diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 4579fd41c9..38f5aa2ec9 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -811,6 +811,10 @@ menu "Security features" Release mode should always be selected for production or manufacturing. Once enabled it's no longer possible for the device in ROM Download Mode to use the flash encryption hardware. + When EFUSE_VIRTUAL is enabled, SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not available. + For CI tests we use IDF_CI_BUILD to bypass it ("export IDF_CI_BUILD=1"). + We do not recommend bypassing it for other purposes. + Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details. config SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT @@ -820,6 +824,7 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_MODE_RELEASE bool "Release" select PARTITION_TABLE_MD5 if !APP_COMPATIBLE_PRE_V3_1_BOOTLOADERS + depends on !EFUSE_VIRTUAL || IDF_CI_BUILD endchoice diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 8ff0e27a3d..d8f426e158 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -313,6 +313,10 @@ esp_err_t esp_flash_encrypt_enable(void) ESP_LOGI(TAG, "Flash encryption completed"); +#if CONFIG_EFUSE_VIRTUAL + ESP_LOGW(TAG, "Flash encryption not really completed. Must disable virtual efuses"); +#endif + return err; } diff --git a/components/efuse/Kconfig b/components/efuse/Kconfig index 744b359869..3e186556d2 100644 --- a/components/efuse/Kconfig +++ b/components/efuse/Kconfig 
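Review bot: The new `depends on !EFUSE_VIRTUAL || IDF_CI_BUILD` on SECURE_FLASH_ENCRYPTION_MODE_RELEASE (components/bootloader/Kconfig.projbuild) has no explanation at the symbol itself; the reason for the CI exception is given only in the help text of the development option above it. I would add a comment directly above the line, for example `# EFUSE_VIRTUAL never burns eFuses, so Release mode would give no real protection; IDF_CI_BUILD is a CI-only bypass`. Placing `depends on` before the `select` line would also follow the usual Kconfig ordering. Where IDF_CI_BUILD is defined is not visible in this diff; if it is taken from the environment, a build host that exports it could select Release mode with virtual eFuses, so a build-time warning for that combination may be worth adding.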
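Review bot: In esp_flash_encrypt_enable() (flash_encrypt.c) the INFO line "Flash encryption completed" is still printed before the new warning, so a CONFIG_EFUSE_VIRTUAL build logs two contradictory statements. Any log check that matches on the first string, or runs with warnings filtered, will treat the device as encrypted. Making the two messages exclusive would be clearer: move the existing `ESP_LOGI(TAG, "Flash encryption completed");` under an `#else` of the new `#if CONFIG_EFUSE_VIRTUAL` block. The warning could also say what is missing, e.g. `ESP_LOGW(TAG, "Virtual eFuses enabled: no eFuse was burned, flash encryption is not in effect");`. The function starts outside the hunk, so whether `err` can be non-OK at this point is not visible here.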
@@ -23,6 +23,9 @@ menu "eFuse Bit Manager" to RAM instead of eFuse registers, all permanent changes (via eFuse) are disabled. Log output will state changes that would be applied, but they will not be. + If it is "y", then SECURE_FLASH_ENCRYPTION_MODE_RELEASE cannot be used. + Because the EFUSE VIRT mode is for testing only. + During startup, the eFuses are copied into RAM. This mode is useful for fast tests. config EFUSE_VIRTUAL_KEEP_IN_FLASH
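Review bot: The added help text in components/efuse/Kconfig says SECURE_FLASH_ENCRYPTION_MODE_RELEASE "cannot be used" when EFUSE_VIRTUAL is "y", but the dependency added in Kconfig.projbuild still allows it when IDF_CI_BUILD is set, so the two help texts disagree. The second added sentence is also a fragment. Suggested wording: `If enabled, SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not available (except in CI builds with IDF_CI_BUILD), because virtual eFuse mode is for testing only.`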