diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b3357c26b..d756b75cb 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3188,6 +3188,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 kay->macsec_capable = MACSEC_CAP_NOT_IMPLEMENTED;
 kay->macsec_desired = FALSE;
 kay->macsec_protect = FALSE;
+ kay->macsec_encrypt = FALSE;
 kay->macsec_validate = Disabled;
 kay->macsec_replay_protect = FALSE;
 kay->macsec_replay_window = 0;
@@ -3195,14 +3196,17 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 } else {
 kay->macsec_desired = TRUE;
 kay->macsec_protect = TRUE;
- kay->macsec_encrypt = policy == SHOULD_ENCRYPT;
+ if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF &&
+ policy == SHOULD_ENCRYPT) {
+ kay->macsec_encrypt = TRUE;
+ kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
+ } else { /* SHOULD_SECURE */
+ kay->macsec_encrypt = FALSE;
+ kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+ }
 kay->macsec_validate = Strict;
 kay->macsec_replay_protect = FALSE;
 kay->macsec_replay_window = 0;
- if (kay->macsec_capable >= MACSEC_CAP_INTEG_AND_CONF)
- kay->macsec_confidentiality = CONFIDENTIALITY_OFFSET_0;
- else
- kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 }
 wpa_printf(MSG_DEBUG, "KaY: state machine created");
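Review bot: In the second hunk the new `else` branch is labelled `/* SHOULD_SECURE */`, but it is also taken when `policy == SHOULD_ENCRYPT` and `kay->macsec_capable` is below `MACSEC_CAP_INTEG_AND_CONF`, so a configuration that asked for encryption silently falls back to integrity-only protection. Frames are then authenticated but not encrypted, and nothing in the visible lines reports the downgrade. I would reword the comment to `/* SHOULD_SECURE, or SHOULD_ENCRYPT without confidentiality capability */` and log the fallback inside that branch, e.g. `if (policy == SHOULD_ENCRYPT) wpa_printf(MSG_WARNING, "KaY: encryption requested but not supported; using integrity only");`. Whether the fallback should instead fail initialisation is a policy decision that depends on callers not shown here. ieee802_1x_kay_init starts and ends outside the hunk.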