diff --git a/init/builtins.cpp b/init/builtins.cpp
index 38b44b7d8..b227d40b7 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -861,8 +861,12 @@ static int do_restorecon_recursive(const std::vector<std::string>& args) {
     int ret = 0;
 
     for (auto it = std::next(args.begin()); it != args.end(); ++it) {
-        if (restorecon_recursive(it->c_str()) < 0)
+        /* The contents of CE paths are encrypted on FBE devices until user
+         * credentials are presented (filenames inside are mangled), so we need
+         * to delay restorecon of those until vold explicitly requests it. */
+        if (restorecon_recursive_skipce(it->c_str()) < 0) {
             ret = -errno;
+        }
     }
     return ret;
 }
diff --git a/init/util.cpp b/init/util.cpp
index 6c1923f8b..80b232522 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -362,6 +362,12 @@ int restorecon_recursive(const char* pathname)
     return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
 }
 
+int restorecon_recursive_skipce(const char* pathname)
+{
+    return selinux_android_restorecon(pathname,
+            SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+}
+
 /*
  * Writes hex_len hex characters (1/2 byte) to hex from bytes.
  */
diff --git a/init/util.h b/init/util.h
index 9d522cc8e..651e609c3 100644
--- a/init/util.h
+++ b/init/util.h
@@ -59,6 +59,7 @@ void import_kernel_cmdline(bool in_qemu,
 int make_dir(const char *path, mode_t mode);
 int restorecon(const char *pathname);
 int restorecon_recursive(const char *pathname);
+int restorecon_recursive_skipce(const char *pathname);
 std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
 bool is_dir(const char* pathname);
 bool expand_props(const std::string& src, std::string* dst);