diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 19204d228..364cfc71e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1097,7 +1097,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 goto end;
 }
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
 psa_set_key_algorithm( &attributes, alg );
 transform->psa_alg = alg;
@@ -1111,6 +1111,9 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 ret = psa_status_to_mbedtls( status );
 goto end;
 }
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+
 if( ( status = psa_import_key( &attributes,
 key2,
 PSA_BITS_TO_BYTES( key_bits ),
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index e7c8e722c..0aade35b0 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -932,7 +932,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
 return( psa_status_to_mbedtls( status ) );
 }
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
 psa_set_key_algorithm( &attributes, alg );
 transform->psa_alg = alg;
@@ -945,6 +945,9 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
 MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_status_to_mbedtls( status ) );
 return( psa_status_to_mbedtls( status ) );
 }
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+
 if( ( status = psa_import_key( &attributes,
 key_dec,
 PSA_BITS_TO_BYTES( key_bits ),
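Review bot: The added `psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );` before the `key2` import in ssl_tls12_populate_transform depends on two things the code does not state: the call overwrites the usage flags rather than OR-ing into them, and the algorithm set with `psa_set_key_algorithm( &attributes, alg )` before the first import is still carried in `attributes` for the second. A short comment above it would keep a later reordering of the two imports from silently swapping or widening the per-direction permissions, for example `/* Decryption key: decrypt-only. Overwrites the ENCRYPT usage set above; the algorithm in attributes is reused. */`. The same applies to the matching call before the `key_dec` import in mbedtls_ssl_tls13_populate_transform in library/ssl_tls13_keys.c. Both functions begin and end outside the hunks, so whether a test checks that the encryption key is refused for decryption (and the reverse) cannot be seen from here.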