diff --git a/src/main/java/org/commcare/util/EncryptionHelper.java b/src/main/java/org/commcare/util/EncryptionHelper.java
index f490984f6..83897670d 100644
--- a/src/main/java/org/commcare/util/EncryptionHelper.java
+++ b/src/main/java/org/commcare/util/EncryptionHelper.java
@@ -23,7 +23,13 @@ public class EncryptionHelper {
 public enum CryptographicOperation {Encryption, Decryption}
- private IEncryptionKeyProvider encryptionKeyProvider = EncryptionKeyServiceProvider.getInstance().serviceImpl();
+ private IEncryptionKeyProvider encryptionKeyProvider;
+ private boolean useKeyStoreIfAvailable;
+
+ public EncryptionHelper(boolean useKeyStoreIfAvailable) {
+ encryptionKeyProvider = EncryptionKeyServiceProvider.getInstance().serviceImpl(useKeyStoreIfAvailable);
+ this.useKeyStoreIfAvailable = useKeyStoreIfAvailable;
+ }
 public IEncryptionKeyProvider getEncryptionKeyProvider() {
 return encryptionKeyProvider;
@@ -33,18 +39,10 @@ public void setEncryptionKeyProvider(IEncryptionKeyProvider newEncryptionKeyProv
 encryptionKeyProvider = newEncryptionKeyProvider;
 }
- public void reloadEncryptionKeyProvider() {
- encryptionKeyProvider = EncryptionKeyServiceProvider.getInstance().serviceImpl();
+ public void reloadDefaultEncryptionKeyProvider() {
+ encryptionKeyProvider = EncryptionKeyServiceProvider.getInstance().serviceImpl(useKeyStoreIfAvailable);
 }
-
-
-
-
-
-
-
-
 /**
 * Encrypts a message using the AES or RAS algorithms and produces a base64 encoded payload
 * containing the ciphertext, and when applicable, a random IV which was used to encrypt
diff --git a/src/main/java/org/commcare/util/EncryptionKeyServiceProvider.java b/src/main/java/org/commcare/util/EncryptionKeyServiceProvider.java
index 267804991..fd1ca5d4c 100644
--- a/src/main/java/org/commcare/util/EncryptionKeyServiceProvider.java
+++ b/src/main/java/org/commcare/util/EncryptionKeyServiceProvider.java
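Review bot: The new `EncryptionHelper(boolean useKeyStoreIfAvailable)` constructor in the first EncryptionHelper.java hunk is undocumented, although the flag selects the key provider behind every encrypt and decrypt call made through the helper. A Javadoc line such as `@param useKeyStoreIfAvailable prefer a key-store-backed IEncryptionKeyProvider when one is registered` would let a reader see why User.java passes `true` while XPathDecryptStringFunc and XPathEncryptStringFunc pass `false`. In the visible lines the field is only assigned in the constructor, so it could be declared `private final boolean useKeyStoreIfAvailable;`. The class body continues outside the hunk.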
@@ -25,17 +25,19 @@ public static EncryptionKeyServiceProvider getInstance() {
 return serviceProvider;
 }
- public IEncryptionKeyProvider serviceImpl() {
+ public IEncryptionKeyProvider serviceImpl(boolean useKeyStoreIfAvailable) {
 IEncryptionKeyProvider service = null;
 if (loader.iterator().hasNext()) {
 service = loader.iterator().next();
+ if (service.isKeyStoreAvailable() && useKeyStoreIfAvailable) {
+ return service;
+ }
 }
-
+ // In case the preference is not available, this will default to the last provider, if any
 if (service != null) {
 return service;
 } else {
- throw new NoSuchElementException(
- "No implementation for IEncryptionKeyProvider");
+ throw new NoSuchElementException("No implementation for IEncryptionKeyProvider");
 }
 }
 }
diff --git a/src/main/java/org/javarosa/core/model/User.java b/src/main/java/org/javarosa/core/model/User.java
index f5a6de6a3..c271a658a 100644
--- a/src/main/java/org/javarosa/core/model/User.java
+++ b/src/main/java/org/javarosa/core/model/User.java
@@ -50,7 +50,7 @@ public class User implements Persistable, Restorable, IMetaData {
 private byte[] wrappedKey;
 public Hashtable properties = new Hashtable<>();
- private EncryptionHelper encryptionHelper = new EncryptionHelper();
+ private EncryptionHelper encryptionHelper = new EncryptionHelper(true);
 // plaintextCachedPwd and encryptedCachedPwd are used to store the password in memory, should
 // not to be persisted. For aspects related to persisting the password, refer to passwordHash
diff --git a/src/main/java/org/javarosa/xpath/expr/XPathDecryptStringFunc.java b/src/main/java/org/javarosa/xpath/expr/XPathDecryptStringFunc.java
index cbd5a1aeb..811a04e5c 100644
--- a/src/main/java/org/javarosa/xpath/expr/XPathDecryptStringFunc.java
+++ b/src/main/java/org/javarosa/xpath/expr/XPathDecryptStringFunc.java
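Review bot: In `serviceImpl(boolean useKeyStoreIfAvailable)` the added `if (service.isKeyStoreAvailable() && useKeyStoreIfAvailable) { return service; }` has no effect, because when it is false the code falls through to `if (service != null)` and returns the same object, so the flag never changes which provider is chosen. Only the first provider is ever examined, since `hasNext()` and `next()` are each called once with no loop, which does not match the new comment about defaulting to the last provider. The `true` passed by User and the `false` passed by XPathDecryptStringFunc and XPathEncryptStringFunc therefore resolve to the same key provider. Looping over every registered provider, as sketched below, would honour `true`; whether `false` should also skip key-store-backed providers is not settled by the visible lines.

```java
public IEncryptionKeyProvider serviceImpl(boolean useKeyStoreIfAvailable) {
    IEncryptionKeyProvider service = null;
    // assumes loader is Iterable (e.g. a java.util.ServiceLoader); its declaration is outside the hunk
    for (IEncryptionKeyProvider candidate : loader) {
        service = candidate;
        if (useKeyStoreIfAvailable && candidate.isKeyStoreAvailable()) {
            return candidate;
        }
    }
    // … unchanged: return service when non-null, otherwise throw NoSuchElementException …
```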
@@ -14,7 +14,7 @@ public class XPathDecryptStringFunc extends XPathFuncExpr {
 public static final String NAME = "decrypt-string";
 private static final int EXPECTED_ARG_COUNT = 3;
- private EncryptionHelper encryptionHelper = new EncryptionHelper();
+ private EncryptionHelper encryptionHelper = new EncryptionHelper(false);
 public XPathDecryptStringFunc() {
 name = NAME;
diff --git a/src/main/java/org/javarosa/xpath/expr/XPathEncryptStringFunc.java b/src/main/java/org/javarosa/xpath/expr/XPathEncryptStringFunc.java
index 6d1ce5fe3..add3064d3 100644
--- a/src/main/java/org/javarosa/xpath/expr/XPathEncryptStringFunc.java
+++ b/src/main/java/org/javarosa/xpath/expr/XPathEncryptStringFunc.java
@@ -15,7 +15,7 @@ public class XPathEncryptStringFunc extends XPathFuncExpr {
 public static final String NAME = "encrypt-string";
 private static final int EXPECTED_ARG_COUNT = 3;
- private EncryptionHelper encryptionHelper = new EncryptionHelper();
+ private EncryptionHelper encryptionHelper = new EncryptionHelper(false);
 public XPathEncryptStringFunc() {
 name = NAME;