diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index a2c2df644..df25d75bc 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -515,6 +515,20 @@ menu "Security features"
 Only set this option in testing environments.
+ config SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+ bool "Require flash encryption to be already enabled"
+ depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ default N
+ help
+ If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader
+ will enable flash encryption: generate the flash encryption key and program eFuses.
+ If this option is set, and flash encryption is not yet enabled, the bootloader will error out and
+ reboot.
+ If flash encryption is enabled in eFuses, this option does not change the bootloader behavior.
+
+ Only use this option in testing environments, to avoid accidentally enabling flash encryption on
+ the wrong device. The device needs to have flash encryption already enabled using espefuse.py.
+
 endmenu # Potentially Insecure
 endmenu # Security features
diff --git a/components/bootloader_support/src/esp32/flash_encrypt.c b/components/bootloader_support/src/esp32/flash_encrypt.c
index 7b816e292..c8bb9cce3 100644
--- a/components/bootloader_support/src/esp32/flash_encrypt.c
+++ b/components/bootloader_support/src/esp32/flash_encrypt.c
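Review bot: `default N` uses an uppercase letter where Kconfig's boolean constants are lowercase; a capital `N` is, as far as I know, parsed as a reference to a symbol named N rather than the constant, which happens to evaluate to n but is not the documented form, so this should read `default n`. The help text also says the bootloader "will error out and reboot", while the matching change in flash_encrypt.c only logs and returns ESP_ERR_INVALID_STATE; whether a reboot actually follows depends on the caller, which is not in this diff, so either confirm that path or soften the sentence to "will refuse to continue booting". It would also help readers to state explicitly that with this option set the bootloader never writes eFuses on its own, since that is the property a test fleet relies on.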
@@ -37,7 +37,7 @@ static const char *TAG = "flash_encrypt";
 /* Static functions for stages of flash encryption */
 static esp_err_t initialise_flash_encryption(void);
-static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis);
+static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused));
 static esp_err_t encrypt_bootloader();
 static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions);
 static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition);
@@ -60,8 +60,14 @@ esp_err_t esp_flash_encrypt_check_and_update(void)
 return ESP_OK;
 }
 else {
+#ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 /* Flash is not encrypted, so encrypt it! */
 return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis);
+#else
+ ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED "
+ "is set, refusing to boot.");
+ return ESP_ERR_INVALID_STATE;
+#endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 }
 }
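Review bot: Adding `__attribute__((unused))` to the `encrypt_flash_contents` prototype only silences the warning; in a build whose whole purpose is that this function must never run, the key-generation and eFuse-programming path it fronts (per the new Kconfig help text) may still be compiled into the bootloader image and remains callable. Guarding the prototype, and its definition further down the file outside this hunk, with `#ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED` / `static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis);` / `#endif` keeps that code out of the image and turns any stray call into a compile error instead of a runtime surprise. The other static helpers listed here would need the same treatment if they are only reachable through it, which I cannot confirm from this hunk.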
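Review bot: The `#else` branch logs and returns `ESP_ERR_INVALID_STATE`, but nothing in the hunk makes the failure fatal; whether the bootloader halts or reboots, as the new Kconfig help text says, depends entirely on how the caller of `esp_flash_encrypt_check_and_update` treats the return value, and that caller is outside this diff. A comment at the `#else` would preserve the intent for the next reader: `/* Refuse to generate a key or program eFuses on this device; it must already be provisioned with espefuse.py. Callers must treat this error as fatal. */`. The start of the enclosing function is outside the hunk, so the branch that decides the flash is already encrypted could not be checked here.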