diff --git a/internal/image/fixtures/oci1.encrypted.json b/internal/image/fixtures/oci1.encrypted.json
new file mode 100644
index 0000000000..c6c523e70b
--- /dev/null
+++ b/internal/image/fixtures/oci1.encrypted.json
@@ -0,0 +1,43 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.manifest.v1+json",
+   "config": {
+      "mediaType": "application/vnd.oci.image.config.v1+json",
+      "size": 5940,
+      "digest": "sha256:9ca4bda0a6b3727a6ffcc43e981cad0f24e2ec79d338f6ba325b4dfd0756fb8f",
+      "annotations": {
+         "test-annotation-1": "one"
+      }
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+         "size": 51354364,
+         "digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+         "size": 150,
+         "digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+      },
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+         "size": 11739507,
+         "digest": "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+         "urls": ["https://layer.url"]
+      },
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+         "size": 8841833,
+         "digest": "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+         "annotations": {
+            "test-annotation-2": "two"
+         }
+      },
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+         "size": 291,
+         "digest": "sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+      }
+   ]
+}
diff --git a/internal/image/oci.go b/internal/image/oci.go
index c6c0fb362f..6b41210d19 100644
--- a/internal/image/oci.go
+++ b/internal/image/oci.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/blobinfocache/none"
 	"github.com/containers/image/v5/types"
+	ociencspec "github.com/containers/ocicrypt/spec"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -227,6 +228,10 @@ func (m *manifestOCI1) convertToManifestSchema2(_ context.Context, _ *types.Mani
 			layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
 		case imgspecv1.MediaTypeImageLayerZstd:
 			return nil, fmt.Errorf("Error during manifest conversion: %q: zstd compression is not supported for docker images", layers[idx].MediaType)
+			// FIXME: s/Zsdt/Zstd/ after ocicrypt with https://github.com/containers/ocicrypt/pull/91 is released
+		case ociencspec.MediaTypeLayerEnc, ociencspec.MediaTypeLayerGzipEnc, ociencspec.MediaTypeLayerZstdEnc,
+			ociencspec.MediaTypeLayerNonDistributableEnc, ociencspec.MediaTypeLayerNonDistributableGzipEnc, ociencspec.MediaTypeLayerNonDistributableZsdtEnc:
+			return nil, fmt.Errorf("during manifest conversion: encrypted layers (%q) are not supported in docker images", layers[idx].MediaType)
 		default:
 			return nil, fmt.Errorf("Unknown media type during manifest conversion: %q", layers[idx].MediaType)
 		}
diff --git a/internal/image/oci_test.go b/internal/image/oci_test.go
index 7c3bffeae5..f4ad1bf15a 100644
--- a/internal/image/oci_test.go
+++ b/internal/image/oci_test.go
@@ -538,6 +538,16 @@ func TestManifestOCI1ConvertToManifestSchema1(t *testing.T) {
 	var expected manifest.NonImageArtifactError
 	assert.ErrorAs(t, err, &expected)
 
+	// Conversion of an encrypted image fails
+	encrypted := manifestOCI1FromFixture(t, originalSrc, "oci1.encrypted.json")
+	_, err = encrypted.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		ManifestMIMEType: manifest.DockerV2Schema1SignedMediaType,
+		InformationOnly: types.ManifestUpdateInformation{
+			Destination: memoryDest,
+		},
+	})
+	assert.Error(t, err)
+
 	// Conversion to schema1 with encryption fails
 	_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
 		LayerInfos:       layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
@@ -576,6 +586,13 @@ func TestConvertToManifestSchema2(t *testing.T) {
 	var expected manifest.NonImageArtifactError
 	assert.ErrorAs(t, err, &expected)
 
+	// Conversion of an encrypted image fails
+	encrypted := manifestOCI1FromFixture(t, originalSrc, "oci1.encrypted.json")
+	_, err = encrypted.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		ManifestMIMEType: manifest.DockerV2Schema2MediaType,
+	})
+	assert.Error(t, err)
+
 	// Conversion to schema2 with encryption fails
 	_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
 		LayerInfos:       layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),