diff --git a/sys/opencrypto/crypto.c b/sys/opencrypto/crypto.c
index 889e8555e4ce..d1df283f21a6 100644
--- a/sys/opencrypto/crypto.c
+++ b/sys/opencrypto/crypto.c
@@ -161,10 +161,10 @@ int crypto_userasymcrypto = 1; /* userland may do asym crypto reqs */
 SYSCTL_INT(_kern, OID_AUTO, userasymcrypto, CTLFLAG_RW,
 &crypto_userasymcrypto, 0,
 "Enable/disable user-mode access to asymmetric crypto support");
-int crypto_devallowsoft = 0; /* only use hardware crypto for asym */
+int crypto_devallowsoft = 0; /* only use hardware crypto */
 SYSCTL_INT(_kern, OID_AUTO, cryptodevallowsoft, CTLFLAG_RW,
 &crypto_devallowsoft, 0,
- "Enable/disable use of software asym crypto support");
+ "Enable/disable use of software crypto by /dev/crypto");
 MALLOC_DEFINE(M_CRYPTO_DATA, "crypto", "crypto session records");
diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c
index 5e949cac12b9..4d16833cf0f1 100644
--- a/sys/opencrypto/cryptodev.c
+++ b/sys/opencrypto/cryptodev.c
@@ -351,11 +351,14 @@ cryptof_truncate(
 static int
 checkforsoftware(int crid)
 {
- if (crid & CRYPTOCAP_F_SOFTWARE)
- return EINVAL; /* XXX */
- if ((crid & CRYPTOCAP_F_HARDWARE) == 0 &&
- (crypto_getcaps(crid) & CRYPTOCAP_F_HARDWARE) == 0)
- return EINVAL; /* XXX */
+
+ if (!crypto_devallowsoft) {
+ if (crid & CRYPTOCAP_F_SOFTWARE)
+ return EINVAL; /* XXX */
+ if ((crid & CRYPTOCAP_F_HARDWARE) == 0 &&
+ (crypto_getcaps(crid) & CRYPTOCAP_F_HARDWARE) == 0)
+ return EINVAL; /* XXX */
+ }
 return 0;
 }
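Review bot: The new description string for cryptodevallowsoft still does not say which value means what, and the knob's scope has widened from asymmetric requests to every /dev/crypto request. I would state the polarity in the string itself, for example `"Allow /dev/crypto to use software crypto drivers (0 = hardware only)"`. A host that already set this sysctl to a non-zero value for asymmetric work will, judging by the cryptodev.c hunk in this same diff, also start accepting software drivers in checkforsoftware(), so the changed meaning deserves a line in the commit message or release notes.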
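Review bot: With crypto_devallowsoft non-zero, checkforsoftware() returns 0 for every crid without calling crypto_getcaps(crid). If crypto_getcaps() reports no capability flags for an id that names no registered driver, the old code rejected such an id as a side effect and the new code no longer does; whether callers validate the id later is not visible in this hunk, so confirm that or keep a validity check outside the new `if`. Enabling the knob also means any process able to open /dev/crypto can drive software crypto in the kernel, leaving the device node's permissions as the remaining gate. A header comment stating the policy would help, for example `/* Reject software-backed drivers unless kern.cryptodevallowsoft is set. */`, and the two `/* XXX */` markers on the EINVAL returns should either say what is unresolved or be dropped.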