diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
index a47e69953e..8261daaeab 100644
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@@ -266,6 +266,11 @@ type AmazonVPCNetworkingSpec struct {
 const CiliumIpamEni = "eni"
+type CiliumEncryptionType string
+
+const CiliumEncryptionTypeIPSec CiliumEncryptionType = "ipsec"
+const CiliumEncryptionTypeWireguard CiliumEncryptionType = "wireguard"
+
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
 // Version is the version of the Cilium agent and the Cilium Operator.
@@ -345,7 +350,7 @@ type CiliumNetworkingSpec struct {
 EnableEncryption bool `json:"enableEncryption,omitempty"`
 // EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
 // Default: ipsec
- EncryptionType string `json:"encryptionType,omitempty"`
+ EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
 // EnvoyLog is not implemented and may be removed in the future.
 // Setting this has no effect.
 EnvoyLog string `json:"envoyLog,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index ad3fa4dd8b..3a5b23874b 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -266,6 +266,11 @@ type AmazonVPCNetworkingSpec struct {
 const CiliumIpamEni = "eni"
+type CiliumEncryptionType string
+
+const CiliumEncryptionTypeIPSec CiliumEncryptionType = "ipsec"
+const CiliumEncryptionTypeWireguard CiliumEncryptionType = "wireguard"
+
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
 // Version is the version of the Cilium agent and the Cilium Operator.
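Review bot: The exported type `CiliumEncryptionType` and its two constants are added to pkg/apis/kops/networking.go without doc comments, and the identical declarations in pkg/apis/kops/v1alpha2/networking.go are undocumented too. Exported API names should carry a comment that starts with the name, for example `// CiliumEncryptionType is the transparent encryption method used by Cilium.` above the type. The two constants would read better in one parenthesized `const ( ... )` block with a line each, such as `// CiliumEncryptionTypeIPSec selects IPsec encryption.`. The type is still a plain string underneath, so it names the allowed values without enforcing them; the check in validateNetworkingCilium is still what rejects anything else.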
@@ -345,7 +350,7 @@ type CiliumNetworkingSpec struct {
 EnableEncryption bool `json:"enableEncryption,omitempty"`
 // EncryptionType specifies Cilium Encryption method ("ipsec", "wireguard").
 // Default: ipsec
- EncryptionType string `json:"encryptionType,omitempty"`
+ EncryptionType CiliumEncryptionType `json:"encryptionType,omitempty"`
 // EnvoyLog is not implemented and may be removed in the future.
 // Setting this has no effect.
 EnvoyLog string `json:"envoyLog,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index b741ed6866..1badd34b62 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1774,7 +1774,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * out.EnableTracing = in.EnableTracing out.EnablePrometheusMetrics = in.EnablePrometheusMetrics out.EnableEncryption = in.EnableEncryption - out.EncryptionType = in.EncryptionType + out.EncryptionType = kops.CiliumEncryptionType(in.EncryptionType) out.EnvoyLog = in.EnvoyLog out.IdentityAllocationMode = in.IdentityAllocationMode out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
@@ -1882,7 +1882,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * out.EnableTracing = in.EnableTracing out.EnablePrometheusMetrics = in.EnablePrometheusMetrics out.EnableEncryption = in.EnableEncryption - out.EncryptionType = in.EncryptionType + out.EncryptionType = CiliumEncryptionType(in.EncryptionType) out.EnvoyLog = in.EnvoyLog out.IdentityAllocationMode = in.IdentityAllocationMode out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 01c0bdc984..7b7db2f053 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -887,7 +887,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 }
 if v.EncryptionType != "" {
- allErrs = append(allErrs, IsValidValue(fldPath.Child("encryptionType"), &v.EncryptionType, []string{"ipsec", "wireguard"})...)
+ encryptionType := string(v.EncryptionType)
+ allErrs = append(allErrs, IsValidValue(fldPath.Child("encryptionType"), &encryptionType, []string{"ipsec", "wireguard"})...)
 version, _ := semver.Parse(v.Version)
 if v.EncryptionType == "wireguard" && version.Minor < 10 {
diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go
index 787a24637e..c72dec4e06 100644
--- a/pkg/model/components/cilium.go
+++ b/pkg/model/components/cilium.go
@@ -150,7 +150,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 }
 if c.EncryptionType == "" {
- c.EncryptionType = "ipsec"
+ c.EncryptionType = kops.CiliumEncryptionTypeIPSec
 }
 hubble := c.Hubble
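Review bot: In validateNetworkingCilium (pkg/apis/kops/validation/validation.go) the new `IsValidValue` line still spells the allowed values as the literals `"ipsec"` and `"wireguard"`, so the validator can drift from the constants this commit introduces. Build the list from them, `[]string{string(kops.CiliumEncryptionTypeIPSec), string(kops.CiliumEncryptionTypeWireguard)}`, and compare with `v.EncryptionType == kops.CiliumEncryptionTypeWireguard` on the context line below. That same context discards the error from `semver.Parse(v.Version)`; if the version does not parse, `version` is presumably the zero value, so `version.Minor < 10` holds for a reason unrelated to the actual Cilium version, and the test reads only `Minor`, never `Major`. The function starts and ends outside the hunk, so what the WireGuard branch reports is not visible here.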