diff --git a/CHANGELOG b/CHANGELOG
index c8aa120ea7..b91d58eaba 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -22,6 +22,7 @@ git-annex (8.20201128) UNRELEASED; urgency=medium
     current directory, rather than the path from the top of the repository.
   * importfeed: Avoid using youtube-dl when a feed does not contain an
     enclosure, but only a link to an url which youtube-dl does not support.
+  * initremote: Prevent enabling encryption with exporttree=yes/importtree=yes.
 
  -- Joey Hess <id@joeyh.name>  Mon, 30 Nov 2020 12:55:49 -0400
 
diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs
index 25980a937d..296f3836c7 100644
--- a/Remote/Helper/Encryptable.hs
+++ b/Remote/Helper/Encryptable.hs
@@ -20,6 +20,7 @@ module Remote.Helper.Encryptable (
 	cipherKey,
 	extractCipher,
 	isEncrypted,
+	encryptionIsEnabled,
 	describeEncryption,
 	encryptionField,
 	highRandomQualityField
@@ -282,6 +283,14 @@ extractCipher c = case (getRemoteConfigValue cipherField c,
 isEncrypted :: ParsedRemoteConfig -> Bool
 isEncrypted = isJust . extractCipher
 
+-- Check if encryption is enabled. This can be done before encryption
+-- is fully set up yet, so the cipher might not be present yet.
+encryptionIsEnabled :: ParsedRemoteConfig -> Bool
+encryptionIsEnabled c = case getRemoteConfigValue encryptionField c of
+	Nothing -> False
+	Just NoneEncryption -> False
+	Just _ -> True
+
 describeEncryption :: ParsedRemoteConfig -> String
 describeEncryption c = case extractCipher c of
 	Nothing -> "none"
diff --git a/Remote/Helper/ExportImport.hs b/Remote/Helper/ExportImport.hs
index 245b7a940f..27b63bab4d 100644
--- a/Remote/Helper/ExportImport.hs
+++ b/Remote/Helper/ExportImport.hs
@@ -14,7 +14,7 @@ import Types.Remote
 import Types.Key
 import Types.ProposedAccepted
 import Backend
-import Remote.Helper.Encryptable (isEncrypted)
+import Remote.Helper.Encryptable (encryptionIsEnabled)
 import qualified Database.Export as Export
 import qualified Database.ContentIdentifier as ContentIdentifier
 import Annex.Export
@@ -83,7 +83,7 @@ adjustExportImportRemoteType rt = rt { setup = setup' }
 			ifM (supported rt pc gc)
 				( case st of
 					Init
-						| configured pc && isEncrypted pc ->
+						| configured pc && encryptionIsEnabled pc ->
 							giveup $ "cannot enable both encryption and " ++ fromProposedAccepted configfield
 						| otherwise -> cont
 					Enable oldc -> do
diff --git a/doc/bugs/initremote_with_export_and_import_allowed_with_encryption.mdwn b/doc/bugs/initremote_with_export_and_import_allowed_with_encryption.mdwn
index ef3ac00a2f..8f1a6b0cd0 100644
--- a/doc/bugs/initremote_with_export_and_import_allowed_with_encryption.mdwn
+++ b/doc/bugs/initremote_with_export_and_import_allowed_with_encryption.mdwn
@@ -4,3 +4,5 @@ This should be rejected, but currently succeeds:
 
 There is code in adjustExportImportRemoteType, and I remember it used to
 work. --[[Joey]]
+
+> [[fixed|done]] --[[Joey]]