diff --git a/features/FEATURE_BLE/ble/BLETypes.h b/features/FEATURE_BLE/ble/BLETypes.h
index 4c5732dc05..856f3ca84d 100644
--- a/features/FEATURE_BLE/ble/BLETypes.h
+++ b/features/FEATURE_BLE/ble/BLETypes.h
@@ -227,7 +227,7 @@ public:
         for (int i = 5, m = 100000; i >= 0; --i, m /= 10) {
             uint32_t result = passkey / m;
             ascii[i] = NUMBER_OFFSET + result;
-            passkey -= result;
+            passkey -= result * m;
         }
     }
 
diff --git a/features/FEATURE_BLE/ble/SecurityManager.h b/features/FEATURE_BLE/ble/SecurityManager.h
index dc2d3ec14f..7c94c15dac 100644
--- a/features/FEATURE_BLE/ble/SecurityManager.h
+++ b/features/FEATURE_BLE/ble/SecurityManager.h
@@ -673,19 +673,6 @@ public:
         return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
     }
 
-    /**
-     * Return the size of the encryption key used on this link.
-     *
-     * @param[in] connectionHandle Handle to identify the connection.
-     * @param[out] byteSize Size of the encryption key in bytes.
-     * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
-     */
-    virtual ble_error_t getEncryptionKeySize(ble::connection_handle_t connectionHandle, uint8_t *byteSize) {
-        (void) connectionHandle;
-        (void) byteSize;
-        return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
-    }
-
     /**
      * Set the requirements for encryption key size. If the peer cannot comply with the requirements
      * paring will fail.
diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
index 92f7d9598b..94163d8e83 100644
--- a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
+++ b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
@@ -375,25 +375,21 @@ ble_error_t GenericSecurityManager::setLinkEncryption(
         return BLE_ERROR_OPERATION_NOT_PERMITTED;
     }
 
-    /* ignore if the link is already at required state*/
     if (current_encryption == encryption) {
-        eventHandler->linkEncryptionResult(connection, current_encryption);
-        return BLE_ERROR_NONE;
-    }
 
-    if (encryption == link_encryption_t::NOT_ENCRYPTED) {
+        /* ignore if the link is already at required state*/
 
-        return BLE_ERROR_INVALID_STATE;
+    } else if (encryption == link_encryption_t::NOT_ENCRYPTED) {
+
+        /* ignore if we are requesting an open link on an already encrypted link */
 
     } else if (encryption == link_encryption_t::ENCRYPTED) {
 
-        /* if already better than encrypted don't bother */
-        if (current_encryption == link_encryption_t::ENCRYPTED_WITH_MITM) {
-            eventHandler->linkEncryptionResult(connection, current_encryption);
-            return BLE_ERROR_NONE;
+        /* only change if we're not already encrypted with mitm */
+        if (current_encryption != link_encryption_t::ENCRYPTED_WITH_MITM) {
+            cb->encryption_requested = true;
+            return enable_encryption(connection);
         }
-        cb->encryption_requested = true;
-        return enable_encryption(connection);
 
     } else if (encryption == link_encryption_t::ENCRYPTED_WITH_MITM) {
 
@@ -409,6 +405,8 @@ ble_error_t GenericSecurityManager::setLinkEncryption(
         return BLE_ERROR_INVALID_PARAM;
     }
 
+    eventHandler->linkEncryptionResult(connection, current_encryption);
+
     return BLE_ERROR_NONE;
 }