diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h
index 20451c95e5..260619c9fe 100644
--- a/include/psa/crypto_builtin_primitives.h
+++ b/include/psa/crypto_builtin_primitives.h
@@ -104,7 +104,10 @@ typedef struct {
     psa_algorithm_t MBEDTLS_PRIVATE(alg);
     uint8_t MBEDTLS_PRIVATE(iv_length);
     uint8_t MBEDTLS_PRIVATE(block_length);
-    mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher);
+    union {
+        unsigned int MBEDTLS_PRIVATE(initialised);
+        mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher);
+    } MBEDTLS_PRIVATE(ctx);
 } mbedtls_psa_cipher_operation_t;
 
 #define MBEDTLS_PSA_CIPHER_OPERATION_INIT {0, 0, 0, {0}}
diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
index b018e2adc4..6c696df516 100644
--- a/library/psa_crypto_cipher.c
+++ b/library/psa_crypto_cipher.c
@@ -162,7 +162,7 @@ static psa_status_t cipher_setup(
 
     /* Proceed with initializing an mbed TLS cipher context if no driver is
      * available for the given algorithm & key. */
-    mbedtls_cipher_init( &operation->cipher );
+    mbedtls_cipher_init( &operation->ctx.cipher );
 
     operation->alg = alg;
     key_bits = attributes->core.bits;
@@ -171,7 +171,7 @@ static psa_status_t cipher_setup(
     if( cipher_info == NULL )
         return( PSA_ERROR_NOT_SUPPORTED );
 
-    ret = mbedtls_cipher_setup( &operation->cipher, cipher_info );
+    ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info );
     if( ret != 0 )
         goto exit;
 
@@ -182,14 +182,14 @@ static psa_status_t cipher_setup(
         uint8_t keys[24];
         memcpy( keys, key_buffer, 16 );
         memcpy( keys + 16, key_buffer, 8 );
-        ret = mbedtls_cipher_setkey( &operation->cipher,
+        ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
                                      keys,
                                      192, cipher_operation );
     }
     else
 #endif
     {
-        ret = mbedtls_cipher_setkey( &operation->cipher, key_buffer,
+        ret = mbedtls_cipher_setkey( &operation->ctx.cipher, key_buffer,
                                      (int) key_bits, cipher_operation );
     }
     if( ret != 0 )
@@ -200,11 +200,11 @@ static psa_status_t cipher_setup(
     switch( alg )
     {
         case PSA_ALG_CBC_NO_PADDING:
-            ret = mbedtls_cipher_set_padding_mode( &operation->cipher,
+            ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
                                                    MBEDTLS_PADDING_NONE );
             break;
         case PSA_ALG_CBC_PKCS7:
-            ret = mbedtls_cipher_set_padding_mode( &operation->cipher,
+            ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
                                                    MBEDTLS_PADDING_PKCS7 );
             break;
         default:
@@ -253,7 +253,7 @@ static psa_status_t cipher_set_iv( mbedtls_psa_cipher_operation_t *operation,
         return( PSA_ERROR_INVALID_ARGUMENT );
 
     return( mbedtls_to_psa_error(
-                mbedtls_cipher_set_iv( &operation->cipher,
+                mbedtls_cipher_set_iv( &operation->ctx.cipher,
                                        iv, iv_length ) ) );
 }
 
@@ -362,7 +362,7 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation,
          * the last partial block, if any. You get the data that will be
          * output in this call. */
         expected_output_size =
-            ( operation->cipher.unprocessed_len + input_length )
+            ( operation->ctx.cipher.unprocessed_len + input_length )
             / operation->block_length * operation->block_length;
     }
     else
@@ -378,7 +378,7 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation,
         /* mbedtls_cipher_update has an API inconsistency: it will only
         * process a single block at a time in ECB mode. Abstract away that
         * inconsistency here to match the PSA API behaviour. */
-        status = psa_cipher_update_ecb( &operation->cipher,
+        status = psa_cipher_update_ecb( &operation->ctx.cipher,
                                         input,
                                         input_length,
                                         output,
@@ -388,7 +388,7 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation,
     else
     {
         status = mbedtls_to_psa_error(
-            mbedtls_cipher_update( &operation->cipher, input,
+            mbedtls_cipher_update( &operation->ctx.cipher, input,
                                    input_length, output, output_length ) );
     }
 
@@ -403,7 +403,7 @@ static psa_status_t cipher_finish( mbedtls_psa_cipher_operation_t *operation,
     psa_status_t status = PSA_ERROR_GENERIC_ERROR;
     uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
 
-    if( operation->cipher.unprocessed_len != 0 )
+    if( operation->ctx.cipher.unprocessed_len != 0 )
     {
         if( operation->alg == PSA_ALG_ECB_NO_PADDING ||
             operation->alg == PSA_ALG_CBC_NO_PADDING )
@@ -414,7 +414,7 @@ static psa_status_t cipher_finish( mbedtls_psa_cipher_operation_t *operation,
     }
 
     status = mbedtls_to_psa_error(
-        mbedtls_cipher_finish( &operation->cipher,
+        mbedtls_cipher_finish( &operation->ctx.cipher,
                                temp_output_buffer,
                                output_length ) );
     if( status != PSA_SUCCESS )
@@ -441,7 +441,7 @@ static psa_status_t cipher_abort( mbedtls_psa_cipher_operation_t *operation )
     if( ! PSA_ALG_IS_CIPHER( operation->alg ) )
         return( PSA_ERROR_BAD_STATE );
 
-    mbedtls_cipher_free( &operation->cipher );
+    mbedtls_cipher_free( &operation->ctx.cipher );
 
     return( PSA_SUCCESS );
 }