diff --git a/cmd/up.go b/cmd/up.go
index 3939086ba..5c7138f9e 100644
--- a/cmd/up.go
+++ b/cmd/up.go
@@ -28,8 +28,10 @@ var (
 				os.Exit(ExitSetupFailed)
 			}
 
+			var sigTLSEnabled = false
+
 			ctx := context.Background()
-			signalClient, err := sig.NewClient(ctx, config.SignalAddr, myKey)
+			signalClient, err := sig.NewClient(ctx, config.SignalAddr, myKey, sigTLSEnabled)
 			if err != nil {
 				log.Errorf("error while connecting to the Signal Exchange Service %s: %s", config.SignalAddr, err)
 				os.Exit(ExitSetupFailed)
diff --git a/connection/engine_test.go b/connection/engine_test.go
index 07c39da83..d0268d495 100644
--- a/connection/engine_test.go
+++ b/connection/engine_test.go
@@ -39,7 +39,9 @@ func Test_Start(t *testing.T) {
 
 	iFaceBlackList := make(map[string]struct{})
 
-	signalClient, err := sig.NewClient(ctx, "signal.wiretrustee.com:10000", testKey)
+	var sigTLSEnabled = false
+
+	signalClient, err := sig.NewClient(ctx, "signal.wiretrustee.com:10000", testKey, sigTLSEnabled)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/signal/client.go b/signal/client.go
index bedcaaaf3..40b732386 100644
--- a/signal/client.go
+++ b/signal/client.go
@@ -2,6 +2,7 @@ package signal
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
@@ -10,6 +11,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
@@ -38,12 +40,18 @@ func (c *Client) Close() error {
 }
 
 // NewClient creates a new Signal client
-func NewClient(ctx context.Context, addr string, key wgtypes.Key) (*Client, error) {
+func NewClient(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled bool) (*Client, error) {
+
+	transportOption := grpc.WithInsecure()
+
+	if tlsEnabled {
+		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+	}
 
 	conn, err := grpc.DialContext(
 		ctx,
 		addr,
-		grpc.WithInsecure(),
+		transportOption,
 		grpc.WithBlock(),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    3 * time.Second,
diff --git a/signal/signal_test.go b/signal/signal_test.go
index b43bba129..057408db7 100644
--- a/signal/signal_test.go
+++ b/signal/signal_test.go
@@ -144,7 +144,8 @@ var _ = Describe("Client", func() {
 })
 
 func createSignalClient(addr string, key wgtypes.Key) *signal.Client {
-	client, err := signal.NewClient(context.Background(), addr, key)
+	var sigTLSEnabled = false
+	client, err := signal.NewClient(context.Background(), addr, key, sigTLSEnabled)
 	if err != nil {
 		Fail("failed creating signal client")
 	}