diff --git a/configs/patch-config.example.yml b/configs/patch-config.example.yml
index 5de28595..03fa576e 100644
--- a/configs/patch-config.example.yml
+++ b/configs/patch-config.example.yml
@@ -88,6 +88,9 @@ network:
 tekKeyId: 1
 # Flag indicating whether or not the patch is two-way.
+ # NOTE: If false (one-way patch from source to destination), and patching clear to
+ # encrypted traffic, only the destination TEK will be used for encryption. The clear
+ # traffic must appear on the source side only.
 twoWay: false
 # Hostname/IP address of MMDVM gateway to connect to.
diff --git a/src/patch/HostPatch.cpp b/src/patch/HostPatch.cpp
index 00e54f99..218d5a24 100644
--- a/src/patch/HostPatch.cpp
+++ b/src/patch/HostPatch.cpp
@@ -1170,6 +1170,11 @@ void HostPatch::processP25Network(uint8_t* buffer, uint32_t length)
 if (tekEnable && tekAlgoId != ALGO_UNENCRYPT && tekKeyId != 0U) {
 cryptP25AudioFrame(netLDU, reverseEncrypt, 1U);
+ } else {
+ if (!m_twoWayPatch && m_tekDstEnable && m_tekDstAlgoId != ALGO_UNENCRYPT && m_tekDstKeyId != 0U) {
+ // for one-way patches, if the destination TEK is enabled, use it
+ cryptP25AudioFrame(netLDU, false, 1U);
+ }
 }
 control = lc::LC(*dfsiLC.control());
@@ -1208,6 +1213,18 @@ void HostPatch::processP25Network(uint8_t* buffer, uint32_t length)
 m_p25DstCrypto->getMI(mi);
 control.setMI(mi);
+ } else {
+ if (!m_twoWayPatch && m_tekDstEnable && m_tekDstAlgoId != ALGO_UNENCRYPT && m_tekDstKeyId != 0U) {
+ // for one-way patches, if the destination TEK is enabled, use it
+ control.setAlgId(m_tekDstAlgoId);
+ control.setKId(m_tekDstKeyId);
+
+ uint8_t mi[MI_LENGTH_BYTES];
+ ::memset(mi, 0x00U, MI_LENGTH_BYTES);
+ m_p25DstCrypto->getMI(mi);
+
+ control.setMI(mi);
+ }
 }
 if (m_mmdvmP25Reflector) {
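Review bot: The new `else` branch in the hunk at -1170 encrypts `netLDU` with the destination TEK whenever the first TEK condition is false, but nothing visible here checks that the incoming frame is actually clear. The config note says clear traffic must appear on the source side only; if a source frame arrives already encrypted under a key this patch does not hold, this path would encrypt ciphertext a second time and the hunk at -1208 would then relabel it with the destination ALGID/KID. Consider gating the branch on the received LC's algorithm ID being `ALGO_UNENCRYPT`, or at minimum stating the assumption with `// assumes netLDU is clear source-side audio; already-encrypted input is not detected here`. The same applies to the `2U` call in the hunk at -1270. The enclosing function starts and ends outside these hunks, so an earlier check may already exist.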
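Review bot: In the hunk at -1208 the MI written into the outgoing LC is read from `m_p25DstCrypto->getMI(mi)`, and clear source traffic carries no received MI to seed it, so its freshness depends entirely on state set outside this hunk. If that MI stays at a fixed or previous-call value, every clear-to-encrypted call under the same destination TEK would presumably start from the same keystream position, which weakens confidentiality for stream-mode ciphers. It is worth confirming that a new MI is generated at call start on this path and saying so in the comment, e.g. `// MI comes from m_p25DstCrypto; it must be regenerated per call when the source is clear`. The hunk at -1290 stamps the header the same way. `m_p25DstCrypto` is also dereferenced without a visible null check, and the hunk does not show where it is created.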
@@ -1270,6 +1287,11 @@ void HostPatch::processP25Network(uint8_t* buffer, uint32_t length)
 if (tekEnable && tekAlgoId != ALGO_UNENCRYPT && tekKeyId != 0U) {
 cryptP25AudioFrame(netLDU, reverseEncrypt, 2U);
+ } else {
+ if (!m_twoWayPatch && m_tekDstEnable && m_tekDstAlgoId != ALGO_UNENCRYPT && m_tekDstKeyId != 0U) {
+ // for one-way patches, if the destination TEK is enabled, use it
+ cryptP25AudioFrame(netLDU, false, 2U);
+ }
 }
 control = lc::LC(*dfsiLC.control());
@@ -1290,6 +1312,18 @@ void HostPatch::processP25Network(uint8_t* buffer, uint32_t length)
 m_p25DstCrypto->getMI(mi);
 control.setMI(mi);
+ } else {
+ if (!m_twoWayPatch && m_tekDstEnable && m_tekDstAlgoId != ALGO_UNENCRYPT && m_tekDstKeyId != 0U) {
+ // for one-way patches, if the destination TEK is enabled, use it
+ control.setAlgId(m_tekDstAlgoId);
+ control.setKId(m_tekDstKeyId);
+
+ uint8_t mi[MI_LENGTH_BYTES];
+ ::memset(mi, 0x00U, MI_LENGTH_BYTES);
+ m_p25DstCrypto->getMI(mi);
+
+ control.setMI(mi);
+ }
 }
 if (m_mmdvmP25Reflector) {
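Review bot: The predicate `!m_twoWayPatch && m_tekDstEnable && m_tekDstAlgoId != ALGO_UNENCRYPT && m_tekDstKeyId != 0U` now appears four times in this commit (here and in the hunks at -1170, -1208 and -1290), and the encrypt step and the header-stamp step each evaluate their own copy. If one copy is later edited and another is not, a frame could be encrypted without the matching ALGID/KID/MI in its LC, or labelled encrypted while the audio is left clear. A single named local, for example `const bool useDstTekOneWay = ...;` (name is a suggestion), evaluated once and used as `else if (useDstTekOneWay)`, would keep the four sites in step and remove the extra nesting level. The start of the function is outside these hunks, so where that local should be declared cannot be judged from here.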