diff --git a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c
index 179966e7fd..0d48b1fd4e 100644
--- a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c
+++ b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -315,6 +315,12 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo
 purpose == ESP_EFUSE_KEY_PURPOSE_HMAC_UP) {
 ESP_EFUSE_CHK(esp_efuse_set_key_dis_read(block));
 }
+#if SOC_EFUSE_ECDSA_USE_HARDWARE_K
+ if (purpose == ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY) {
+ // Permanently enable the hardware TRNG supplied k mode (most secure mode)
+ ESP_EFUSE_CHK(esp_efuse_write_field_bit(ESP_EFUSE_ECDSA_FORCE_USE_HARDWARE_K));
+ }
+#endif
 ESP_EFUSE_CHK(esp_efuse_set_key_purpose(block, purpose));
 ESP_EFUSE_CHK(esp_efuse_set_keypurpose_dis_write(block));
 return esp_efuse_batch_write_commit();
diff --git a/components/esp_system/startup.c b/components/esp_system/startup.c
index 3a96492503..51c4561d7e 100644
--- a/components/esp_system/startup.c
+++ b/components/esp_system/startup.c
@@ -27,6 +27,7 @@
 #include "esp_newlib.h"
 #include "esp_timer.h"
 #include "esp_efuse.h"
+#include "esp_efuse_table.h"
 #include "esp_flash_encrypt.h"
 #include "esp_secure_boot.h"
 #include "esp_xt_wdt.h"
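Review bot: The comment on the added `esp_efuse_write_field_bit(ESP_EFUSE_ECDSA_FORCE_USE_HARDWARE_K)` call in esp_efuse_write_key says only "most secure mode" and leaves out what a caller needs to know: the bit is burned once and cannot be cleared, and since the call takes no `block` argument it appears to be a chip-wide setting rather than a property of the key being written. I would expand it to something like `// One-time, irreversible: forces ECDSA to take the nonce k from the hardware TRNG, since a repeated or biased k exposes the private key`. The function's API documentation, which is outside this hunk, should also mention that writing an ECDSA key purpose burns this field as a side effect. The function body starts above the hunk, so how ESP_EFUSE_CHK unwinds the batch on failure is not visible here.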
@@ -348,6 +349,15 @@ static void do_core_init(void)
 esp_secure_boot_init_checks();
 #endif
+#if SOC_EFUSE_ECDSA_USE_HARDWARE_K
+ if (esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY, NULL)) {
+ // ECDSA key purpose block is present and hence permanently enable
+ // the hardware TRNG supplied k mode (most secure mode)
+ err = esp_efuse_write_field_bit(ESP_EFUSE_ECDSA_FORCE_USE_HARDWARE_K);
+ assert(err == ESP_OK && "Failed to enable ECDSA hardware k mode");
+ }
+#endif
+
 #if CONFIG_SECURE_DISABLE_ROM_DL_MODE
 err = esp_efuse_disable_rom_download_mode();
 assert(err == ESP_OK && "Failed to disable ROM download mode");
diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
index 1cde3e559f..79d8a0c6b0 100644
--- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
@@ -1079,6 +1079,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
 bool
 default y
+config SOC_EFUSE_ECDSA_USE_HARDWARE_K
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h
index cd260fbb24..0cbb73fbad 100644
--- a/components/soc/esp32h2/include/soc/soc_caps.h
+++ b/components/soc/esp32h2/include/soc/soc_caps.h
@@ -441,6 +441,7 @@
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
 #define SOC_EFUSE_DIS_ICACHE 1
 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES and ECDSA key purposes not supported for this block
+#define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
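Review bot: In do_core_init the result of burning `ESP_EFUSE_ECDSA_FORCE_USE_HARDWARE_K` is checked only with `assert`, so in a build where assertions are compiled out the write is still attempted but a failure goes unnoticed, and the device keeps booting without hardware-k enforcement. This mirrors the ROM download mode check visible just below it, but for a security fuse I would make the failure explicit, e.g. `if (err != ESP_OK) { abort(); }`. Since this runs on every boot, the comment should also state that the write is expected to be a no-op once the bit is set; presumably that is how esp_efuse_write_field_bit behaves, which is worth confirming. The function body starts and ends outside the hunk.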