diff --git a/pc/jsep_transport_controller.cc b/pc/jsep_transport_controller.cc index 4a66f83798..c5dda0bd20 100644 --- a/pc/jsep_transport_controller.cc +++ b/pc/jsep_transport_controller.cc @@ -1102,6 +1102,16 @@ RTCError JsepTransportController::MaybeCreateJsepTransport( return RTCError(RTCErrorType::INVALID_PARAMETER, "Manual keys and DTLS-SRTP cannot be enabled at the same time."); } + if (content_desc->manually_specify_keys() && + !content_desc->crypto().has_value()) { + return RTCError(RTCErrorType::INVALID_PARAMETER, + "Manual keys required but not specified."); + } + if (!content_desc->manually_specify_keys() && + content_desc->crypto().has_value()) { + return RTCError(RTCErrorType::INVALID_PARAMETER, + "Manual keys specified in DTLS-SRTP mode."); + } rtc::scoped_refptr ice = CreateIceTransport(content_info.name, /*rtcp=*/false); diff --git a/pc/media_session.cc b/pc/media_session.cc index 15908c6d45..be7f556a2c 100644 --- a/pc/media_session.cc +++ b/pc/media_session.cc @@ -1140,7 +1140,7 @@ bool IsMediaProtocolSupported(MediaType type, // RingRTC: Allow out-of-band / "manual" key negotiation. void SetMediaProtocol(bool secure_transport, bool manually_specify_keys, MediaContentDescription* desc) { - if (desc->crypto().has_value() || manually_specify_keys) + if (manually_specify_keys) desc->set_protocol(kMediaProtocolSavpf); else if (secure_transport) desc->set_protocol(kMediaProtocolDtlsSavpf); @@ -2058,6 +2058,10 @@ RTCError MediaSessionDescriptionFactory::AddRtpContentForOffer( } else { content_description = std::make_unique(); } + // RingRTC: Allow out-of-band / "manual" key negotiation. + if (manually_specify_keys()) { + content_description->set_manually_specify_keys(true); + } auto error = CreateMediaContentOffer( media_description_options, session_options, 
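Review bot: The two new consistency checks in MaybeCreateJsepTransport protect a session only if this point is reached for every description that gets applied. The start of the function is outside the hunk, and its name suggests it can return without creating anything. If an already existing transport for `content_info.name` returns early above these lines, a later offer or answer whose `manually_specify_keys()` and `crypto()` disagree would not be refused here. The ValidateSessionDescription hunk in pc/sdp_offer_answer.cc does not cover that case either, since it calls VerifyCrypto only when `pc_->dtls_enabled()`. It is worth confirming the early-return behaviour and, if it exists, repeating the comparison per content where descriptions are validated, e.g. `if (content_desc->manually_specify_keys() != content_desc->crypto().has_value())`.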
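Review bot: The comment above SetMediaProtocol still says only that manual key negotiation is allowed, while the condition no longer looks at `desc->crypto()`. A caller that attaches keys to `desc` but passes `manually_specify_keys == false` now falls through to the `secure_transport` branch, or to whatever follows it outside the hunk. It then depends on the consistency check added in pc/jsep_transport_controller.cc to be refused. I would record that next to the condition: `// Profile is chosen from the manually_specify_keys argument alone; crypto() on desc is not consulted.`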
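Review bot: The `if` around the setter in AddRtpContentForOffer adds nothing when the description has just been constructed, because the new field defaults to false. `content_description->set_manually_specify_keys(manually_specify_keys());` says the same thing in one line. Only the `else` branch that builds a fresh description is visible in the hunk, so this assumes the other branch does not return a description that already has the flag set. The identical four lines in the AddRtpContentForAnswer hunk can change the same way, or both can call one small helper so the offer and answer paths cannot drift apart.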
@@ -2226,6 +2230,10 @@ RTCError MediaSessionDescriptionFactory::AddRtpContentForAnswer( } else { answer_content = std::make_unique(); } + // RingRTC: Allow out-of-band / "manual" key negotiation. + if (manually_specify_keys()) { + answer_content->set_manually_specify_keys(true); + } if (!SetCodecsInAnswer( offer_content_description, filtered_codecs, media_description_options, session_options, ssrc_generator(), current_streams, diff --git a/pc/sdp_offer_answer.cc b/pc/sdp_offer_answer.cc index 00a39644ca..6ebc59c0f0 100644 --- a/pc/sdp_offer_answer.cc +++ b/pc/sdp_offer_answer.cc @@ -3557,11 +3557,7 @@ RTCError SdpOfferAnswerHandler::ValidateSessionDescription( // Verify crypto settings. std::string crypto_error; - // RingRTC: Allow out-of-band / "manual" key negotiation. - // Do not verify if "ManuallySpecifyKeys" is set; `VerifyCrypto` only makes - // sense for DTLS. - if (!webrtc_session_desc_factory_->ManuallySpecifyKeys() && - pc_->dtls_enabled()) { + if (pc_->dtls_enabled()) { RTCError crypto_error = VerifyCrypto( sdesc->description(), pc_->dtls_enabled(), bundle_groups_by_mid); if (!crypto_error.ok()) { diff --git a/pc/session_description.h b/pc/session_description.h index 40c6ab14b5..e67713a9d8 100644 --- a/pc/session_description.h +++ b/pc/session_description.h @@ -128,6 +128,8 @@ class MediaContentDescription { void set_crypto(const absl::optional& crypto) { crypto_ = crypto; } + void set_manually_specify_keys(bool b) { manually_specify_keys_ = b;} + bool manually_specify_keys() const { return manually_specify_keys_; } // List of RTP header extensions. URIs are **NOT** guaranteed to be unique // as they can appear twice when both encrypted and non-encrypted extensions @@ -270,6 +272,7 @@ class MediaContentDescription { // RingRTC: Allow out-of-band / "manual" key negotiation. absl::optional crypto_; + bool manually_specify_keys_ = false; std::vector rtp_header_extensions_; bool rtp_header_extensions_set_ = false; StreamParamsVec send_streams_; 
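Review bot: The new accessor pair in MediaContentDescription has no comment saying what the flag means or who must set it. The rest of this commit makes it security-relevant, because MaybeCreateJsepTransport now rejects a description whose flag and `crypto()` disagree. As far as this diff shows, only local code sets the flag (the description factory and the rffi builders), so a description obtained any other way keeps the default `false`. I would state that on the declaration, for example `// RingRTC: true when SRTP keys are supplied out of band via set_crypto(); set by local code only and must agree with crypto().has_value().` The setter is also missing a space before its closing brace (`= b;}`).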
diff --git a/ringrtc/rffi/src/peer_connection.cc b/ringrtc/rffi/src/peer_connection.cc index 2f50647fc6..9006fdc018 100644 --- a/ringrtc/rffi/src/peer_connection.cc +++ b/ringrtc/rffi/src/peer_connection.cc @@ -352,6 +352,7 @@ Rust_sessionDescriptionFromV4(bool offer, auto set_rtp_params = [] (cricket::MediaContentDescription* media) { media->set_protocol(cricket::kMediaProtocolSavpf); + media->set_manually_specify_keys(true); media->set_rtcp_mux(true); media->set_direction(webrtc::RtpTransceiverDirection::kSendRecv); }; @@ -547,6 +548,7 @@ CreateSessionDescriptionForGroupCall(bool local, media->set_protocol(cricket::kMediaProtocolSavpf); media->set_rtcp_mux(true); + media->set_manually_specify_keys(true); media->set_crypto(crypto_params); };
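Review bot: In the `set_rtp_params` lambda of Rust_sessionDescriptionFromV4 the flag is now set to true, but no `set_crypto` call is visible in that lambda. The lambda in the CreateSessionDescriptionForGroupCall hunk sets both. With the new check in pc/jsep_transport_controller.cc, a description built here is refused with "Manual keys required but not specified." unless keys are attached before it is applied. Presumably that happens elsewhere, outside this hunk. A comment at the new line would make the dependency explicit, e.g. `// Keys are attached separately; the description is rejected until set_crypto() has been called.`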