diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 6ffbf68aac..1e698db89e 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -1070,6 +1070,22 @@ menu "Security features" DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL. endmenu # Potentially Insecure + config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART + bool "Encrypt only the app image that is present in the partition of type app" + depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED + default y + help + If set (default), optimise encryption time for the partition of type APP, + by only encrypting the app image that is present in the partition, + instead of the whole partition. + The image length used for encryption is derived from the image metadata, which + includes the size of the app image, checksum, hash and also the signature sector + when secure boot is enabled. + + If not set, the whole partition of type APP would be encrypted, + which increases the encryption time but might be useful if there + is any custom data appended to the firmware image. + config SECURE_FLASH_CHECK_ENC_EN_IN_APP bool "Check Flash Encryption enabled on app startup" depends on SECURE_FLASH_ENC_ENABLED diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 145fb23e6d..8bd1352b73 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c 
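Review bot: The help text for SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART presents the trade-off only as something that "might be useful" and never states the security consequence of the default: whatever lies in the APP partition after the verified image length stays in plaintext once first-boot encryption has run. I would add one sentence to the "If set (default)" paragraph, e.g. `Note that any data located after the app image in the partition is left unencrypted.` The statement that the metadata length covers the signature sector when secure boot is enabled is presumably taken from the image_len that esp_image_verify fills in; it is worth confirming against that code, since a mismatch would leave the signature sector outside the encrypted range and the help text would then be wrong.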
@@ -404,14 +404,21 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit { esp_err_t err; bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED); + uint32_t size = partition->pos.size; if (partition->type == PART_TYPE_APP) { /* check if the partition holds a valid unencrypted app */ - esp_image_metadata_t data_ignored; + esp_image_metadata_t image_data = {}; err = esp_image_verify(ESP_IMAGE_VERIFY, &partition->pos, - &data_ignored); + &image_data); should_encrypt = (err == ESP_OK); +#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART + if (should_encrypt) { + // Encrypt only the app image instead of encrypting the whole partition + size = image_data.image_len; + } +#endif } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA) || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) { /* check if we have ota data partition and the partition should be encrypted unconditionally */ @@ -422,9 +429,9 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit return ESP_OK; } else { /* should_encrypt */ - ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size); + ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size); - err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size); + err = esp_flash_encrypt_region(partition->pos.offset, size); ESP_LOGI(TAG, "Done encrypting"); if (err != ESP_OK) { ESP_LOGE(TAG, "Failed to encrypt partition %d", index); diff --git a/docs/en/migration-guides/release-5.x/5.3/index.rst b/docs/en/migration-guides/release-5.x/5.3/index.rst index eb01f88b11..c07bfca1c8 100644 --- a/docs/en/migration-guides/release-5.x/5.3/index.rst +++ b/docs/en/migration-guides/release-5.x/5.3/index.rst 
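Review bot: The `#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART` guard tests the bare Kconfig symbol, whereas the generated macro this project exposes to C carries the `CONFIG_` prefix (the migration guide in this same commit names it `CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART`), so unless something else defines the unprefixed name the block is compiled out and the new option is a silent no-op that still encrypts the whole partition. The guard should read `#ifdef CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART`. Separately, `size = image_data.image_len` is a plain byte count that need not be a multiple of the flash sector or encryption block size; whether esp_flash_encrypt_region rounds an unaligned length up is not visible in this hunk and is worth confirming before relying on it. A defensive clamp such as `if (image_data.image_len == 0 || image_data.image_len > partition->pos.size) { size = partition->pos.size; }` would keep a malformed length from zeroing or widening the encrypted range. encrypt_partition continues past the end of the hunk.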
@@ -7,5 +7,6 @@ Migration from 5.2 to 5.3 :maxdepth: 1 peripherals + security storage system diff --git a/docs/en/migration-guides/release-5.x/5.3/security.rst b/docs/en/migration-guides/release-5.x/5.3/security.rst new file mode 100644 index 0000000000..fcb1143db5 --- /dev/null +++ b/docs/en/migration-guides/release-5.x/5.3/security.rst @@ -0,0 +1,14 @@ +Security +======== + +:link_to_translation:`zh_CN:[中文]` + +.. only:: SOC_FLASH_ENC_SUPPORTED + + Platform security features + -------------------------- + + When flash encryption is enabled, encrypt only the app image that is present partition of type app, instead of encrypting the whole partition. This can help to optimize the encryption time required during the first boot. + + This could be configured using the config ``CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART``, which is enabled by default from ESP-IDF v5.3 + and is disabled for all earlier releases to avoid any breaking behaviour. diff --git a/docs/zh_CN/migration-guides/release-5.x/5.3/index.rst b/docs/zh_CN/migration-guides/release-5.x/5.3/index.rst index 50534a4be9..51af4fd001 100644 --- a/docs/zh_CN/migration-guides/release-5.x/5.3/index.rst +++ b/docs/zh_CN/migration-guides/release-5.x/5.3/index.rst @@ -7,5 +7,6 @@ :maxdepth: 1 peripherals + security storage system diff --git a/docs/zh_CN/migration-guides/release-5.x/5.3/security.rst b/docs/zh_CN/migration-guides/release-5.x/5.3/security.rst new file mode 100644 index 0000000000..2dd66a31bd --- /dev/null +++ b/docs/zh_CN/migration-guides/release-5.x/5.3/security.rst @@ -0,0 +1 @@ +.. include:: ../../../../en/migration-guides/release-5.x/5.3/security.rst