diff --git a/doc/manuals/chapters/net.adoc b/doc/manuals/chapters/net.adoc index 431455d15..4bf34a33f 100644 --- a/doc/manuals/chapters/net.adoc +++ b/doc/manuals/chapters/net.adoc @@ -189,6 +189,10 @@ network While authentication is always required on 3G, ciphering is optional. So far OsmoMSC lacks explicit configuration for ciphering on 3G. As an interim -solution, ciphering is always enabled on 3G. +solution, ciphering is enabled on 3G exactly when ciphering is enabled on 2G, +i.e. when any cipher other than A5/0 is enabled in the configuration. If only +A5/0 is configured, ciphering will be disabled on both 2G and 3G. The future +aim is to add comprehensive configuration for 3G ciphering that is independent +from the 2G setting. OsmoMSC indicates UEA1 and UEA2 as permitted encryption algorithms on 3G. diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c index ee317476c..cd37cff05 100644 --- a/src/libmsc/gsm_04_08.c +++ b/src/libmsc/gsm_04_08.c @@ -375,7 +375,7 @@ static int mm_rx_loc_upd_req(struct msc_a *msc_a, struct msgb *msg) net->vlr, msc_a, vlr_lu_type, tmsi, imsi, &old_lai, &msc_a->via_cell.lai, is_utran || net->authentication_required, - is_utran || net->a5_encryption_mask > 0x01, + net->a5_encryption_mask > 0x01, lu->key_seq, osmo_gsm48_classmark1_is_r99(&lu->classmark1), is_utran, @@ -780,7 +780,7 @@ int gsm48_rx_mm_serv_req(struct msc_a *msc_a, struct msgb *msg) req->cm_service_type, mi-1, &msc_a->via_cell.lai, is_utran || net->authentication_required, - is_utran || net->a5_encryption_mask > 0x01, + net->a5_encryption_mask > 0x01, req->cipher_key_seq, osmo_gsm48_classmark2_is_r99(cm2, cm2_len), is_utran); 
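Review bot: The bare comparison `net->a5_encryption_mask > 0x01` now also decides whether UTRAN connections are ciphered, and it is repeated unexplained in mm_rx_loc_upd_req(), gsm48_rx_mm_serv_req() and gsm48_rx_rr_pag_resp(). A comment at each call, e.g. `/* ciphering required iff any A5/n with n > 0 is permitted; this also gates UTRAN ciphering until 3G has its own setting */`, or one shared predicate would keep the three sites from drifting apart. With `is_utran ||` removed, a configuration that permits only A5/0 leaves 3G connections unciphered with nothing at runtime saying so; a notice-level log line when `is_utran` is true and the mask check is false would make that visible to operators. Whether the default mask is A5/0-only is not visible in this diff and is worth confirming, since in that case an upgrade would change 3G ciphering without any configuration edit. All three function bodies start and end outside their hunks.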
@@ -1152,7 +1152,7 @@ static int gsm48_rx_rr_pag_resp(struct msc_a *msc_a, struct msgb *msg) net->vlr, msc_a, VLR_PR_ARQ_T_PAGING_RESP, 0, mi_lv, &msc_a->via_cell.lai, is_utran || net->authentication_required, - is_utran || net->a5_encryption_mask > 0x01, + net->a5_encryption_mask > 0x01, pr->key_seq, osmo_gsm48_classmark2_is_r99(cm2, classmark2_len), is_utran); diff --git a/src/libmsc/msc_vty.c b/src/libmsc/msc_vty.c index 8ef48ff51..5bf970163 100644 --- a/src/libmsc/msc_vty.c +++ b/src/libmsc/msc_vty.c @@ -148,7 +148,10 @@ DEFUN(cfg_net_encryption, cfg_net_encryption_cmd, "encryption a5 <0-3> [<0-3>] [<0-3>] [<0-3>]", "Encryption options\n" - "GSM A5 Air Interface Encryption\n" + "GSM A5 Air Interface Encryption." + " NOTE: as long as OsmoMSC lacks distinct configuration for 3G encryption," + " 3G encryption is enabled exactly when any 2G encryption is enabled." + " Hence configuring only A5/0 here switches off 3G encryption.\n" "A5/n Algorithm Number\n" "A5/n Algorithm Number\n" "A5/n Algorithm Number\n" diff --git a/tests/msc_vlr/msc_vlr_test_authen_reuse.c b/tests/msc_vlr/msc_vlr_test_authen_reuse.c index d73a5f8c5..62ea6c7b5 100644 --- a/tests/msc_vlr/msc_vlr_test_authen_reuse.c +++ b/tests/msc_vlr/msc_vlr_test_authen_reuse.c @@ -266,6 +266,8 @@ static void _test_auth_reuse(enum osmo_rat_type via_ran, static void test_auth_use_twice_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_auth_reuse(OSMO_RAT_GERAN_A, 1, 1, true); comment_end(); } @@ -273,6 +275,8 @@ static void test_auth_use_twice_geran() static void test_auth_use_twice_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_auth_reuse(OSMO_RAT_UTRAN_IU, 1, 1, true); comment_end(); } 
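Review bot: The added NOTE turns the help entry for the `a5` token into three sentences, while the string's other entries are one short phrase each, so it will likely dominate the `?` listing for this command. A shorter entry such as `"GSM A5 Air Interface Encryption (also gates 3G ciphering: A5/0 only means 3G ciphering off)\n"` keeps the warning and leaves the detail to the manual text updated in net.adoc. The DEFUN body is outside the hunk; if the resulting mask is available there, printing a warning when only A5/0 is configured would reach operators who never read the help.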
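Review bot: None of the test changes visible in this diff exercise the case the commit introduces, UTRAN with only A5/0 permitted. Every `*_utran` test sets `net->a5_encryption_mask = A5_0_3;`, here and in msc_vlr_test_umts_authen.c, and standard_lu() in msc_vlr_test_call.c does the same. A variant that calls `_test_auth_reuse(OSMO_RAT_UTRAN_IU, ...)` after `net->a5_encryption_mask = A5_0;` and expects no ciphering to be requested would pin the new behaviour. The mask is also assigned on the shared `net` and never restored; whether it is reset between tests is not visible in these hunks, so a short comment saying each test must set it explicitly would help.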
@@ -280,6 +284,8 @@ static void test_auth_use_twice_utran() static void test_auth_use_infinitely_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_auth_reuse(OSMO_RAT_GERAN_A, -1, 3, false); comment_end(); } @@ -287,6 +293,8 @@ static void test_auth_use_infinitely_geran() static void test_auth_use_infinitely_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_auth_reuse(OSMO_RAT_UTRAN_IU, -1, 3, false); comment_end(); } @@ -294,6 +302,8 @@ static void test_auth_use_infinitely_utran() static void test_no_auth_reuse_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_auth_reuse(OSMO_RAT_GERAN_A, 0, 0, true); comment_end(); } @@ -301,6 +311,8 @@ static void test_no_auth_reuse_geran() static void test_no_auth_reuse_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_auth_reuse(OSMO_RAT_UTRAN_IU, 0, 0, true); comment_end(); } diff --git a/tests/msc_vlr/msc_vlr_test_call.c b/tests/msc_vlr/msc_vlr_test_call.c index 065af2555..cec2f8da0 100644 --- a/tests/msc_vlr/msc_vlr_test_call.c +++ b/tests/msc_vlr/msc_vlr_test_call.c @@ -46,6 +46,7 @@ static void standard_lu() struct vlr_subscr *vsub; net->authentication_required = true; + net->a5_encryption_mask = A5_0_3; net->vlr->cfg.assign_tmsi = true; rx_from_ran = OSMO_RAT_UTRAN_IU; diff --git a/tests/msc_vlr/msc_vlr_test_umts_authen.c b/tests/msc_vlr/msc_vlr_test_umts_authen.c index a89b0d1ab..6f8fa01c3 100644 --- a/tests/msc_vlr/msc_vlr_test_umts_authen.c +++ b/tests/msc_vlr/msc_vlr_test_umts_authen.c 
@@ -306,6 +306,8 @@ static void _test_umts_authen(enum osmo_rat_type via_ran) static void test_umts_authen_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_umts_authen(OSMO_RAT_GERAN_A); comment_end(); } @@ -313,6 +315,8 @@ static void test_umts_authen_geran() static void test_umts_authen_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_umts_authen(OSMO_RAT_UTRAN_IU); comment_end(); } @@ -544,6 +548,8 @@ static void _test_umts_authen_resync(enum osmo_rat_type via_ran) static void test_umts_authen_resync_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_umts_authen_resync(OSMO_RAT_GERAN_A); comment_end(); } @@ -551,6 +557,8 @@ static void test_umts_authen_resync_geran() static void test_umts_authen_resync_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_umts_authen_resync(OSMO_RAT_UTRAN_IU); comment_end(); } @@ -644,6 +652,8 @@ static void _test_umts_authen_too_short_res(enum osmo_rat_type via_ran) static void test_umts_authen_too_short_res_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_umts_authen_too_short_res(OSMO_RAT_GERAN_A); comment_end(); } @@ -651,6 +661,8 @@ static void test_umts_authen_too_short_res_geran() static void test_umts_authen_too_short_res_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_umts_authen_too_short_res(OSMO_RAT_UTRAN_IU); comment_end(); } 
@@ -744,6 +756,8 @@ static void _test_umts_authen_too_long_res(enum osmo_rat_type via_ran) static void test_umts_authen_too_long_res_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_umts_authen_too_long_res(OSMO_RAT_GERAN_A); comment_end(); } @@ -751,6 +765,8 @@ static void test_umts_authen_too_long_res_geran() static void test_umts_authen_too_long_res_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_umts_authen_too_long_res(OSMO_RAT_UTRAN_IU); comment_end(); } @@ -849,6 +865,8 @@ static void _test_umts_authen_only_sres(enum osmo_rat_type via_ran) static void test_umts_authen_only_sres_geran() { comment_start(); + /* A5/0 = no encryption */ + net->a5_encryption_mask = A5_0; _test_umts_authen_only_sres(OSMO_RAT_GERAN_A); comment_end(); } @@ -856,6 +874,8 @@ static void test_umts_authen_only_sres_geran() static void test_umts_authen_only_sres_utran() { comment_start(); + /* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */ + net->a5_encryption_mask = A5_0_3; _test_umts_authen_only_sres(OSMO_RAT_UTRAN_IU); comment_end(); } diff --git a/tests/msc_vlr/msc_vlr_tests.h b/tests/msc_vlr/msc_vlr_tests.h index 9df9cf049..4330ea869 100644 --- a/tests/msc_vlr/msc_vlr_tests.h +++ b/tests/msc_vlr/msc_vlr_tests.h @@ -32,6 +32,9 @@ #include #include +#define A5_0 (1 << 0) +#define A5_0_3 ((1 << 0) | (1 << 3)) + extern bool _log_lines; #define _log(fmt, args...) do { \ if (_log_lines) \
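Review bot: `A5_0` and `A5_0_3` are added to msc_vlr_tests.h without a comment, and `A5_0_3` can be misread as the range A5/0 through A5/3 although it sets only bits 0 and 3. A line above the two defines such as `/* values for net->a5_encryption_mask: bit n set = A5/n permitted */` would make the test setup lines readable without looking up the mask layout.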