diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 9b890fade3025..08ce2561d4a6c 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1284,6 +1284,13 @@
         android:description="@string/permlab_copyProtectedData"
         android:protectionLevel="signature" />
 
+    <!-- Internal permission protecting access to the encryption methods
+        @hide
+    -->
+    <permission android:name="android.permission.CRYPT_KEEPER"
+        android:protectionLevel="signatureOrSystem" />
+
+
     <!-- C2DM permission. 
          @hide Used internally.
      -->
diff --git a/services/java/com/android/server/MountService.java b/services/java/com/android/server/MountService.java
index d862585b09c50..7440f525c3d42 100644
--- a/services/java/com/android/server/MountService.java
+++ b/services/java/com/android/server/MountService.java
@@ -19,6 +19,7 @@ package com.android.server;
 import com.android.internal.app.IMediaContainerService;
 import com.android.server.am.ActivityManagerService;
 
+import android.Manifest;
 import android.content.BroadcastReceiver;
 import android.content.ComponentName;
 import android.content.Context;
@@ -1635,7 +1636,8 @@ class MountService extends IMountService.Stub implements INativeDaemonConnectorC
             throw new IllegalArgumentException("password cannot be null");
         }
 
-        // TODO: Enforce a permission
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.CRYPT_KEEPER,
+                "no permission to access the crypt keeper");
 
         waitForReady();
 
@@ -1675,12 +1677,13 @@ class MountService extends IMountService.Stub implements INativeDaemonConnectorC
             throw new IllegalArgumentException("password cannot be null");
         }
 
-        // TODO: Enforce a permission
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.CRYPT_KEEPER,
+            "no permission to access the crypt keeper");
 
         waitForReady();
 
         if (DEBUG_EVENTS) {
-            Slog.i(TAG, "decrypting storage...");
+            Slog.i(TAG, "encrypting storage...");
         }
 
         try {