diff --git a/share/sysbuild/image_configurations/MAIN_image_default.cmake b/share/sysbuild/image_configurations/MAIN_image_default.cmake
index a6bd72d7d1a..a2ae840ef97 100644
--- a/share/sysbuild/image_configurations/MAIN_image_default.cmake
+++ b/share/sysbuild/image_configurations/MAIN_image_default.cmake
@@ -9,6 +9,9 @@ set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOTLOADER_MCUBOOT "${SB_CONFIG_BOO
 set_config_string(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_SIGNATURE_KEY_FILE
                   "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}"
 )
+set_config_string(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE
+                  "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}"
+)
 
 if(SB_CONFIG_BOOTLOADER_MCUBOOT)
   if("${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
diff --git a/share/sysbuild/images/bootloader/CMakeLists.txt b/share/sysbuild/images/bootloader/CMakeLists.txt
index c00a8e97783..2a0f12f958d 100644
--- a/share/sysbuild/images/bootloader/CMakeLists.txt
+++ b/share/sysbuild/images/bootloader/CMakeLists.txt
@@ -15,4 +15,8 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
   sysbuild_add_dependencies(FLASH ${DEFAULT_IMAGE} ${image})
 
   set_config_string(${image} CONFIG_BOOT_SIGNATURE_KEY_FILE "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
+  set_config_bool(${image} CONFIG_BOOT_ENCRYPT_IMAGE "${SB_CONFIG_BOOT_ENCRYPTION}")
+  if(SB_CONFIG_BOOT_ENCRYPTION)
+    set_config_string(${image} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
+  endif()
 endif()
diff --git a/share/sysbuild/images/bootloader/Kconfig b/share/sysbuild/images/bootloader/Kconfig
index 19924a6ca18..e8c788f72c5 100644
--- a/share/sysbuild/images/bootloader/Kconfig
+++ b/share/sysbuild/images/bootloader/Kconfig
@@ -56,12 +56,28 @@ config BOOT_SIGNATURE_TYPE_ED25519
 endchoice
 
 config BOOT_SIGNATURE_KEY_FILE
-	string "PEM key file"
+	string "Signing PEM key file"
 	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
 	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
 	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA
 	default ""
 	help
-	  Absolute path to key file to use with MCUBoot.
+	  Absolute path to signing key file to use with MCUBoot.
+
+config BOOT_ENCRYPTION
+	bool "Encrypted image support"
+	depends on !BOOT_SIGNATURE_TYPE_NONE
+	help
+	  Support encrypted images.
+
+config BOOT_ENCRYPTION_KEY_FILE
+	string "Encryption PEM key file"
+	depends on BOOT_ENCRYPTION
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/enc-ec256-priv.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/enc-x25519-priv.pem" if BOOT_SIGNATURE_TYPE_ED25519
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/enc-rsa2048-priv.pem" if BOOT_SIGNATURE_TYPE_RSA
+	default ""
+	help
+	  Absolute path to encryption key file to use with MCUBoot.
 
 endif