diff --git a/openpgp/packet/config.go b/openpgp/packet/config.go
index fb21e6d1b..8bf8e6e51 100644
--- a/openpgp/packet/config.go
+++ b/openpgp/packet/config.go
@@ -139,6 +139,11 @@ type Config struct {
 	// might be no other way than to tolerate the missing MDC. Setting this flag, allows this
 	// mode of operation. It should be considered a measure of last resort.
 	InsecureAllowUnauthenticatedMessages bool
+	// InsecureAllowDecryptionWithSigningKeys allows decryption with keys marked as signing keys in the v2 API.
+	// This setting is potentially insecure, but it is needed as some libraries
+	// ignored key flags when selecting a key for encryption.
+	// Not relevant for the v1 API, as all keys were allowed in decryption.
+	InsecureAllowDecryptionWithSigningKeys bool
 	// KnownNotations is a map of Notation Data names to bools, which controls
 	// the notation names that are allowed to be present in critical Notation Data
 	// signature subpackets.
@@ -291,6 +296,13 @@ func (c *Config) AllowUnauthenticatedMessages() bool {
 	return c.InsecureAllowUnauthenticatedMessages
 }
 
+func (c *Config) AllowDecryptionWithSigningKeys() bool {
+	if c == nil {
+		return false
+	}
+	return c.InsecureAllowDecryptionWithSigningKeys
+}
+
 func (c *Config) KnownNotation(notationName string) bool {
 	if c == nil {
 		return false
diff --git a/openpgp/v2/keys.go b/openpgp/v2/keys.go
index 9a5226d5f..93082dd48 100644
--- a/openpgp/v2/keys.go
+++ b/openpgp/v2/keys.go
@@ -164,12 +164,12 @@ func (e *Entity) DecryptionKeys(id uint64, date time.Time, config *packet.Config
 	for _, subkey := range e.Subkeys {
 		subkeySelfSig, err := subkey.LatestValidBindingSignature(date, config)
 		if err == nil &&
-			isValidEncryptionKey(subkeySelfSig, subkey.PublicKey.PubKeyAlgo) &&
+			(config.AllowDecryptionWithSigningKeys() || isValidEncryptionKey(subkeySelfSig, subkey.PublicKey.PubKeyAlgo)) &&
 			(id == 0 || subkey.PublicKey.KeyId == id) {
 			keys = append(keys, Key{subkey.Primary, primarySelfSignature, subkey.PublicKey, subkey.PrivateKey, subkeySelfSig})
 		}
 	}
-	if isValidEncryptionKey(primarySelfSignature, e.PrimaryKey.PubKeyAlgo) {
+	if config.AllowDecryptionWithSigningKeys() || isValidEncryptionKey(primarySelfSignature, e.PrimaryKey.PubKeyAlgo) {
 		keys = append(keys, Key{e, primarySelfSignature, e.PrimaryKey, e.PrivateKey, primarySelfSignature})
 	}
 	return