diff --git a/makefiles/suit.inc.mk b/makefiles/suit.inc.mk
index 9d59290c6b..64f25a0ff7 100644
--- a/makefiles/suit.inc.mk
+++ b/makefiles/suit.inc.mk
@@ -32,10 +32,6 @@ SUIT_MANIFEST_SIGNED_LATEST ?= $(BINDIR_SUIT)/$(SUIT_MANIFEST_BASENAME).latest.b
 SUIT_NOTIFY_VERSION ?= latest
 SUIT_NOTIFY_MANIFEST ?= $(SUIT_MANIFEST_BASENAME).$(SUIT_NOTIFY_VERSION).bin
 
-ifneq (,$(SUIT_SEC_PASSWORD))
-  SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD)
-endif
-
 # Long manifest names require more buffer space when parsing
 export CFLAGS += -DCONFIG_SOCK_URLPATH_MAXLEN=128
 export CFLAGS += -DSUIT_VENDOR_DOMAIN="\"$(SUIT_VENDOR)\""
@@ -58,7 +54,19 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT)
 	$(Q)rm -f $@.tmp
 
 $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC)
-	$(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@
+	$(Q)(											\
+	if grep -q ENCRYPTED $(SUIT_SEC_SIGN); then						\
+		if [ -z "$(SUIT_SEC_PASSWORD)" ]; then						\
+			printf "Enter encryption for key file $(SUIT_SEC_SIGN): ";		\
+			read PASSWORD;								\
+		else										\
+			PASSWORD="$(SUIT_SEC_PASSWORD)";					\
+		fi;										\
+		$(SUIT_TOOL) sign -p "$$PASSWORD" -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@;\
+	else											\
+		$(SUIT_TOOL) sign -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@;		\
+	fi											\
+	)
 
 $(SUIT_MANIFEST_LATEST): $(SUIT_MANIFEST)
 	$(Q)ln -f -s $< $@