diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index fdd30c9223..19e5108f85 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1058,7 +1058,7 @@ menu "Security features"
 endmenu # Potentially Insecure
 config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
- bool "Encrypt only the app image that is present in the partition of type app"
+ bool "Encrypt contents upto app image length in app partition"
 depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 default y
 help
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 99b2fbd45e..aa1d738a9f 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -225,6 +225,23 @@ typedef struct {
 uint8_t signature[64];
 } esp_secure_boot_sig_block_t;
+/** @brief Get the size of the secure boot signature block
+ *
+ * This is the size of the signature block appended to a signed image.
+ *
+ * @return Size of the secure boot signature block in bytes
+ */
+static inline uint32_t esp_secure_boot_sig_block_size()
+{
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ return sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+ return sizeof(esp_secure_boot_sig_block_t);
+#else
+ return 0;
+#endif
+}
+
 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
 *
 * Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
index 3b6acf0048..6d3ca7bc8c 100644
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
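Review bot: `esp_secure_boot_sig_block_size()` in esp_secure_boot.h is declared with an empty parameter list, which in C before C23 is not a prototype; `static inline uint32_t esp_secure_boot_sig_block_size(void)` avoids a `-Wstrict-prototypes` warning in any C build that enables it. The branches also return sizes of different kinds: for the RSA and ECDSA V2 schemes the result is `sizeof(ets_secure_boot_signature_t)`, which as far as I know is the whole padded signature sector rather than one block, so the doc comment should state what a caller gets per scheme and that 0 means no signing scheme is configured. The mix of `#if CONFIG_… || CONFIG_…` and `#elif defined(CONFIG_…)` is harmless but would read better in one form.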
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -428,6 +428,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
 if (partition->type == PART_TYPE_APP && should_encrypt) {
 // Encrypt only the app image instead of encrypting the whole partition
 size = image_data.image_len;
+#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+ // If secure update without secure boot, also encrypt the signature block
+ size += esp_secure_boot_sig_block_size();
+#endif
 }
 #endif
 } else if (partition->type == PART_TYPE_PARTITION_TABLE) {
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
index 9a73e10e26..dedbc9b8da 100644
--- a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
+++ b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Unlicense OR CC0-1.0
+
 import pytest
 from pytest_embedded import Dut
 from pytest_embedded_idf.utils import idf_parametrize
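Review bot: The new `size += esp_secure_boot_sig_block_size();` in `encrypt_partition()` has no upper bound within this hunk, so for an image that nearly fills its slot, or for an unsigned image (the existing test in this commit expects the "This app is not signed" message under this configuration), the encrypted range covers bytes that are not a signature and may extend past the partition end. A clamp such as `if (size > partition->pos.size) { size = partition->pos.size; }` keeps the range inside the slot. The function starts and ends outside the hunk, so a later check may already cover this. The comment should also say where the signature block is expected to sit relative to `image_len`, because if the signing step pads the image before appending the block, covering it depends on how the encryption routine rounds the length.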
@@ -9,6 +10,14 @@ from pytest_embedded_idf.utils import idf_parametrize
 @idf_parametrize('target', ['esp32c2', 'esp32c3'], indirect=['target'])
 def test_examples_security_on_update_no_secure_boot(dut: Dut) -> None:
 dut.expect(
- "This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.",
+ "This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.", # noqa : E501
 timeout=10,
 )
+
+
+@pytest.mark.host_test
+@pytest.mark.qemu
+@pytest.mark.parametrize('config', ['secure_update_with_fe'], indirect=True)
+@idf_parametrize('target', ['esp32c3'], indirect=['target'])
+def test_examples_secure_update_with_fe_qemu(dut: Dut) -> None:
+ dut.expect('Example for secured signed with no secure boot', timeout=60)
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe
new file mode 100644
index 0000000000..8bddc8f2eb
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe
@@ -0,0 +1,4 @@
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
+CONFIG_PARTITION_TABLE_OFFSET=0xc000
+CONFIG_NVS_ENCRYPTION=n
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem b/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem
new file mode 100644
index 0000000000..b69b91c5c3
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem
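Review bot: `test_examples_secure_update_with_fe_qemu` waits only for the banner `'Example for secured signed with no secure boot'`, so unless the app fails to boot in that case it passes whether or not the signature block was encrypted together with the image. The other test in this file matches the "This app is not signed…" line, so the new test should at least assert that this line does not appear on the signed, flash-encrypted build, or expect whatever line the app prints when it finds a valid signature. Separately, `# noqa : E501` has a space before the colon; flake8 expects `# noqa: E501`, and I believe the spaced form is treated as a blanket `# noqa` for that line.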
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEA5sRBdVlob0RWwRsBYrGrMmdhIbam45boFbD/1skxb7lRhJjE +pStZ5DVhtQWVAsqTKkY/QH0zzRBBSfdnsneBAc3yFBTBrMPBQitOvg2UK5rx3jJ2 +dD3hpFG5QZPzmB48ZBmsnmMILLgSMwraAPwkbA4qU2TAeCkAE5WVH3w2m1n95sze +gbxZamLbaPj5DedT5yqIjWK4NecTlr7VXFTXWzzAfb+hQtzBN1RmemvbhCgSksAS +4huoLAZ6iwpEyuACj4pNmFMyQJQ4PPr54mUkL+btMSTbkOZdMbIrXR/FePvFU/Ug +zu9u3QvGm/u2tmpp2Lo/hDgJOhcS4bQjLk7R6Ynq+pi6zQuqpRSCoMEuSzth+yQr +rMCox8lvHgALpc/G8ZbI1bZN0UybmqBBQ5p5FVf9xfNwnt/tuyFV4QDjaRrCcJ1y +FTrMG/+aSM8de4TuxWC3dImfCrVQf/ncB+Y5rL+h3lo9Viozd+bBy79jACjpkwbY +o9GINr26F3GcK/ShAgMBAAECggGADvNsIkQ2pe7RiBVN060bIFreSibhTSF7y9v5 +11qVn11sUKDtLJ5QZp6mw+mmq9WgDz8Z3f2+m2yQLlCfIUroyssjAfYOTjkojjbs +FRggH2scfH7cec+AjPrWe88wGwzqcLnRGznjT7JlS3VKhoHPgkiwqVJ/vck6PgqU +7MNJbms4Lfnb+J/RUzkwae6nhCUWpIV272IT+ToNZNjcTe0ZPsoC1qLRudk/k2we +b5QJVtiZy3QyRP/xt1h8HAIATvyQTmcdubE3cC0waEINI1jJdGJwJQ66LPJpx5ov +s+ldjDdkJi/E8fNrnrn/WIWKwAXctg8VaIHj++WVJ0f9hmZ/bBNRJbFh4LpVKRY5 +oU1XCC9b2edbQbhWLsG19E0XJ+c5i8UY8uIH6DC9QCK28I/eYxA1RoDUt1st06CW +hZT3INFqQ+1mbbff3pm0+kDNxne/PhR7bNApzF/3Fa33v9d0iEfKviEUhCtM4rzD +SVMGTGOAXuAS5RCBAYzTEPrp8UCBAoHBAPluD2o33eEQ5MOm9WoTYLFKKLS/l91B +wHmwY9m53YiMBxLgYrJ9oQOTEApAY5B4G1BxidvhehAMd51iK03W/YkZhy3ZhUTJ +DC29upFPCsS1On1kUC9doyuSgILt3zLZVW98RX6PM7LCLR+jSJPYJQ13xlBRe2Dc +pHpkr0vwtUR35D1EKV2cXFJZLDzj1xAIFNqiv6591J7xzehzBEyP56lar/oeqsvv +w7SWsU4rF6E8Os3gvlTRV5QgnBZEUTTZaQKBwQDs2Fio7NYofSQeI5Q+FPDiV4U1 +rkOZzXJFsf6dQl3GaqgXmuJsfYbRDcAvSBcfo6RFu+ZHEa0U9yEQKK4OSeXTrD8U +0wLCfVmlzQf/l0Iutxv1qGTkB0NnZ7nKCSmdoGErXWTVdz4pHPmU6nUNZ3ih02oP +2nA6CjVtsJVUGWwi6k8bX2mRvLpmjjfJP82EmRXbkKh4xseddWd7Xf/G9hJcXaXt +piE8dmyBQP1u2WluffDT1VNGt3k5O8TIvqlfYnkCgcEA66MfKvB2S35jL7bV2A1Q +ZoyxoffyZxML26pY2kKt16a5tAqJEyh96VuQZq7noH7nBvsMCs6bOvgcNHGeiV3W +jSOxwg3hydbJC5lW3Jm4iZbQF8+htO2YDbzMbWR9XJNXFAhpuqNcar7oVCA0m38x +meSSVCR2E06+j+X4eRyAkptU4tA25/mkeiNGGIwCC2InGVlxDk5PhIzZQoUOBapZ +Z3OGFhvMrPbogv1tqXQqUacNwptUE9rlCso3yw1lTjEpAoHBAJ2CQ3QUDVhf4OUq 
+RCwFQS1FhxFsEwj12EkBVpK+0B5kT+Vi27HKyR2+R1EqYDZqXZUCoOIinziSISrd +4uMdwfpDUrBGpE8zjar175vKu/jVTYLRukbrjaf3E1eJQGPThMuSELzl0DEHU/P0 ++GMxrMfyEVb5rijrIR0Rkj2bqo6NxI4vpcWF/XC2o+Lyy3qjVCXwzhmEGLxel7Mz +kCaA/zTuEqs5EGFlYEOVNPXDIJqaps450Gf3HGczmGroYTtOAQKBwCzmQn+pONYM +zg8FGbRafACNucw4vuiVgMvWtREgZuGFyQ9UKiaPLjvQl6xR/1jZXA0nD8ApjZwK +KOoKgzZD1XfiGjpuA6Ift2UuPDdq4NnI8orPfFCZRXmqBFzpByFx7XZLtKEtYm5w +r4WHCqQMLSYufS77FClcuWOfyx08iaqONLNQLLps1HJ0ydCPWKObhL+iKlzapEMh +6aAMN/0YR2Fw3+5Cz4Zsn+pe/N6/rqoCVMxS5vsgbmIAZ6537ENMwA== +-----END RSA PRIVATE KEY-----
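Review bot: secure_boot_signing_key.pem adds an RSA private key to the repository, so the key is public from this commit on and a signature made with it says nothing about where an image came from. Nothing in the visible hunks marks it as test-only; a short note beside it, for example a README line `secure_boot_signing_key.pem is a CI test key and must never sign release firmware`, would make that explicit for anyone copying this test app as a template. If the repository runs secret scanning, this path probably needs an allowlist entry so the finding is triaged once rather than on every scan.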