diff --git a/node/Packet.hpp b/node/Packet.hpp
index 7219a3310..d40e5eb43 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -1249,6 +1249,14 @@ public:
 		return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x38) >> 3);
 	}
 
+	/**
+	 * @return Whether this packet is currently encrypted
+	 */
+	inline bool isEncrypted() const
+	{
+		return (cipher() == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) || (cipher() == ZT_PROTO_CIPHER_SUITE__AES_GMAC_SIV);
+	}
+
 	/**
 	 * Set this packet's cipher suite
 	 */
diff --git a/node/Switch.cpp b/node/Switch.cpp
index 2721cf92f..ae870a278 100644
--- a/node/Switch.cpp
+++ b/node/Switch.cpp
@@ -1045,7 +1045,9 @@ void Switch::_sendViaSpecificPath(void *tPtr,SharedPtr<Peer> peer,SharedPtr<Path
 	if (trustedPathId) {
 		packet.setTrusted(trustedPathId);
 	} else {
-		packet.armor(peer->key(),encrypt,peer->aesKeysIfSupported());
+		if (!packet.isEncrypted()) {
+			packet.armor(peer->key(),encrypt,peer->aesKeysIfSupported());
+		}
 		RR->node->expectReplyTo(packet.packetId());
 	}