diff --git a/meta-digi-arm/conf/machine/include/ccimx8x.inc b/meta-digi-arm/conf/machine/include/ccimx8x.inc
index 101097716..b4ee89c57 100644
--- a/meta-digi-arm/conf/machine/include/ccimx8x.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc
@@ -70,8 +70,6 @@ VIRTUAL-RUNTIME_initscripts ?= "initscripts"
 
 # TrustFence
 TRUSTFENCE_SIGN_MODE = "AHAB"
-# TODO: Encryption not yet supported
-TRUSTFENCE_DEK_PATH = "0"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
 
 # Adding 'wayland' along with 'x11' enables the xwayland backend
diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
index 5c794c7a4..1c01b9f4e 100644
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
@@ -221,7 +221,12 @@ do_deploy_append () {
 					for target in ${IMXBOOT_TARGETS}; do
 						# Link to current "target" mkimage log
 						ln -sf mkimage-${target}.log mkimage.log
-						trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${rev}-${ramc}.bin-${target} ${DEPLOYDIR}/${UBOOT_PREFIX}-signed-${MACHINE}-${rev}-${ramc}.bin-${target}
+						if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+							export ENABLE_ENCRYPTION=y
+							trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${rev}-${ramc}.bin-${target} ${DEPLOYDIR}/${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}-${ramc}.bin-${target}
+						else
+							trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${rev}-${ramc}.bin-${target} ${DEPLOYDIR}/${UBOOT_PREFIX}-signed-${MACHINE}-${rev}-${ramc}.bin-${target}
+						fi
 					done
 				done
 			done