diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 8b9ca60cd1..f4fd7e783d 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -78,19 +78,12 @@ static esp_err_t initialise_flash_encryption(void)
 && REG_READ(EFUSE_BLK1_RDATA5_REG) == 0
 && REG_READ(EFUSE_BLK1_RDATA6_REG) == 0
 && REG_READ(EFUSE_BLK1_RDATA7_REG) == 0) {
- ESP_LOGI(TAG, "Generating new flash encryption key...");
- uint32_t buf[8];
- bootloader_fill_random(buf, sizeof(buf));
- for (int i = 0; i < 8; i++) {
- ESP_LOGV(TAG, "EFUSE_BLK1_WDATA%d_REG = 0x%08x", i, buf[i]);
- REG_WRITE(EFUSE_BLK1_WDATA0_REG + 4*i, buf[i]);
- }
- bzero(buf, sizeof(buf));
- esp_efuse_burn_new_values();
- ESP_LOGI(TAG, "Read & write protecting new key...");
- REG_WRITE(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_BLK1 | EFUSE_RD_DIS_BLK1);
- esp_efuse_burn_new_values();
+ /* On-device key generation is temporarily disabled, until
+ * RNG operation during bootloader is qualified.
+ * See docs/security/flash-encryption.rst for details. */
+ ESP_LOGE(TAG, "On-device key generation is not yet available.");
+ return ESP_ERR_NOT_SUPPORTED;
 } else {
 if(!(efuse_key_read_protected && efuse_key_write_protected)) {
diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index 0230e85ad5..c5ae1f19ea 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
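Review bot: With the new early return, the all-zero test on EFUSE_BLK1_RDATA0..7 is the only thing that decides "no key present", and the conditions preceding the three visible `&&` terms are outside the hunk; if they do not already exclude a read-protected BLK1, a host-burned key that has been read-protected (which, if I recall the ESP32 eFuse controller correctly, reads back as zeros through the RDATA registers) would now be reported as "not yet available" instead of being accepted as a pre-loaded key, so the branch should be gated on `!efuse_key_read_protected` (the flag the else branch already consults) if that is not done above. The error text should also tell the developer what to do, since the docs change in this commit makes a host-generated key the only supported path for now: `ESP_LOGE(TAG, "On-device key generation is not yet available. Burn a pre-calculated key into EFUSE BLK1 first (see docs/security/flash-encryption.rst)");`. Whether the caller of initialise_flash_encryption treats ESP_ERR_NOT_SUPPORTED as a hard stop before flash encryption is actually enabled is not visible here; it must, or encryption could be switched on with an all-zero key. initialise_flash_encryption begins before the hunk and continues after it.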
@@ -130,21 +130,12 @@ esp_err_t esp_secure_boot_permanently_enable(void) {
 && REG_READ(EFUSE_BLK2_RDATA5_REG) == 0
 && REG_READ(EFUSE_BLK2_RDATA6_REG) == 0
 && REG_READ(EFUSE_BLK2_RDATA7_REG) == 0) {
- ESP_LOGI(TAG, "Generating new secure boot key...");
- uint32_t buf[8];
- bootloader_fill_random(buf, sizeof(buf));
- for (int i = 0; i < 8; i++) {
- ESP_LOGV(TAG, "EFUSE_BLK2_WDATA%d_REG = 0x%08x", i, buf[i]);
- REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4*i, buf[i]);
- }
- bzero(buf, sizeof(buf));
- burn_efuses();
- ESP_LOGI(TAG, "Read & write protecting new key...");
- REG_WRITE(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_BLK2 | EFUSE_RD_DIS_BLK2);
- burn_efuses();
- efuse_key_read_protected = true;
- efuse_key_write_protected = true;
+ /* On-device key generation is temporarily disabled, until
+ * RNG operation during bootloader is qualified.
+ * See docs/security/secure-boot.rst for details. */
+ ESP_LOGE(TAG, "On-device key generation is not yet available.");
+ return ESP_ERR_NOT_SUPPORTED;
 } else {
 ESP_LOGW(TAG, "Using pre-loaded secure boot key in EFUSE block 2");
 }
diff --git a/docs/security/flash-encryption.rst b/docs/security/flash-encryption.rst
index 298a0a75bf..b73d8a9ad3 100644
--- a/docs/security/flash-encryption.rst
+++ b/docs/security/flash-encryption.rst
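Review bot: The pre-loaded-key branch at the end of the hunk only logs "Using pre-loaded secure boot key in EFUSE block 2", whereas the matching branch in flash_encrypt.c in this same commit checks `efuse_key_read_protected && efuse_key_write_protected`; if no such check follows below this hunk, a host-burned BLK2 key left readable or writable is accepted silently, which defeats the purpose of the secure boot digest. Suggest mirroring the flash-encryption check, e.g. `if (!(efuse_key_read_protected && efuse_key_write_protected)) { ESP_LOGE(TAG, "Pre-loaded secure boot key in EFUSE block 2 must be read & write protected"); return ESP_ERR_INVALID_STATE; }`, unless that is already enforced further down. The same zero-read question as in flash_encrypt.c applies: if the conditions above the visible `&&` terms do not exclude a read-protected BLK2, a protected pre-loaded key could be misread as absent and hit the new ESP_ERR_NOT_SUPPORTED return. The caller of esp_secure_boot_permanently_enable is not visible here and must treat that return as an abort before any secure-boot eFuse is burned. esp_secure_boot_permanently_enable starts before the hunk and continues after it.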
@@ -7,6 +7,9 @@ Flash Encryption is separate from the `Secure Boot` feature, and you can use fla
 **IMPORTANT: Enabling flash encryption limits your options for further updates of your ESP32. Make sure to read this document (including `Limitations of Flash Encryption` and understand the implications of enabling flash encryption.**
+**IMPORTANT: Flash Encryption feature is currently enabled for development use only, with a key generated on the host. The recommended production configuration, where the flash encryption key is generated by the device on first boot, is currently disabled while final testing is done. This documentation refers to flash encryption keys being generated on first boot, however for now it is necessary to follow the additional steps shown under `Precalculated Flash Encryption Key`.**
+
+
 Background
 ----------
diff --git a/docs/security/secure-boot.rst b/docs/security/secure-boot.rst
index ef969538b9..65b6bab48f 100644
--- a/docs/security/secure-boot.rst
+++ b/docs/security/secure-boot.rst
@@ -5,7 +5,7 @@ Secure Boot is a feature for ensuring only your code can run on the chip. Data l
 Secure Boot is separate from the `Flash Encryption` feature, and you can use secure boot without encrypting the flash contents. However we recommend using both features together for a secure environment.
-**IMPORTANT: As Encrypted Flash feature and related security features are not yet released, Secure Boot should not be considered sufficient for a secure device and we strongly recommend not enabling the one-time secure bootloader feature until it is mature.**
+**IMPORTANT: Secure Boot feature is currently enabled for development use only, with a key generated on the host. The recommended production configuration, where the secure boot key is generated by the device on first boot, is currently disabled while final testing is done. This documentation refers to "One-Time Flashable" mode (where keys are generated on the device), but for now only the `Re-Flashable Software Bootloader` mode is available.**
 Background
 ----------