diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java
index 1164d3ff6..8e99e59b1 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java
@@ -731,6 +731,7 @@ public abstract class OperationResult implements Parcelable {
         MSG_PSE_ERROR_PGP (LogLevel.ERROR, R.string.msg_pse_error_pgp),
         MSG_PSE_ERROR_SIG (LogLevel.ERROR, R.string.msg_pse_error_sig),
         MSG_PSE_ERROR_UNLOCK (LogLevel.ERROR, R.string.msg_pse_error_unlock),
+        MSG_PSE_ERROR_KEY_NOT_ALLOWED(LogLevel.ERROR, R.string.msg_pse_error_key_not_allowed),
         MSG_PSE_ERROR_REVOKED_OR_EXPIRED (LogLevel.ERROR, R.string.msg_pse_error_revoked_or_expired),
         MSG_PSE_KEY_OK (LogLevel.OK, R.string.msg_pse_key_ok),
         MSG_PSE_KEY_UNKNOWN (LogLevel.DEBUG, R.string.msg_pse_key_unknown),
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/PgpSignEncryptResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/PgpSignEncryptResult.java
index 2b9f149ed..b1767770e 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/PgpSignEncryptResult.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/PgpSignEncryptResult.java
@@ -25,6 +25,8 @@ import org.sufficientlysecure.keychain.service.input.RequiredInputParcel;
 
 public class PgpSignEncryptResult extends InputPendingResult {
 
+    public static final int RESULT_KEY_DISALLOWED = RESULT_ERROR + 32;
+
     byte[] mOutputBytes;
 
     byte[] mDetachedSignature;
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptInputParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptInputParcel.java
index 8e0c7ab40..f5f998d25 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptInputParcel.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptInputParcel.java
@@ -22,6 +22,8 @@ import android.net.Uri;
 import android.os.Parcel;
 import android.os.Parcelable;
 
+import java.util.HashSet;
+
 
 public class PgpSignEncryptInputParcel implements Parcelable {
 
@@ -31,6 +33,8 @@ public class PgpSignEncryptInputParcel implements Parcelable {
     private Uri mOutputUri;
     private byte[] mInputBytes;
 
+    private HashSet<Long> mAllowedKeyIds;
+
     public PgpSignEncryptInputParcel(PgpSignEncryptData data) {
         this.data = data;
     }
@@ -41,6 +45,8 @@ public class PgpSignEncryptInputParcel implements Parcelable {
         mInputBytes = source.createByteArray();
 
         data = source.readParcelable(getClass().getClassLoader());
+
+        mAllowedKeyIds  = (HashSet<Long>) source.readSerializable();
     }
 
     @Override
@@ -55,6 +61,8 @@ public class PgpSignEncryptInputParcel implements Parcelable {
         dest.writeByteArray(mInputBytes);
 
         data.writeToParcel(dest, 0);
+
+        dest.writeSerializable(mAllowedKeyIds);
     }
 
     public void setInputBytes(byte[] inputBytes) {
@@ -91,6 +99,14 @@ public class PgpSignEncryptInputParcel implements Parcelable {
         return data;
     }
 
+    HashSet<Long> getAllowedKeyIds() {
+        return mAllowedKeyIds;
+    }
+
+    public void setAllowedKeyIds(HashSet<Long> allowedKeyIds) {
+        mAllowedKeyIds = allowedKeyIds;
+    }
+
     public static final Creator<PgpSignEncryptInputParcel> CREATOR = new Creator<PgpSignEncryptInputParcel>() {
         public PgpSignEncryptInputParcel createFromParcel(final Parcel source) {
             return new PgpSignEncryptInputParcel(source);
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptOperation.java
index 7a1d99927..39a9bab18 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptOperation.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptOperation.java
@@ -21,7 +21,6 @@ package org.sufficientlysecure.keychain.pgp;
 
 import android.content.Context;
 import android.net.Uri;
-import android.os.Parcelable;
 import android.support.annotation.NonNull;
 
 import org.bouncycastle.bcpg.ArmoredOutputStream;
@@ -40,8 +39,6 @@ import org.bouncycastle.openpgp.operator.jcajce.PGPUtil;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
 import org.sufficientlysecure.keychain.operations.BaseOperation;
-import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult;
-import org.sufficientlysecure.keychain.operations.results.OperationResult;
 import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType;
 import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog;
 import org.sufficientlysecure.keychain.operations.results.PgpSignEncryptResult;
@@ -229,6 +226,14 @@ public class PgpSignEncryptOperation extends BaseOperation<PgpSignEncryptInputPa
                         mProviderHelper.getCanonicalizedSecretKeyRing(signingMasterKeyId);
                 signingKey = signingKeyRing.getSecretKey(data.getSignatureSubKeyId());
 
+                if (input.getAllowedKeyIds() != null) {
+                    if (!input.getAllowedKeyIds().contains(signingMasterKeyId)) {
+                        // this key is in our db, but NOT allowed!
+                        log.add(LogType.MSG_PSE_ERROR_KEY_NOT_ALLOWED, indent + 1);
+                        return new PgpSignEncryptResult(PgpSignEncryptResult.RESULT_KEY_DISALLOWED, log);
+                    }
+                }
+
 
                 // Make sure key is not expired or revoked
                 if (signingKeyRing.isExpired() || signingKeyRing.isRevoked()
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java
index 1491158ce..cb7cb1c06 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java
@@ -19,15 +19,6 @@
 package org.sufficientlysecure.keychain.remote;
 
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.List;
-
 import android.app.PendingIntent;
 import android.app.Service;
 import android.content.Intent;
@@ -75,6 +66,15 @@ import org.sufficientlysecure.keychain.util.InputData;
 import org.sufficientlysecure.keychain.util.Log;
 import org.sufficientlysecure.keychain.util.Passphrase;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+
 public class OpenPgpService extends Service {
     public static final int API_VERSION_WITH_RESULT_METADATA = 4;
     public static final int API_VERSION_WITH_KEY_REVOKED_EXPIRED = 5;
@@ -109,6 +109,8 @@ public class OpenPgpService extends Service {
         try {
             boolean asciiArmor = cleartextSign || data.getBooleanExtra(OpenPgpApi.EXTRA_REQUEST_ASCII_ARMOR, true);
 
+            int targetApiVersion = data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1);
+
             // sign-only
             PgpSignEncryptData pgpData = new PgpSignEncryptData();
             pgpData.setEnableAsciiArmorOutput(asciiArmor)
@@ -143,6 +145,7 @@ public class OpenPgpService extends Service {
 
 
             PgpSignEncryptInputParcel pseInput = new PgpSignEncryptInputParcel(pgpData);
+            pseInput.setAllowedKeyIds(getAllowedKeyIds(targetApiVersion));
 
             // Get Input- and OutputStream from ParcelFileDescriptor
             if (!cleartextSign) {
@@ -204,6 +207,7 @@ public class OpenPgpService extends Service {
                                       OutputStream outputStream, boolean sign) {
         try {
             boolean asciiArmor = data.getBooleanExtra(OpenPgpApi.EXTRA_REQUEST_ASCII_ARMOR, true);
+            int targetApiVersion = data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1);
             String originalFilename = data.getStringExtra(OpenPgpApi.EXTRA_ORIGINAL_FILENAME);
             if (originalFilename == null) {
                 originalFilename = "";
@@ -278,6 +282,7 @@ public class OpenPgpService extends Service {
             }
 
             PgpSignEncryptInputParcel pseInput = new PgpSignEncryptInputParcel(pgpData);
+            pseInput.setAllowedKeyIds(getAllowedKeyIds(targetApiVersion));
 
             CryptoInputParcel inputParcel = CryptoInputParcelCacheService.getCryptoInputParcel(this, data);
             if (inputParcel == null) {
@@ -330,15 +335,7 @@ public class OpenPgpService extends Service {
                 outputStream = null;
             }
 
-            String currentPkg = mApiPermissionHelper.getCurrentCallingPackage();
-            HashSet<Long> allowedKeyIds = mApiDao.getAllowedKeyIdsForApp(
-                    KeychainContract.ApiAllowedKeys.buildBaseUri(currentPkg));
-
             int targetApiVersion = data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1);
-            if (targetApiVersion <= API_VERSION_HIGHEST_WITH_ACCOUNTS) {
-                allowedKeyIds.addAll(mApiDao.getAllKeyIdsForApp(
-                        ApiAccounts.buildBaseUri(currentPkg)));
-            }
 
             CryptoInputParcel cryptoInput = CryptoInputParcelCacheService.getCryptoInputParcel(this, data);
             if (cryptoInput == null) {
@@ -368,7 +365,7 @@ public class OpenPgpService extends Service {
             // no support for symmetric encryption
             PgpDecryptVerifyInputParcel input = new PgpDecryptVerifyInputParcel()
                     .setAllowSymmetricDecryption(false)
-                    .setAllowedKeyIds(allowedKeyIds)
+                    .setAllowedKeyIds(getAllowedKeyIds(targetApiVersion))
                     .setDecryptMetadataOnly(decryptMetadataOnly)
                     .setDetachedSignature(detachedSignature)
                     .setSenderAddress(senderAddress);
@@ -694,6 +691,19 @@ public class OpenPgpService extends Service {
         }
     }
 
+    private HashSet<Long> getAllowedKeyIds(int targetApiVersion) {
+        String currentPkg = mApiPermissionHelper.getCurrentCallingPackage();
+        HashSet<Long> allowedKeyIds = mApiDao.getAllowedKeyIdsForApp(
+                KeychainContract.ApiAllowedKeys.buildBaseUri(currentPkg));
+
+        if (targetApiVersion <= API_VERSION_HIGHEST_WITH_ACCOUNTS) {
+            allowedKeyIds.addAll(mApiDao.getAllKeyIdsForApp(
+                    ApiAccounts.buildBaseUri(currentPkg)));
+        }
+
+        return allowedKeyIds;
+    }
+
     /**
      * Check requirements:
      * - params != null
diff --git a/OpenKeychain/src/main/res/values/strings.xml b/OpenKeychain/src/main/res/values/strings.xml
index 94a87d2e6..09ff43c75 100644
--- a/OpenKeychain/src/main/res/values/strings.xml
+++ b/OpenKeychain/src/main/res/values/strings.xml
@@ -1297,6 +1297,7 @@
     <string name="msg_pse_error_pgp">"Internal OpenPGP error!"</string>
     <string name="msg_pse_error_sig">"Encountered OpenPGP signature exception!"</string>
     <string name="msg_pse_error_unlock">"Unknown error unlocking key!"</string>
+    <string name="msg_pse_error_key_not_allowed">"Key selected for encryption is not allowed"</string>
     <string name="msg_pse_error_revoked_or_expired">"Revoked/Expired key cannot be used for sign or encryption"</string>
     <string name="msg_pse_key_ok">"Encrypting for key: %s"</string>
     <string name="msg_pse_key_unknown">"Missing key for encryption: %s"</string>