diff --git a/Documentation/gettingstarted/encryption-ipsec.rst b/Documentation/gettingstarted/encryption-ipsec.rst index 39b940ee82978..36625baceac9f 100644 --- a/Documentation/gettingstarted/encryption-ipsec.rst +++ b/Documentation/gettingstarted/encryption-ipsec.rst @@ -205,6 +205,7 @@ Troubleshooting $ cilium encrypt status Encryption: IPsec + Decryption interface(s): eth0, eth1, eth2 Keys in use: 1 Max Seq. Number: 0x1e3/0xffffffff Errors: 0 @@ -212,7 +213,9 @@ Troubleshooting If the error counter is non-zero, additional information will be displayed with the specific errors the kernel encountered. If the sequence number reaches its maximum value, it will also result in errors. The number of - keys in use should be 2 during a key rotation and always 1 otherwise. + keys in use should be 2 during a key rotation and always 1 otherwise. The + list of decryption interfaces should have all native devices that may + receive pod traffic (for example, ENI interfaces). * All XFRM errors correspond to a packet drop in the kernel. Except for ``XfrmFwdHdrError`` and ``XfrmInError``, all XFRM errors indicate a bug in diff --git a/cilium/cmd/encrypt_status.go b/cilium/cmd/encrypt_status.go index 10688eaa80d6c..68eaf1c657306 100644 --- a/cilium/cmd/encrypt_status.go +++ b/cilium/cmd/encrypt_status.go 
@@ -123,6 +123,42 @@ func getEncryptionMode() {
 }
 }
 
+func isDecryptionInterface(link netlink.Link) (bool, error) {
+ filters, err := netlink.FilterList(link, tcFilterParentIngress)
+ if err != nil {
+ return false, err
+ }
+ for _, f := range filters {
+ if bpfFilter, ok := f.(*netlink.BpfFilter); ok {
+ // We consider the interface a decryption interface if it has the
+ // BPF program we use to mark ESP packets for decryption, that is
+ // the cil_from_network BPF program.
+ if strings.Contains(bpfFilter.Name, "cil_from_network") {
+ return true, nil
+ }
+ }
+ }
+ return false, nil
+}
+
+func getDecryptionInterfaces() []string {
+ decryptionIfaces := []string{}
+ links, err := netlink.LinkList()
+ if err != nil {
+ Fatalf("Failed to list interfaces: %s", err)
+ }
+ for _, link := range links {
+ itIs, err := isDecryptionInterface(link)
+ if err != nil {
+ Fatalf("Failed to list BPF programs for %s: %s", link.Attrs().Name, err)
+ }
+ if itIs {
+ decryptionIfaces = append(decryptionIfaces, link.Attrs().Name)
+ }
+ }
+ return decryptionIfaces
+}
+
 func dumpIPsecStatus() {
 xfrmStates, err := netlink.XfrmStateList(netlink.FAMILY_ALL)
 if err != nil {
@@ -130,6 +166,8 @@ func dumpIPsecStatus() {
 }
 keys := ipsec.CountUniqueIPsecKeys(xfrmStates)
 oseq := maxSequenceNumber()
+ interfaces := getDecryptionInterfaces()
+ fmt.Printf("Decryption interface(s): %s\n", strings.Join(interfaces, ", "))
 fmt.Printf("Keys in use: %-26d\n", keys)
 fmt.Printf("Max Seq. Number: %s\n", oseq)
 errCount, errMap := getXfrmStats("")
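Review bot: A filter-dump failure on any single link makes `getDecryptionInterfaces` call `Fatalf`, which aborts the whole `encrypt status` report rather than just the one interface; a link that disappears between `netlink.LinkList()` and `netlink.FilterList(...)`, or a link type whose ingress filter dump is rejected, would hide the key count and XFRM error counters that the troubleshooting section depends on. In the `if err != nil` branch after `isDecryptionInterface(link)`, report the interface name and error as a warning and `continue`, keeping `Fatalf` only for the `LinkList` failure. Whether `FilterList` returns an error or an empty list for devices without a clsact/ingress qdisc is not visible here; if it errors, this would trip on most hosts, so it is worth a comment on `isDecryptionInterface` stating the expected behaviour. A short doc comment on `isDecryptionInterface` should also state that the match is a substring test on the filter name (`cil_from_network`), so a renamed or differently named program silently drops the interface from the list.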
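Review bot: When no interface carries the decryption program, the new `fmt.Printf("Decryption interface(s): ...")` line prints an empty value, which is exactly the misconfiguration the documentation change tells operators to look for and is easy to misread as a formatting glitch. Print an explicit marker instead: `ifaces := "none"`, `if len(interfaces) > 0 { ifaces = strings.Join(interfaces, ", ") }`, `fmt.Printf("Decryption interface(s): %s\n", ifaces)`. `dumpIPsecStatus` continues past the end of this hunk.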