diff --git a/internal/rbd/controllerserver.go b/internal/rbd/controllerserver.go
index d2af31294..dc328ee03 100644
--- a/internal/rbd/controllerserver.go
+++ b/internal/rbd/controllerserver.go
@@ -266,6 +266,11 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 			if err != nil {
 				return nil, err
 			}
+
+			err = rbdSnap.repairEncryptionConfig(&rbdVol.rbdImage)
+			if err != nil {
+				return nil, err
+			}
 		}
 
 		return buildCreateVolumeResponse(req, rbdVol), nil
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 259ae43d2..1284ea212 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -150,6 +150,27 @@ func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
 	return nil
 }
 
+// repairEncryptionConfig checks the encryption state of the current rbdImage,
+// and makes sure that the destination rbdImage has the same configuration.
+func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
+	if !ri.isEncrypted() {
+		return nil
+	}
+
+	// if ri is encrypted, copy its configuration in case it is missing
+	if !dest.isEncrypted() {
+		// dest needs to be connected to the cluster, otherwise it will
+		// not be possible to write any metadata
+		if dest.conn == nil {
+			dest.conn = ri.conn.Copy()
+		}
+
+		return ri.copyEncryptionConfig(dest)
+	}
+
+	return nil
+}
+
 func (ri *rbdImage) encryptDevice(ctx context.Context, devicePath string) error {
 	passphrase, err := ri.encryption.GetCryptoPassphrase(ri.VolID)
 	if err != nil {