diff --git a/include/osmocom/sgsn/sgsn.h b/include/osmocom/sgsn/sgsn.h
index 5b29873b6..8823dea18 100644
--- a/include/osmocom/sgsn/sgsn.h
+++ b/include/osmocom/sgsn/sgsn.h
@@ -76,7 +76,7 @@ struct sgsn_config {
 	struct gprs_ns2_inst *nsi;
 
 	enum sgsn_auth_policy auth_policy;
-	uint8_t cipher_support_mask;
+	uint8_t gea_encryption_mask;
 	struct llist_head imsi_acl;
 
 	struct sockaddr_in gsup_server_addr;
diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c
index 1f68558ef..dfe477cb8 100644
--- a/src/sgsn/gprs_gmm.c
+++ b/src/sgsn/gprs_gmm.c
@@ -1319,11 +1319,11 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 
 	ctx->ue_cipher_mask = gprs_ms_net_cap_gea_mask(ctx->ms_network_capa.buf, msnc_len);
 
-	if (!(ctx->ue_cipher_mask & sgsn->cfg.cipher_support_mask)) {
+	if (!(ctx->ue_cipher_mask & sgsn->cfg.gea_encryption_mask)) {
 		reject_cause = GMM_CAUSE_PROTO_ERR_UNSPEC;
 		LOGMMCTXP(LOGL_NOTICE, ctx, "Rejecting ATTACH REQUEST with MI "
 			  "%s because MS do not support required encryption, mask UE:0x%02x NW:0x%02x \n",
-				  mi_log_string, ctx->ue_cipher_mask, sgsn->cfg.cipher_support_mask);
+				  mi_log_string, ctx->ue_cipher_mask, sgsn->cfg.gea_encryption_mask);
 		goto rejected;
 	}
 
@@ -1335,7 +1335,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 	 * So let's just assume we will have the auth data required to make it work.
 	 */
 
-	ctx->ciph_algo = gprs_ms_net_select_best_gea(ctx->ue_cipher_mask, sgsn->cfg.cipher_support_mask);
+	ctx->ciph_algo = gprs_ms_net_select_best_gea(ctx->ue_cipher_mask, sgsn->cfg.gea_encryption_mask);
 
 #ifdef PTMSI_ALLOC
 	/* Allocate a new P-TMSI (+ P-TMSI signature) and update TLLI */
diff --git a/src/sgsn/sgsn_vty.c b/src/sgsn/sgsn_vty.c
index 6327d1a3d..56a2d78bd 100644
--- a/src/sgsn/sgsn_vty.c
+++ b/src/sgsn/sgsn_vty.c
@@ -251,11 +251,11 @@ static int config_write_sgsn(struct vty *vty)
 	for (server = sgsn->ares_servers; server; server = server->next)
 		vty_out(vty, " grx-dns-add %s%s", inet_ntoa(server->addr.addr4), VTY_NEWLINE);
 
-	if (g_cfg->cipher_support_mask != 0) {
+	if (g_cfg->gea_encryption_mask != 0) {
 		vty_out(vty, " encryption gea");
 
 		for (i = 0; i < _GPRS_ALGO_NUM; i++)
-			if (g_cfg->cipher_support_mask >> i & 1)
+			if (g_cfg->gea_encryption_mask >> i & 1)
 				vty_out(vty, " %u", i);
 
 		vty_out(vty, "%s", VTY_NEWLINE);
@@ -770,7 +770,7 @@ DEFUN_DEPRECATED(cfg_encrypt, cfg_encrypt_cmd,
 		}
 	}
 
-	g_cfg->cipher_support_mask |= (1 << c);
+	g_cfg->gea_encryption_mask |= (1 << c);
 
 	return CMD_SUCCESS;
 }
@@ -787,12 +787,12 @@ DEFUN(cfg_encrypt2, cfg_encrypt2_cmd,
 {
 	int i = 0;
 
-	g_cfg->cipher_support_mask = 0;
+	g_cfg->gea_encryption_mask = 0;
 	for (i = 0; i < argc; i++)
-		g_cfg->cipher_support_mask |= (1 << atoi(argv[i]));
+		g_cfg->gea_encryption_mask |= (1 << atoi(argv[i]));
 
 	for (i = 0; i < _GPRS_ALGO_NUM; i++) {
-		if (g_cfg->cipher_support_mask >> i & 1) {
+		if (g_cfg->gea_encryption_mask >> i & 1) {
 
 			if (i == GPRS_ALGO_GEA0)
 				continue;
@@ -1783,7 +1783,7 @@ int sgsn_parse_config(const char *config_file)
 	/* make sure sgsn_vty_init() was called before this */
 	OSMO_ASSERT(g_cfg);
 
-	g_cfg->cipher_support_mask = 0x1; /* support GEA0 by default unless specific encryption config exists */
+	g_cfg->gea_encryption_mask = 0x1; /* support GEA0 by default unless specific encryption config exists */
 
 	rc = vty_read_config_file(config_file, NULL);
 	if (rc < 0) {
diff --git a/tests/sgsn/sgsn_test.c b/tests/sgsn/sgsn_test.c
index 562ae845d..2c41e8ea3 100644
--- a/tests/sgsn/sgsn_test.c
+++ b/tests/sgsn/sgsn_test.c
@@ -48,7 +48,7 @@ static struct sgsn_instance sgsn_inst = {
 	.cfg = {
 		.gtp_statedir = "./",
 		.auth_policy = SGSN_AUTH_POLICY_CLOSED,
-		.cipher_support_mask = 0x1,
+		.gea_encryption_mask = 0x1,
 	},
 };
 struct sgsn_instance *sgsn = &sgsn_inst;