diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8af2ac0b2..8e17607bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -74,6 +74,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - GATT Client: Use ATT_READ_REQUEST for first blob of Read Long Characteristic and Read Long Characteristic Descriptor
 - GATT Server: Allow ATT Read Callback to return custom ATT Error Code
 - HID: Move `src/classic/hid.h` into `src` and prefix with `btstack_` to use it with BLE and avoid name clashes
+- SM: start pairing as Central for already encrypted connection on Slave Security Request 
 
 ## Release v1.3.2
 
diff --git a/src/ble/sm.c b/src/ble/sm.c
index 7290664db..a869edcd7 100644
--- a/src/ble/sm.c
+++ b/src/ble/sm.c
@@ -3864,9 +3864,9 @@ static void sm_pdu_handler(uint8_t packet_type, hci_con_handle_t con_handle, uin
                 case IRK_LOOKUP_SUCCEEDED:
                     le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL, NULL);
                     have_ltk = !sm_is_null_key(ltk);
-                    log_info("central: security request - have_ltk %u", have_ltk);
-                    if (have_ltk){
-                        // start re-encrypt
+                    log_info("central: security request - have_ltk %u, encryption %u", have_ltk, sm_conn->sm_connection_encrypted);
+                    if (have_ltk && (sm_conn->sm_connection_encrypted == 0)){
+                        // start re-encrypt if we have LTK and the connection is not already encrypted
                         sm_conn->sm_engine_state = SM_INITIATOR_PH4_HAS_LTK;
                     } else {
                         // start pairing