diff --git a/ta/pkcs11/src/processing_asymm.c b/ta/pkcs11/src/processing_asymm.c
index c4c7f6e4a62..2f59922b08f 100644
--- a/ta/pkcs11/src/processing_asymm.c
+++ b/ta/pkcs11/src/processing_asymm.c
@@ -238,9 +238,11 @@ allocate_tee_operation(struct pkcs11_session *session,
 	if (params->id == PKCS11_CKM_RSA_X_509) {
 		assert(!hash_algo);
 		switch (function) {
+		case PKCS11_FUNCTION_ENCRYPT:
 		case PKCS11_FUNCTION_VERIFY:
 			mode = TEE_MODE_ENCRYPT;
 			break;
+		case PKCS11_FUNCTION_DECRYPT:
 		case PKCS11_FUNCTION_SIGN:
 			mode = TEE_MODE_DECRYPT;
 			break;
@@ -826,6 +828,47 @@ enum pkcs11_rc step_asymm_operation(struct pkcs11_session *session,
 
 	case PKCS11_CKM_RSA_X_509:
 		switch (function) {
+		case PKCS11_FUNCTION_ENCRYPT:
+			/*
+			 * Input message size shall be at most the key size
+			 * As encrypting with raw RSA can be unsafe, it
+			 * remains the responsibility of the client to
+			 * prolerly pad the message for safe usage.
+			 */
+			if (in_size > sz) {
+				rc = PKCS11_CKR_DATA_LEN_RANGE;
+				break;
+			}
+			res = TEE_AsymmetricEncrypt(proc->tee_op_handle,
+						    tee_attrs, tee_attrs_count,
+						    in_buf, in_size,
+						    out_buf, &out_size);
+			output_data = true;
+			rc = tee2pkcs_error(res);
+			if (rc == PKCS11_CKR_ARGUMENTS_BAD)
+				rc = PKCS11_CKR_DATA_LEN_RANGE;
+			break;
+		case PKCS11_FUNCTION_DECRYPT:
+			/*
+			 * Input message size shall be at most the key size
+			 * As decrypting with raw RSA can be unsafe, it
+			 * remains the responsibility of the encryption
+			 * instance to have prolerly padded its message.
+			 */
+			if (in_size > sz) {
+				rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE;
+				break;
+			}
+
+			res = TEE_AsymmetricDecrypt(proc->tee_op_handle,
+						    tee_attrs, tee_attrs_count,
+						    in_buf, in_size,
+						    out_buf, &out_size);
+			output_data = true;
+			rc = tee2pkcs_error(res);
+			if (rc == PKCS11_CKR_ARGUMENTS_BAD)
+				rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE;
+			break;
 		case PKCS11_FUNCTION_SIGN:
 			/*
 			 * GP TEE API only allows Decrypt, not Verify operation,
diff --git a/ta/pkcs11/src/token_capabilities.c b/ta/pkcs11/src/token_capabilities.c
index 95523df5aea..64c89e3ca98 100644
--- a/ta/pkcs11/src/token_capabilities.c
+++ b/ta/pkcs11/src/token_capabilities.c
@@ -277,7 +277,7 @@ const struct pkcs11_mechachism_modes token_mechanism[] = {
 	TA_MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN,
 		     PKCS11_CKFM_GENERATE_KEY_PAIR),
 	TA_MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
-	TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_AUTH_NO_RECOVER),
+	TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
 	TA_MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
 	TA_MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
 	TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER),