diff --git a/app-libs/parentchain-interface/src/indirect_calls/shield_funds.rs b/app-libs/parentchain-interface/src/indirect_calls/shield_funds.rs
index 9d013e7518..55eee2d8dd 100644
--- a/app-libs/parentchain-interface/src/indirect_calls/shield_funds.rs
+++ b/app-libs/parentchain-interface/src/indirect_calls/shield_funds.rs
@@ -25,7 +25,7 @@ use itp_stf_primitives::{
 	traits::IndirectExecutor,
 	types::{AccountId, TrustedOperation},
 };
-use itp_types::{parentchain::ParentchainId, Balance, ShardIdentifier};
+use itp_types::{Balance, ShardIdentifier};
 use log::{debug, info};
 use std::vec::Vec;
 
@@ -41,7 +41,7 @@ impl<Executor: IndirectExecutor<TrustedCallSigned, Error>>
 	IndirectDispatch<Executor, TrustedCallSigned> for ShieldFundsArgs
 {
 	fn dispatch(&self, executor: &Executor) -> Result<()> {
-		info!("Found ShieldFunds extrinsic in block: \nAccount Encrypted {:?} \nAmount: {} \nShard: {}",
+		info!("Found EnclaveBridge::ShieldFunds extrinsic in block: \nAccount Encrypted {:?} \nAmount: {} \nShard: {}",
         	self.account_encrypted, self.amount, bs58::encode(self.shard.encode()).into_string());
 
 		debug!("decrypt the account id");
@@ -49,11 +49,10 @@ impl<Executor: IndirectExecutor<TrustedCallSigned, Error>>
 		let account = AccountId::decode(&mut account_vec.as_slice())?;
 
 		let enclave_account_id = executor.get_enclave_account()?;
-		let trusted_call = TrustedCall::balance_shield(
+		let trusted_call = TrustedCall::balance_shield_through_enclave_bridge_pallet(
 			enclave_account_id,
 			account,
 			self.amount,
-			ParentchainId::Integritee,
 		);
 		let signed_trusted_call = executor.sign_call_with_self(&trusted_call, &self.shard)?;
 		let trusted_operation =
diff --git a/app-libs/stf/src/trusted_call.rs b/app-libs/stf/src/trusted_call.rs
index 8c5dc89043..344182c77d 100644
--- a/app-libs/stf/src/trusted_call.rs
+++ b/app-libs/stf/src/trusted_call.rs
@@ -74,6 +74,7 @@ pub enum TrustedCall {
 	balance_unshield(AccountId, AccountId, Balance, ShardIdentifier) = 3, // (AccountIncognito, BeneficiaryPublicAccount, Amount, Shard)
 	balance_shield(AccountId, AccountId, Balance, ParentchainId) = 4, // (Root, AccountIncognito, Amount, origin parentchain)
 	balance_transfer_with_note(AccountId, AccountId, Balance, Vec<u8>) = 5,
+	balance_shield_through_enclave_bridge_pallet(AccountId, AccountId, Balance) = 6, // (Root, AccountIncognito, Amount)
 	note_bloat(AccountId, u32) = 10,
 	waste_time(AccountId, u32) = 11,
 	send_note(AccountId, AccountId, Vec<u8>) = 20,
@@ -136,6 +137,8 @@ impl TrustedCall {
 			Self::balance_unshield(sender_account, ..) => sender_account,
 			Self::balance_shield(sender_account, ..) => sender_account,
 			Self::balance_transfer_with_note(sender_account, ..) => sender_account,
+			Self::balance_shield_through_enclave_bridge_pallet(sender_account, ..) =>
+				sender_account,
 			Self::timestamp_set(sender_account, ..) => sender_account,
 			Self::send_note(sender_account, ..) => sender_account,
 			Self::add_session_proxy(sender_account, ..) => sender_account,
@@ -416,6 +419,26 @@ where
 				store_note(&enclave_account, self.call, vec![who])?;
 				Ok(())
 			},
+			TrustedCall::balance_shield_through_enclave_bridge_pallet(
+				enclave_account,
+				who,
+				value,
+			) => {
+				ensure_enclave_signer_account(&enclave_account)?;
+				debug!(
+					"balance_shield_through_enclave_bridge_pallet({}, {})",
+					account_id_to_string(&who),
+					value,
+				);
+				ensure!(
+					shard_vault().is_none(),
+					StfError::EnclaveBridgeShieldingDisabledIfVaultAssigned
+				);
+				std::println!("⣿STF⣿ 🛡 will shield to {}", account_id_to_string(&who));
+				shield_funds(&who, value)?;
+				store_note(&enclave_account, self.call, vec![who])?;
+				Ok(())
+			},
 			TrustedCall::timestamp_set(enclave_account, now, parentchain_id) => {
 				ensure_enclave_signer_account(&enclave_account)?;
 				debug!("timestamp_set({}, {:?})", now, parentchain_id);
@@ -678,6 +701,7 @@ fn get_fee_for(tc: &TrustedCallSigned) -> Balance {
 		TrustedCall::waste_time(..) => Balance::from(0u32),
 		TrustedCall::timestamp_set(..) => Balance::from(0u32),
 		TrustedCall::balance_shield(..) => Balance::from(0u32), //will be charged on recipient, elsewhere
+		TrustedCall::balance_shield_through_enclave_bridge_pallet(..) => Balance::from(0u32), //will be charged on recipient, elsewhere
 		#[cfg(any(feature = "test", test))]
 		TrustedCall::balance_set_balance(..) => Balance::from(0u32),
 		_ => one / crate::STF_TX_FEE_UNIT_DIVIDER,
diff --git a/cli/demo_shielding_unshielding_multiworker.sh b/cli/demo_shielding_unshielding_multiworker.sh
index 6d9b687b70..ef5a3cd257 100755
--- a/cli/demo_shielding_unshielding_multiworker.sh
+++ b/cli/demo_shielding_unshielding_multiworker.sh
@@ -55,15 +55,14 @@ echo ""
 
 SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 
-"${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_1_URL}" -P "${WORKER_1_PORT}" -C "${CLIENT_BIN}" -t first
-"${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_2_URL}" -P "${WORKER_2_PORT}" -C "${CLIENT_BIN}" -t second
-
 if [ "$FLAVOR_ID" = offchain-worker ]; then
+    "${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_1_URL}" -P "${WORKER_1_PORT}" -C "${CLIENT_BIN}" -t first
+    "${SCRIPT_DIR}"/demo_shielding_unshielding.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_2_URL}" -P "${WORKER_2_PORT}" -C "${CLIENT_BIN}" -t second
     echo "offchain-worker does not support shard vault shielding, therefore we skip those tests"
-    exit 0
+else
+    "${SCRIPT_DIR}"/demo_shielding_unshielding_using_shard_vault.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_1_URL}" -P "${WORKER_1_PORT}" -C "${CLIENT_BIN}" -t first
+    "${SCRIPT_DIR}"/demo_shielding_unshielding_using_shard_vault.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_2_URL}" -P "${WORKER_2_PORT}" -C "${CLIENT_BIN}" -t second
+    echo "sidechain-worker does not support enclave bridge shielding, therefore we skip those tests"
 fi
 
-"${SCRIPT_DIR}"/demo_shielding_unshielding_using_shard_vault.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_1_URL}" -P "${WORKER_1_PORT}" -C "${CLIENT_BIN}" -t first
-"${SCRIPT_DIR}"/demo_shielding_unshielding_using_shard_vault.sh -p "${INTEGRITEE_RPC_PORT}" -u "${INTEGRITEE_RPC_URL}" -V "${WORKER_2_URL}" -P "${WORKER_2_PORT}" -C "${CLIENT_BIN}" -t second
-
 exit 0
diff --git a/core-primitives/stf-primitives/src/error.rs b/core-primitives/stf-primitives/src/error.rs
index 01c5872ebe..58f9278aec 100644
--- a/core-primitives/stf-primitives/src/error.rs
+++ b/core-primitives/stf-primitives/src/error.rs
@@ -42,4 +42,5 @@ pub enum StfError {
 	ChangingShardVaultAccountNotAllowed,
 	WrongParentchainIdForShardVault,
 	NoShardVaultAssigned,
+	EnclaveBridgeShieldingDisabledIfVaultAssigned,
 }
diff --git a/service/src/main_impl.rs b/service/src/main_impl.rs
index 1a01e1079d..0c36bae526 100644
--- a/service/src/main_impl.rs
+++ b/service/src/main_impl.rs
@@ -734,15 +734,17 @@ fn start_worker<E, T, D, InitializationHandler, WorkerModeProvider>(
 		None
 	};
 
-	init_provided_shard_vault(
-		shard,
-		&enclave,
-		integritee_rpc_api.clone(),
-		maybe_target_a_rpc_api.clone(),
-		maybe_target_b_rpc_api.clone(),
-		run_config.shielding_target,
-		we_are_primary_validateer,
-	);
+	if WorkerModeProvider::worker_mode() == WorkerMode::Sidechain {
+		init_provided_shard_vault(
+			shard,
+			&enclave,
+			integritee_rpc_api.clone(),
+			maybe_target_a_rpc_api.clone(),
+			maybe_target_b_rpc_api.clone(),
+			run_config.shielding_target,
+			we_are_primary_validateer,
+		);
+	}
 
 	// ------------------------------------------------------------------------
 	// Start prometheus metrics server.