diff --git a/components/protocomm/include/transports/protocomm_ble.h b/components/protocomm/include/transports/protocomm_ble.h
index 700dc2e3e3b..085767625ea 100644
--- a/components/protocomm/include/transports/protocomm_ble.h
+++ b/components/protocomm/include/transports/protocomm_ble.h
@@ -103,6 +103,11 @@ typedef struct protocomm_ble_config {
 */
 unsigned ble_sm_sc:1;
+ /**
+ * BLE security flag
+ */
+ unsigned ble_link_encryption:1;
+
 } protocomm_ble_config_t;
 /**
diff --git a/components/protocomm/src/transports/protocomm_ble.c b/components/protocomm/src/transports/protocomm_ble.c
index 2c903ffa832..90f18cc7c0d 100644
--- a/components/protocomm/src/transports/protocomm_ble.c
+++ b/components/protocomm/src/transports/protocomm_ble.c
@@ -63,6 +63,7 @@ typedef struct _protocomm_ble {
 ssize_t g_nu_lookup_count;
 uint16_t gatt_mtu;
 uint8_t *service_uuid;
+ unsigned ble_link_encryption:1;
 } _protocomm_ble_internal_t;
 static _protocomm_ble_internal_t *protoble_internal;
@@ -435,9 +436,9 @@ static ssize_t populate_gatt_db(esp_gatts_attr_db_t **gatt_db_generated)
 } else if (i % 3 == 2) {
 /* Characteristic Value */
 (*gatt_db_generated)[i].att_desc.perm = ESP_GATT_PERM_READ | ESP_GATT_PERM_WRITE ;
-#if CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION
- (*gatt_db_generated)[i].att_desc.perm |= ESP_GATT_PERM_READ_ENCRYPTED | ESP_GATT_PERM_WRITE_ENCRYPTED;
-#endif
+ if (protoble_internal->ble_link_encryption) {
+ (*gatt_db_generated)[i].att_desc.perm |= ESP_GATT_PERM_READ_ENCRYPTED | ESP_GATT_PERM_WRITE_ENCRYPTED;
+ }
 (*gatt_db_generated)[i].att_desc.uuid_length = ESP_UUID_LEN_128;
 (*gatt_db_generated)[i].att_desc.uuid_p = protoble_internal->g_nu_lookup[i / 3].uuid128;
 (*gatt_db_generated)[i].att_desc.max_length = CHAR_VAL_LEN_MAX;
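Review bot: The doc comment on the new `ble_link_encryption` field of `protocomm_ble_config_t` (protocomm_ble.h, hunk at -103) says only "BLE security flag", which does not tell a caller what setting it does or what leaving it at zero means. Going by the other hunks in this diff, the bit adds the encrypted read and write permissions to each characteristic value, and a clear bit leaves them accessible over an unencrypted link. I would state that in the header, e.g. `/** BLE link encryption flag: when set, characteristic reads and writes require an encrypted link; when clear, they are permitted without one */`. The struct definition starts before this hunk.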
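Review bot: In `populate_gatt_db` (protocomm_ble.c, hunk at -435) the encrypted permissions now depend only on the runtime bit, so a build with `CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION` enabled no longer gets them unless the caller's config sets `ble_link_encryption`; the same holds for `ble_gatt_add_characteristics` in protocomm_nimble.c (hunk at -665). Within this diff only `prov_start` in scheme_ble.c maps the Kconfig option onto the flag, so any other caller of `protocomm_ble_start` that leaves the bit at zero would presumably end up with characteristics that no longer demand an encrypted link, with nothing at build or run time pointing it out. If that decoupling is intended it should be recorded where the decision is made, for instance `/* Encryption is opt-in via protocomm_ble_config_t; CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION is applied by scheme_ble.c only */` above the new `if`, and in the commit description. The enclosing function starts and ends outside the hunk.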
@@ -538,6 +539,7 @@ esp_err_t protocomm_ble_start(protocomm_t *pc, const protocomm_ble_config_t *con
 pc->remove_endpoint = protocomm_ble_remove_endpoint;
 protoble_internal->pc_ble = pc;
 protoble_internal->gatt_mtu = ESP_GATT_DEF_BLE_MTU_SIZE;
+ protoble_internal->ble_link_encryption = config->ble_link_encryption;
 // Config adv data
 adv_config.service_uuid_len = ESP_UUID_LEN_128;
diff --git a/components/protocomm/src/transports/protocomm_nimble.c b/components/protocomm/src/transports/protocomm_nimble.c
index d8f9e2f91c7..d92b98a13b4 100644
--- a/components/protocomm/src/transports/protocomm_nimble.c
+++ b/components/protocomm/src/transports/protocomm_nimble.c
@@ -68,6 +68,7 @@ typedef struct _protocomm_ble {
 protocomm_ble_name_uuid_t *g_nu_lookup;
 ssize_t g_nu_lookup_count;
 uint16_t gatt_mtu;
+ unsigned ble_link_encryption:1;
 } _protocomm_ble_internal_t;
 static _protocomm_ble_internal_t *protoble_internal;
@@ -127,6 +128,8 @@ typedef struct {
 unsigned ble_bonding:1;
 /** BLE Secure Connection flag */
 unsigned ble_sm_sc:1;
+ /** BLE Link Encryption flag */
+ unsigned ble_link_encryption:1;
 } simple_ble_cfg_t;
 static simple_ble_cfg_t *ble_cfg_p;
@@ -665,10 +668,10 @@ ble_gatt_add_characteristics(struct ble_gatt_chr_def *characteristics, int idx)
 (characteristics + idx)->flags = BLE_GATT_CHR_F_READ | BLE_GATT_CHR_F_WRITE ;
-#if defined(CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION)
- (characteristics + idx)->flags |= BLE_GATT_CHR_F_READ_ENC |
- BLE_GATT_CHR_F_WRITE_ENC;
-#endif
+ if (protoble_internal->ble_link_encryption) {
+ (characteristics + idx)->flags |= BLE_GATT_CHR_F_READ_ENC |
+ BLE_GATT_CHR_F_WRITE_ENC;
+ }
 (characteristics + idx)->access_cb = gatt_svr_chr_access;
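Review bot: The `ble_link_encryption` bit added to `simple_ble_cfg_t` (protocomm_nimble.c, hunk at -127) is neither assigned nor read in any hunk of this diff: `ble_gatt_add_characteristics` tests `protoble_internal->ble_link_encryption`, and `protocomm_ble_start` copies the config value only into `protoble_internal`. Unless code outside these hunks sets it, the field stays at the zero that `calloc` gives it and becomes a second, always-clear copy of a security setting that a later change could read by mistake. Either drop the field or populate it alongside the other flags with `ble_config->ble_link_encryption = config->ble_link_encryption;` and read a single copy consistently.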
@@ -921,6 +924,7 @@ esp_err_t protocomm_ble_start(protocomm_t *pc, const protocomm_ble_config_t *con
 pc->remove_endpoint = protocomm_ble_remove_endpoint;
 protoble_internal->pc_ble = pc;
 protoble_internal->gatt_mtu = BLE_ATT_MTU_DFLT;
+ protoble_internal->ble_link_encryption = config->ble_link_encryption;
 simple_ble_cfg_t *ble_config = (simple_ble_cfg_t *) calloc(1, sizeof(simple_ble_cfg_t));
 if (ble_config == NULL) {
diff --git a/components/wifi_provisioning/src/scheme_ble.c b/components/wifi_provisioning/src/scheme_ble.c
index 4714a774368..88e1724e08c 100644
--- a/components/wifi_provisioning/src/scheme_ble.c
+++ b/components/wifi_provisioning/src/scheme_ble.c
@@ -38,14 +38,17 @@ static esp_err_t prov_start(protocomm_t *pc, void *config)
 protocomm_ble_config_t *ble_config = (protocomm_ble_config_t *) config;
- #if defined(CONFIG_WIFI_PROV_BLE_BONDING)
+#if defined(CONFIG_WIFI_PROV_BLE_BONDING)
 ble_config->ble_bonding = 1;
- #endif
+#endif
- #if defined(CONFIG_WIFI_PROV_BLE_SEC_CONN) || defined(CONFIG_BT_BLUEDROID_ENABLED)
- ble_config->ble_sm_sc = 1;
- #endif
+#if defined(CONFIG_WIFI_PROV_BLE_SEC_CONN) || defined(CONFIG_BT_BLUEDROID_ENABLED)
+ ble_config->ble_sm_sc = 1;
+#endif
+#if defined(CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION)
+ ble_config->ble_link_encryption = 1;
+#endif
 /* Start protocomm as BLE service */
 if (protocomm_ble_start(pc, ble_config) != ESP_OK) {
 ESP_LOGE(TAG, "Failed to start protocomm BLE service");