diff --git a/server/service/asset.go b/server/service/asset.go
index f9bca57a9..e651b8c47 100644
--- a/server/service/asset.go
+++ b/server/service/asset.go
@@ -267,6 +267,10 @@ func (s assetService) UpdateById(id string, m maps.Map) error {
 		}
 		if len(item.Passphrase) == 0 {
 			item.Passphrase = existingAsset.Passphrase
+		} else {
+			if err := s.Encrypt(&item, config.GlobalCfg.EncryptionPassword); err != nil {
+				return err
+			}
 		}
 	case "password":
 		item.PrivateKey = "-"
@@ -278,6 +282,22 @@ func (s assetService) UpdateById(id string, m maps.Map) error {
 		if len(item.Password) == 0 {
 			item.Password = existingAsset.Password
 			item.Encrypted = existingAsset.Encrypted
+		} else {
+			existingDecrypted := existingAsset
+			if err := s.Decrypt(&existingDecrypted, config.GlobalCfg.EncryptionPassword); err == nil {
+				if item.Password == existingDecrypted.Password {
+					item.Password = existingAsset.Password
+					item.Encrypted = existingAsset.Encrypted
+				} else if !item.Encrypted {
+					if err := s.Encrypt(&item, config.GlobalCfg.EncryptionPassword); err != nil {
+						return err
+					}
+				}
+			} else if !item.Encrypted {
+				if err := s.Encrypt(&item, config.GlobalCfg.EncryptionPassword); err != nil {
+					return err
+				}
+			}
 		}
 	}
 
@@ -293,12 +313,6 @@ func (s assetService) UpdateById(id string, m maps.Map) error {
 		item.AccessGatewayId = "-"
 	}
 
-	if item.Password != "" && item.Password != "-" && !item.Encrypted {
-		if err := s.Encrypt(&item, config.GlobalCfg.EncryptionPassword); err != nil {
-			return err
-		}
-	}
-
 	return s.Transaction(context.Background(), func(ctx context.Context) error {
 		if err := repository.AssetRepository.UpdateById(ctx, &item, id); err != nil {
 			return err