diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index ccccee451b7..acf65a932e5 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -833,7 +833,6 @@ menu "Security features"
         bool "Enable flash encryption on boot (READ DOCS FIRST)"
         default N
         select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
-        select NVS_ENCRYPTION
         help
             If this option is set, flash contents will be encrypted by the bootloader on first boot.
 
diff --git a/components/nvs_flash/test_apps/main/test_nvs.c b/components/nvs_flash/test_apps/main/test_nvs.c
index 45abee6831e..4b34e5bddf4 100644
--- a/components/nvs_flash/test_apps/main/test_nvs.c
+++ b/components/nvs_flash/test_apps/main/test_nvs.c
@@ -97,12 +97,6 @@ TEST_CASE("nvs_flash_init_partition_ptr() works correctly", "[nvs]")
 }
 
 #ifdef CONFIG_SOC_HMAC_SUPPORTED
-/* TODO: This test does not run in CI as the runner assigned has
- * flash encryption enabled by default. Enabling flash encryption
- * 'selects' NVS encryption; a new runner needs to be setup
- * for testing the HMAC NVS encryption scheme without flash encryption
- * enabled for this test.
- */
 TEST_CASE("test nvs encryption with HMAC-based scheme without toggling any config options", "[nvs_encr_hmac]")
 {
     nvs_handle_t handle;
diff --git a/components/nvs_flash/test_apps/pytest_nvs_flash.py b/components/nvs_flash/test_apps/pytest_nvs_flash.py
index 1da98e2da0a..174664912ed 100644
--- a/components/nvs_flash/test_apps/pytest_nvs_flash.py
+++ b/components/nvs_flash/test_apps/pytest_nvs_flash.py
@@ -26,6 +26,13 @@ def test_nvs_flash_encr_hmac(dut: IdfDut) -> None:
     dut.run_all_single_board_cases()
 
 
+@pytest.mark.esp32c3
+@pytest.mark.nvs_encr_hmac
+@pytest.mark.parametrize('config', ['nvs_encr_hmac_no_cfg_esp32c3'], indirect=True)
+def test_nvs_flash_encr_hmac_no_cfg(dut: IdfDut) -> None:
+    dut.run_all_single_board_cases(group='nvs_encr_hmac', timeout=120)
+
+
 @pytest.mark.flash_encryption
 @pytest.mark.parametrize('config', CONFIGS_NVS_ENCR_FLASH_ENC, indirect=True)
 def test_nvs_flash_encr_flash_enc(dut: IdfDut) -> None:
diff --git a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3
new file mode 100644
index 00000000000..6d5be69e260
--- /dev/null
+++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3
@@ -0,0 +1,22 @@
+# Restricting to ESP32C3
+CONFIG_IDF_TARGET="esp32c3"
+
+# NOTE: The runner for this test-app has flash-encryption enabled
+# Partition Table
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv"
+CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv"
+CONFIG_PARTITION_TABLE_OFFSET=0x9000
+
+# Enabling Flash Encryption
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+
+# Disabling NVS encryption
+CONFIG_NVS_ENCRYPTION=n
diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst
index e9fbaeaa055..ae4fc04eed2 100644
--- a/docs/en/api-reference/storage/nvs_encryption.rst
+++ b/docs/en/api-reference/storage/nvs_encryption.rst
@@ -20,7 +20,13 @@ NVS Encryption: Flash Encryption-Based Scheme
 
 In this scheme, the keys required for NVS encryption are stored in yet another partition, which is protected using :doc:`Flash Encryption <../../security/flash-encryption>`. Therefore, enabling :doc:`Flash Encryption <../../security/flash-encryption>` becomes a prerequisite for NVS encryption here.
 
-NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled.
+.. only:: SOC_HMAC_SUPPORTED
+
+    NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform level encryption is already enabled.
+
+.. only:: not SOC_HMAC_SUPPORTED
+
+    NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled.
 
 For using NVS encryption using this scheme, the partition table must contain the :ref:`nvs_encr_key_partition`. Two partition tables containing the :ref:`nvs_encr_key_partition` are provided for NVS encryption under the partition table option (``menuconfig`` > ``Partition Table``). They can be selected with the project configuration menu (``idf.py menuconfig``). Please refer to the example :example:`security/flash_encryption` for how to configure and use the NVS encryption feature.
 
diff --git a/docs/en/migration-guides/release-5.x/5.2/index.rst b/docs/en/migration-guides/release-5.x/5.2/index.rst
index c497099d32b..79168d86655 100644
--- a/docs/en/migration-guides/release-5.x/5.2/index.rst
+++ b/docs/en/migration-guides/release-5.x/5.2/index.rst
@@ -9,5 +9,6 @@ Migration from 5.1 to 5.2
     gcc
     peripherals
     protocols
+    storage
     system
     wifi
diff --git a/docs/en/migration-guides/release-5.x/5.2/storage.rst b/docs/en/migration-guides/release-5.x/5.2/storage.rst
new file mode 100644
index 00000000000..b8408f3b66d
--- /dev/null
+++ b/docs/en/migration-guides/release-5.x/5.2/storage.rst
@@ -0,0 +1,11 @@
+Storage
+=======
+
+:link_to_translation:`zh_CN:[中文]`
+
+NVS Encryption
+--------------
+
+- For SoCs with the HMAC peripheral (``SOC_HMAC_SUPPORTED``), turning on :doc:`Flash Encryption <../../../security/flash-encryption>` will no longer automatically turn on :doc:`NVS encryption <../../../api-reference/storage/nvs_encryption>`.
+- You will need to explicitly turn on NVS encryption and select the required scheme (flash encryption-based or HMAC peripheral-based). You can select the HMAC peripheral-based scheme (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`), even if flash encryption is not enabled.
+- SoCs without the HMAC peripheral will still automatically turn on NVS encryption when flash encryption is enabled.
diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst
index 3e1477075ae..239b91a7ca6 100644
--- a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst
+++ b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst
@@ -9,5 +9,6 @@
     gcc
     peripherals
     protocols
+    storage
     system
     wifi
diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst
new file mode 100644
index 00000000000..a7c49ffe7db
--- /dev/null
+++ b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst
@@ -0,0 +1 @@
+.. include:: ../../../../en/migration-guides/release-5.x/5.2/storage.rst