diff --git a/core/src/apps/base.py b/core/src/apps/base.py
index 7d7828d7e..666873682 100644
--- a/core/src/apps/base.py
+++ b/core/src/apps/base.py
@@ -44,7 +44,6 @@ def get_features() -> Features:
         label=storage.device.get_label(),
         pin_protection=config.has_pin(),
         unlocked=config.is_unlocked(),
-        passphrase_protection=storage.device.is_passphrase_enabled(),
     )
 
     if utils.BITCOIN_ONLY:
@@ -79,7 +78,8 @@ def get_features() -> Features:
 
     # private fields:
     if config.is_unlocked():
-
+        # passphrase_protection is private, see #1807
+        f.passphrase_protection = storage.device.is_passphrase_enabled()
         f.needs_backup = storage.device.needs_backup()
         f.unfinished_backup = storage.device.unfinished_backup()
         f.no_backup = storage.device.no_backup()
diff --git a/tests/device_tests/test_msg_applysettings.py b/tests/device_tests/test_msg_applysettings.py
index f9a53f60f..1246caca1 100644
--- a/tests/device_tests/test_msg_applysettings.py
+++ b/tests/device_tests/test_msg_applysettings.py
@@ -71,8 +71,6 @@ class TestMsgApplysettings:
 
     @pytest.mark.setup_client(pin=PIN4, passphrase=False)
     def test_apply_settings_passphrase(self, client):
-        assert client.features.passphrase_protection is False
-
         with client:
             _set_expected_responses(client)
             device.apply_settings(client, use_passphrase=True)
diff --git a/tests/device_tests/test_protection_levels.py b/tests/device_tests/test_protection_levels.py
index ac2f3de5e..b9085123d 100644
--- a/tests/device_tests/test_protection_levels.py
+++ b/tests/device_tests/test_protection_levels.py
@@ -61,6 +61,32 @@ def test_initialize(client):
         client.init_device()
 
 
+@pytest.mark.skip_t1
+@pytest.mark.setup_client(pin=PIN4)
+@pytest.mark.parametrize("passphrase", (True, False))
+def test_passphrase_reporting(client, passphrase):
+    """On TT, passphrase_protection is a private setting, so a locked device should
+    report passphrase_protection=None.
+    """
+    with client:
+        client.use_pin_sequence([PIN4])
+        device.apply_settings(client, use_passphrase=passphrase)
+
+    client.lock()
+
+    # on a locked device, passphrase_protection should be None
+    assert client.features.unlocked is False
+    assert client.features.passphrase_protection is None
+
+    # on an unlocked device, protection should be reported accurately
+    _assert_protection(client, pin=True, passphrase=passphrase)
+
+    # after re-locking, the setting should be hidden again
+    client.lock()
+    assert client.features.unlocked is False
+    assert client.features.passphrase_protection is None
+
+
 def test_apply_settings(client):
     _assert_protection(client)
     with client:
diff --git a/tests/ui_tests/fixtures.json b/tests/ui_tests/fixtures.json
index 7902048e9..07bfe7d17 100644
--- a/tests/ui_tests/fixtures.json
+++ b/tests/ui_tests/fixtures.json
@@ -794,6 +794,8 @@
 "test_protection_levels.py::test_get_public_key": "f0ac110de788b3112e04dc2ef131fca011a8dea1c309df37adeb23066729e273",
 "test_protection_levels.py::test_initialize": "59e518cba8589979f0af46e2acb211d37c96312f1d1a63a899d138ebb2f3ca29",
 "test_protection_levels.py::test_passphrase_cached": "7fe34cc300a6f3547eaf72ab4339b758469f1e2722244d2a14d06e55ab1a3716",
+"test_protection_levels.py::test_passphrase_reporting[False]": "233f8978b159ec8fb4092599d63f001c8059222ca14a9e84d185560d3c32ce24",
+"test_protection_levels.py::test_passphrase_reporting[True]": "d9e9bdb39d15d6737ed6234f16c36bb7ad95ca54067ff8f10cffccaa3caa96cb",
 "test_protection_levels.py::test_ping": "5551c263e8e09c8ae683f4dec3dd9d7ecc05ebbd3f2556604b27479c8f1fbc82",
 "test_protection_levels.py::test_sign_message_t2": "bdcc7268caf112c3ba1708d9387fcca8384b330ba5a1e500df87e5fa3b0a4320",
 "test_protection_levels.py::test_signtx": "f13f1687e062bd407dc781ae93ebb6619eee5ea3d37ee031ffdc98d5bd7aea33",