diff --git a/airoha/image/iopsys-secure-boot.mk b/airoha/image/iopsys-secure-boot.mk
index 2333410421ea2d94d4efe15266640939a453d360..827e0f60f3d2dc7f91a1884eb5a58f3515ee4957 100644
--- a/airoha/image/iopsys-secure-boot.mk
+++ b/airoha/image/iopsys-secure-boot.mk
@@ -5,8 +5,9 @@ SECURE_BOOT_ROTPK_KEY_SIZE ?= 4096
 SECURE_BOOT_ROTPK_HASH_ALG ?= sha512
 SECURE_BOOT_ROTPK ?= $(SECURE_BOOT_KEY_DIR)/rot_key_$(SECURE_BOOT_ROTPK_KEY_SIZE).pem
 
-SECURE_BOOT_ENC_ALG ?= aes256
-SECURE_BOOT_ENC_KEY ?= $(SECURE_BOOT_KEY_DIR)/aes_$(SECURE_BOOT_ENC_ALG)
+SECURE_BOOT_ENCRYPT ?= y
+SECURE_BOOT_ENCRYPT_ALG ?= aes256
+SECURE_BOOT_ENCRYPT_KEY ?= $(SECURE_BOOT_KEY_DIR)/aes_$(SECURE_BOOT_ENCRYPT_ALG)
 
 # Temporary paths
 WORK_PATH := $(STAGING_DIR_IMAGE)/nand-image
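Review bot: `SECURE_BOOT_ENCRYPT ?= y` reads as a y/n switch, but the two places that consume it in this file (the precheck at L59 and the `$(and …)` at L70) test it with `$(if …)`, which is true for any non-empty value, so `make SECURE_BOOT_ENCRYPT=n` still goes down the encryption path and only an explicitly empty value disables it. Either normalise at the definition, e.g. follow the `?=` with `SECURE_BOOT_ENCRYPT := $(filter y,$(SECURE_BOOT_ENCRYPT))` so that anything other than `y` turns it off, or document the actual contract with `# Set to an empty value (SECURE_BOOT_ENCRYPT=) to skip BL2/BL31 encryption; any non-empty value enables it.` As written, an operator who sets `n` to produce a plaintext debug image will silently get an encrypted one, or a hard build error about the missing key file.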
@@ -14,11 +15,45 @@ CERT_PATH := $(WORK_PATH)-cert
 
 UBOOT_VERSION_ID := 938f0820-2ffb-11e7-bbc9-2f21351ee6fb
 
+# Call ENC_AES_KEY or ENC_AES_IV to get accordingly 32-byte (256-bit) symmetric key
+# and 12-byte (96-bit) initialization vector (IV).
+# Do not use makefile's shell command to prevent print the values in the console.
+ifneq ($(SECURE_BOOT_ENCRYPT_KEY),"")
+define ENC_AES_KEY
+	`grep -E 'key *=' $(SECURE_BOOT_ENCRYPT_KEY) | cut -d= -f2`
+endef
+
+define ENC_AES_IV
+	`grep -E 'iv *=' $(SECURE_BOOT_ENCRYPT_KEY) | cut -d= -f2`
+endef
+else # SECURE_BOOT_ENCRYPT_KEY
+$(error Error: Path to encryption key not defined! Double check SECURE_BOOT_ENCRYPT_KEY value)
+endif # SECURE_BOOT_ENCRYPT_KEY
+
+# Invokes encrypt_fw to encrypt firmware binary
+#   $(1) = BL stage (1, 2, 2u, 31, 32)
+define iopsys-encrypt-fw
+	$(STAGING_DIR_HOST)/bin/encrypt_fw                       \
+		-f 0                                                 \
+		-k $(call ENC_AES_KEY)                               \
+		-n $(call ENC_AES_IV)                                \
+		-i $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1).bin     \
+		-o $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1)_enc.bin
+
+	$(STAGING_DIR_HOST)/bin/lzma e \
+		$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1)_enc.bin \
+		$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl$(1)_enc.lzma
+
+	$(eval ENC_BL$(1) := _enc)
+endef
+
 define iopsys-precheck-secure-boot
+	@echo Secure Boot: Sanity precheck
 	$(if $(SECURE_BOOT_ENABLE),
 		$(if $(SECURE_BOOT_KEY_DIR),,$(error Secure boot key dir not specified!))
 		$(if $(wildcard $(SECURE_BOOT_ROTPK)),,$(error Cannot find Root Of Trust Pre-shared Key in key dir!))
-		$(if $(wildcard $(SECURE_BOOT_ENC_KEY)),,$(error Cannot find encryption key in key dir!)),)
+		$(if $(SECURE_BOOT_ENCRYPT),
+			$(if $(wildcard $(SECURE_BOOT_ENCRYPT_KEY)),,$(error Cannot find encryption key in key dir!))))
 endef
 
 # $(1) build prefix
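Review bot: The guard `ifneq ($(SECURE_BOOT_ENCRYPT_KEY),"")` at L24 compares the variable with the literal two-character string `""`, not with the empty string, so the `$(error …)` branch at L33 can never fire for an empty or unset path (and the `?=` at L13 means it is never unset anyway); the intended check is `ifeq ($(strip $(SECURE_BOOT_ENCRYPT_KEY)),)`. The new `ENC_AES_KEY`/`ENC_AES_IV` lookups also drop the anchoring and hex validation that the removed L104 line had: `grep -E 'key *='` matches any line containing that substring and `cut -d= -f2` hands whatever follows to `encrypt_fw`, so a malformed key file produces a bad image rather than an error, and I would restore something like `grep -E '^key *=[A-Fa-f0-9]+$$' … | sed -e 's/^key *=//'` (the exact number of `$` escapes depends on how many `$(call)`/recipe expansions the define goes through, as the `$$$$` on L104 shows). Note too that the backtick trick only keeps the values out of make's echo; the key and IV still appear on the `encrypt_fw` command line at L41–L42 and are readable from `/proc/<pid>/cmdline` by any local user for the lifetime of the process, which is worth a comment on L23 if that is acceptable for the build host.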
@@ -34,6 +69,12 @@ define iopsys-prepare-secure-boot
 		cp -pv $(SECURE_BOOT_ROTPK) $(CERT_PATH)-$(notdir $(1))/ROTkey; \
 	fi
 
+# Encrypt firmware binary
+
+	$(if $(and $(SECURE_BOOT_ENABLE),$(SECURE_BOOT_ENCRYPT)),
+		$(call iopsys-encrypt-fw,2)
+		$(call iopsys-encrypt-fw,31))
+
 # This is lzma/config dependent
 	$(STAGING_DIR_HOST)/bin/lzma e \
 		$(2) \
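Review bot: Both `iopsys-encrypt-fw` calls at L71–L72 use the same `ENC_AES_KEY` and `ENC_AES_IV` (L41–L42), read from a single static key file, so BL2 and BL31 — and every subsequent firmware build — are encrypted under one key/IV pair. If `encrypt_fw` implements an AEAD mode such as AES-GCM, which the 12-byte IV described at L21–L22 suggests, reusing a nonce under the same key leaks the XOR of the two plaintexts and allows authentication-tag forgery, so the scheme should use a distinct nonce per encrypted image (stored wherever the loader expects it), or at minimum separate `iv` entries for BL2 and BL31 — please confirm against encrypt_fw's mode before relying on it. Separately, the `lzma e` step at L46–L48 runs on ciphertext, which does not compress, so the `bl2_enc.lzma` produced for `$(1)=2` is both useless and unreferenced; a comment such as `# Compression of the encrypted image yields no size gain; kept only because the BL31 slot expects .lzma` would make the intent explicit.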
@@ -58,8 +99,8 @@ define iopsys-prepare-secure-boot
 		--soc-fw-key-cert               $(CERT_PATH)-$(notdir $(1))/soc_fw_key.crt         \
 		--nt-fw-cert                    $(CERT_PATH)-$(notdir $(1))/nt_fw_content.crt      \
 		--nt-fw-key-cert                $(CERT_PATH)-$(notdir $(1))/nt_fw_key.crt          \
-		--tb-fw                         $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2.bin         \
-		--soc-fw                        $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31.lzma       \
+		--tb-fw                         $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2$(ENC_BL2).bin    \
+		--soc-fw                        $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31$(ENC_BL31).lzma \
 		--nt-fw                         $(WORK_PATH)-$(notdir $(1))/u-boot-ram.lzma
 
 # This is mostly generic (depends on which fiptool is used though)
@@ -71,8 +112,8 @@ define iopsys-prepare-secure-boot
 		--nt-fw-cert            $(CERT_PATH)-$(notdir $(1))/nt_fw_content.crt              \
 		--nt-fw-key-cert        $(CERT_PATH)-$(notdir $(1))/nt_fw_key.crt                  \
 		--align 1024                                                                       \
-		--tb-fw                 $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2.bin                 \
-		--soc-fw                $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31.lzma               \
+		--tb-fw                 $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl2$(ENC_BL2).bin       \
+		--soc-fw                $(STAGING_DIR_IMAGE)/$(TCPLATFORM)-bl31$(ENC_BL31).lzma    \
 		--nt-fw                 $(WORK_PATH)-$(notdir $(1))/u-boot-ram.lzma                \
 		$(WORK_PATH)-$(notdir $(1))/preloader.bin
 
@@ -130,9 +171,9 @@ define Build/generate-rotpk-fuse
 	$(STAGING_DIR_IMAGE)/$(TCPLATFORM)-ecnt_efuse \
 		-s $(SECURE_BOOT_ROTPK_HASH_ALG) \
 		-r $(CERT_PATH)/rotpk_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG).bin \
-		-a $(SECURE_BOOT_ENC_ALG) \
-		-k $$(grep -E '^key *=[A-F0-9]+$$$$' $(SECURE_BOOT_ENC_KEY) | sed -e 's/^key *=//') \
-		-o $(CERT_PATH)/ecntefuse_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG)_$(SECURE_BOOT_ENC_ALG).bin
+		-a $(SECURE_BOOT_ENCRYPT_ALG) \
+		-k $(call ENC_AES_KEY) \
+		-o $(CERT_PATH)/ecntefuse_$(SECURE_BOOT_ROTPK_KEY_SIZE)_$(SECURE_BOOT_ROTPK_HASH_ALG)_$(SECURE_BOOT_ENCRYPT_ALG).bin
 
 	cp -rpT $(CERT_PATH) $(STAGING_DIR_IMAGE)/$$(UBOOT_TARGET)-secure_boot_keys_certs
 	rm -rf $(CERT_PATH)
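Review bot: The removed `-k` line validated the key as `^key *=[A-F0-9]+$` before it went into the efuse image; `$(call ENC_AES_KEY)` at L107 performs no such check, so an empty or malformed entry yields an empty or garbage `-k` argument and `ecnt_efuse` is run anyway — efuse content is one-time programmable, so a bad image that reaches a device is not recoverable. A precheck before the `ecnt_efuse` call such as `echo "$(call ENC_AES_KEY)" | grep -Eq '^[A-Fa-f0-9]{64}$$' || { echo "Invalid AES key in $(SECURE_BOOT_ENCRYPT_KEY)"; exit 1; }` (escaping adjusted for the surrounding define) would catch this. Note also that the precheck at L59–L60 now makes the encryption key file optional when `SECURE_BOOT_ENCRYPT` is empty, but this target still reads it unconditionally, so disabling encryption produces a fuse image with an empty key rather than a build error.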