diff --git a/.gitignore b/.gitignore
index 64b5320d..7106203d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 .envrc
 .env
 .DS_Store
+.mise.toml
diff --git a/src/crypto/sealed.rs b/src/crypto/sealed.rs
index 22a85d03..48e9ba30 100644
--- a/src/crypto/sealed.rs
+++ b/src/crypto/sealed.rs
@@ -109,12 +109,13 @@ impl SealedTableEntry {
         }
 
         let decrypted = async_map_somes(decryptable_items, |items| cipher.decrypt(items)).await?;
-        let mut chunks_exact = decrypted.chunks_exact(protected_attributes.len());
         let mut default_iter =
             std::iter::repeat_with::<&[Option<Plaintext>], _>(|| &[]).take(plaintext_items.len());
 
+        let mut chunks_exact;
         let decrypted_iter: &mut dyn Iterator<Item = &[Option<Plaintext>]> =
             if protected_attributes.len() > 0 {
+                chunks_exact = decrypted.chunks_exact(protected_attributes.len());
                 &mut chunks_exact
             } else {
                 &mut default_iter
diff --git a/tests/query_tests.rs b/tests/query_tests.rs
index c314fa03..999da258 100644
--- a/tests/query_tests.rs
+++ b/tests/query_tests.rs
@@ -37,6 +37,36 @@ impl User {
     }
 }
 
+#[derive(
+    Identifiable, Encryptable, Decryptable, Searchable, Debug, PartialEq, Ord, PartialOrd, Eq,
+)]
+#[cipherstash(sort_key_prefix = "user")]
+pub struct PublicUser {
+    #[partition_key]
+    #[cipherstash(skip)]
+    pub email: String,
+
+    #[cipherstash(skip)]
+    pub name: String,
+
+    #[cipherstash(skip)]
+    pub tag: String,
+
+    #[cipherstash(skip)]
+    pub temp: bool,
+}
+
+impl PublicUser {
+    pub fn new(email: impl Into<String>, name: impl Into<String>, tag: impl Into<String>) -> Self {
+        Self {
+            name: name.into(),
+            email: email.into(),
+            tag: tag.into(),
+            temp: false,
+        }
+    }
+}
+
 async fn run_test<F: Future<Output = ()>>(mut f: impl FnMut(EncryptedTable) -> F) {
     let config = aws_config::from_env()
         .endpoint_url("http://localhost:8000")
@@ -193,3 +223,32 @@ async fn test_delete() {
     })
     .await;
 }
+
+#[tokio::test]
+#[serial]
+async fn test_insert_retrieve_public() {
+    let config = aws_config::from_env()
+        .endpoint_url("http://localhost:8000")
+        .load()
+        .await;
+
+    let client = aws_sdk_dynamodb::Client::new(&config);
+
+    let table_name = "test-public-users-pk";
+
+    common::create_table(&client, table_name).await;
+
+    let table = EncryptedTable::init(client, table_name)
+        .await
+        .expect("Failed to init table");
+
+    table
+        .put(PublicUser::new("dan@coderdan.co", "Dan Draper", "blue"))
+        .await
+        .expect("Failed to insert Dan");
+
+    table
+        .get::<PublicUser>("dan@coderdan.co")
+        .await
+        .expect("Failed to get Dan");
+}