diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 5af223c0ad..d494cb0559 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -168,12 +168,17 @@ menu "Potentially insecure options"
 
 config SECURE_BOOT_ALLOW_ROM_BASIC
        bool "Leave ROM BASIC Interpreter available on reset"
-       depends on SECURE_BOOT_INSECURE
+       depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
        default N
        help
-          If not set (default), bootloader permanently disables ROM BASIC (on UART console) as a fallback if the bootloader image becomes invalid. This happens on first boot.
+          By default, the BASIC ROM Console starts on reset if no valid bootloader is
+          read from the flash.
 
-          Only set this option in testing environments.
+          When either flash encryption or secure boot are enabled, the default is to
+          disable this BASIC fallback mode permanently via efuse.
+
+          If this option is set, this efuse is not burned and the BASIC ROM Console may
+          remain accessible.  Only set this option in testing environments.
 
 config SECURE_BOOT_ALLOW_JTAG
        bool "Allow JTAG Debugging"
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index eff15b7ca4..290a02a911 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -139,6 +139,12 @@ static esp_err_t initialise_flash_encryption(void)
 #else
     ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
 #endif
+#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
+    ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
+    new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
+#else
+    ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
+#endif
 
     if (new_wdata6 != 0) {
         REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);