diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index b0dc4881bb..aa09d41d1c 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -320,6 +320,11 @@ menu "Security features" select MBEDTLS_ECDSA_C depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE + config SECURE_TARGET_HAS_SECURE_ROM_DL_MODE + bool + default y + depends on IDF_TARGET_ESP32S2 + config SECURE_SIGNED_APPS_NO_SECURE_BOOT bool "Require signed app images" @@ -587,7 +592,7 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_MODE_RELEASE bool "Release" - select SECURE_ENABLE_SECURE_ROM_DL_MODE + select SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE endchoice @@ -719,7 +724,7 @@ menu "Security features" config SECURE_ENABLE_SECURE_ROM_DL_MODE bool "Permanently switch to ROM UART Secure Download mode" - depends on IDF_TARGET_ESP32S2 && !SECURE_DISABLE_ROM_DL_MODE + depends on SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_DISABLE_ROM_DL_MODE help If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM Download Mode into a separate Secure Download mode. This option can only work if diff --git a/components/esp_system/startup.c b/components/esp_system/startup.c index 05d74b6470..d1c8f06c18 100644 --- a/components/esp_system/startup.c +++ b/components/esp_system/startup.c @@ -229,6 +229,8 @@ static void IRAM_ATTR do_core_init(void) esp_flash_encryption_init_checks(); #endif + esp_err_t err; + #if CONFIG_SECURE_DISABLE_ROM_DL_MODE err = esp_efuse_disable_rom_download_mode(); assert(err == ESP_OK && "Failed to disable ROM download mode"); @@ -243,8 +245,6 @@ static void IRAM_ATTR do_core_init(void) esp_efuse_disable_basic_rom_console(); #endif - esp_err_t err; - esp_timer_init(); esp_set_time_from_rtc(); 
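Review bot: The hidden symbol `SECURE_TARGET_HAS_SECURE_ROM_DL_MODE` added in the first Kconfig.projbuild hunk has no prompt and no help, so nothing tells a maintainer that it is a per-target capability flag rather than a user option. A comment above it would make that explicit, for example `# Hidden: y on targets whose ROM implements UART Secure Download mode; extend the depends line for new targets`. The target list is security-relevant, because the Release-mode `select` in the next hunk does nothing wherever this symbol is off.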
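Review bot: The conditional `select` under `SECURE_FLASH_ENCRYPTION_MODE_RELEASE` (second Kconfig.projbuild hunk) still bypasses the `!SECURE_DISABLE_ROM_DL_MODE` dependency that `SECURE_ENABLE_SECURE_ROM_DL_MODE` declares in the third hunk, because `select` forces a symbol on without evaluating its `depends on`. If a Release build can also set `SECURE_DISABLE_ROM_DL_MODE` (its definition is outside this diff), both options end up enabled and Kconfig reports an unmet dependency. Carrying the condition into the select avoids that: `select SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_DISABLE_ROM_DL_MODE`. As far as this diff shows, Release mode on targets without the capability now leaves UART download mode unchanged, which the help text of the Release choice should state.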
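Review bot: The eFuse burn result in `do_core_init` is checked only by `assert(err == ESP_OK && "Failed to disable ROM download mode")`, so a build with assertions compiled out keeps booting after a failed `esp_efuse_disable_rom_download_mode()`. For a one-way security setting the failure should stop startup whatever the assertion level, e.g. `if (err != ESP_OK) { abort(); }` directly after the call. The hoisted `esp_err_t err;` is also declared when neither ROM download option is configured. Whether it is still used later cannot be seen here, because the body of `do_core_init` starts and ends outside the hunk.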
diff --git a/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release
new file mode 100644
index 0000000000..47e4a657c6
--- /dev/null
+++ b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release
@@ -0,0 +1,2 @@
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
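Review bot: This CI config builds only the Release path, so the `CONFIG_SECURE_DISABLE_ROM_DL_MODE` branch in `startup.c`, where `err` was assigned before its declaration, is not compiled by any config added in this commit. A second file containing `CONFIG_SECURE_DISABLE_ROM_DL_MODE=y` (plus whatever that option depends on, which is not visible here) would cover that branch. The diff also does not show which targets the build test runs against, and the Release `select` only takes effect where `SECURE_TARGET_HAS_SECURE_ROM_DL_MODE` is set.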