
+ assert(sest_write(key,
+ fixture->secret_type,
+ fixture->secret_payload,
+ fixture->payload_size));
+ assert_oe_seal_called_with(
+ NULL,
+ (const oe_seal_setting_t[]){OE_SEAL_SET_POLICY(1)},
+ 1,
+ fixture->secret,
+ fixture->secret_size,
+ NULL,
+ 0);
+ assert(sest_exists(key));
+ mock_ocall_kstore_assert_value(key, fixture->sealed_secret);
+
+ // Attempt to read the secret with the wrong type
+ uint8_t retrieved[MAX_SEST_READ_SIZE];
+ memset(retrieved, 0, sizeof(retrieved));
+ uint8_t retrieved_length =
+ sest_read(key, 0xee, retrieved, sizeof(retrieved));
+ assert_oe_unseal_called_with(
+ fixture->sealed_secret, fixture->sealed_size, NULL, 0);
+ assert(retrieved_length == SEST_ERROR);
+ ASSERT_ARRAY_CLEARED(retrieved);
+
+ // Try again with the correct type
+ retrieved_length =
+ sest_read(key, fixture->secret_type, retrieved, sizeof(retrieved));
+ assert_oe_unseal_called_with(
+ fixture->sealed_secret, fixture->sealed_size, NULL, 0);
+ printf("retrieved_length: %d\n", retrieved_length);
+ printf("fixture payload size: %ld\n", fixture->payload_size);
+ printf("retrieved: %s\n", retrieved);
+ printf("plaintext: %s\n", fixture->secret_payload);
+ assert(retrieved_length == fixture->payload_size);
+ ASSERT_MEMCMP(retrieved, fixture->secret_payload, fixture->payload_size);
+ teardown();
+}
+
 int main() {
 test_secret_exists_after_write();
 test_write_and_retrieve_secret();
@@ -561,6 +607,7 @@ int main() {
 test_exists_fails_when_kvstore_exists_fails();
 test_remove_with_invalid_key_fails();
 test_remove_fails_when_kvstore_remove_fails();
+ test_read_fails_wrong_type();
 return 0;
 }
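Review bot: The four `printf` calls before the final asserts in `test_read_fails_wrong_type` look like leftover debugging and print both the unsealed buffer and the fixture plaintext to stdout; the `assert(retrieved_length == fixture->payload_size)` and `ASSERT_MEMCMP` that follow already check length and content, so the prints can be dropped. If they are kept, `printf("retrieved: %s\n", retrieved)` depends on the earlier `memset` and on the payload being shorter than `MAX_SEST_READ_SIZE` for NUL termination, so a bounded form such as `printf("retrieved: %.*s\n", (int)retrieved_length, retrieved);` is safer for a `uint8_t` buffer. The `%ld` used for `fixture->payload_size` should match the field's declared type, which is not visible in this hunk (`%zu` if it is `size_t`). Separately, `retrieved_length` is a `uint8_t` compared against `SEST_ERROR`, which is only meaningful if that constant fits in `uint8_t`; its definition is outside the hunk, so this is worth confirming.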