diff --git a/cereal/car.capnp b/cereal/car.capnp
index 6af474c0ee..34f2ac37e3 100644
--- a/cereal/car.capnp
+++ b/cereal/car.capnp
@@ -87,6 +87,7 @@ struct OnroadEvent @0x9b1657f34caf3ad3 {
     startup @75;
     startupNoCar @76;
     startupNoControl @77;
+    startupNoSecOcKey @125;
     startupMaster @78;
     fcw @79;
     steerSaturated @80;
@@ -515,6 +516,9 @@ struct CarParams {
 
   wheelSpeedFactor @63 :Float32; # Multiplier on wheels speeds to computer actual speeds
 
+  secOcRequired @75 :Bool;  # Car requires SecOC message authentication to operate
+  secOcKeyAvailable @76 :Bool;  # Stored SecOC key loaded from params
+
   struct SafetyConfig {
     safetyModel @0 :SafetyModel;
     safetyParam @3 :UInt16;
diff --git a/common/params.cc b/common/params.cc
index c75a09e28b..9e62ed582c 100644
--- a/common/params.cc
+++ b/common/params.cc
@@ -182,6 +182,7 @@ std::unordered_map<std::string, uint32_t> keys = {
     {"PrimeType", PERSISTENT},
     {"RecordFront", PERSISTENT},
     {"RecordFrontLock", PERSISTENT},  // for the internal fleet
+    {"SecOCKey", PERSISTENT | DONT_LOG},
     {"RouteCount", PERSISTENT},
     {"SnoozeUpdate", CLEAR_ON_MANAGER_START | CLEAR_ON_OFFROAD_TRANSITION},
     {"SshEnabled", PERSISTENT},
diff --git a/opendbc_repo b/opendbc_repo
index 7b63ff21e9..bed4c18a95 160000
--- a/opendbc_repo
+++ b/opendbc_repo
@@ -1 +1 @@
-Subproject commit 7b63ff21e9652242255b408840d0ebc5a7d0e768
+Subproject commit bed4c18a959475251e48c28fadfa6bc207f20ec6
diff --git a/selfdrive/car/card.py b/selfdrive/car/card.py
index 8829c2e91f..7f57edf866 100755
--- a/selfdrive/car/card.py
+++ b/selfdrive/car/card.py
@@ -127,6 +127,18 @@ class Car:
       safety_config.safetyModel = structs.CarParams.SafetyModel.noOutput
       self.CP.safetyConfigs = [safety_config]
 
+    if self.CP.secOcRequired and not self.params.get_bool("IsReleaseBranch"):
+      secoc_key = self.params.get("SecOCKey", encoding='utf8')
+      if secoc_key is not None:
+        saved_secoc_key = bytes.fromhex(secoc_key.strip())
+        if len(saved_secoc_key) == 16:
+          self.CP.secOcKeyAvailable = True
+          self.CI.CS.secoc_key = saved_secoc_key
+          if controller_available:
+            self.CI.CC.secoc_key = saved_secoc_key
+        else:
+          cloudlog.warning("Saved SecOC key is invalid")
+
     # Write previous route's CarParams
     prev_cp = self.params.get("CarParamsPersistent")
     if prev_cp is not None:
diff --git a/selfdrive/selfdrived/events.py b/selfdrive/selfdrived/events.py
index 9ed1b454f0..29b1933701 100755
--- a/selfdrive/selfdrived/events.py
+++ b/selfdrive/selfdrived/events.py
@@ -382,6 +382,12 @@ EVENTS: dict[int, dict[str, Alert | AlertCallbackType]] = {
     ET.PERMANENT: StartupAlert("Dashcam mode for unsupported car"),
   },
 
+  EventName.startupNoSecOcKey: {
+    ET.PERMANENT: NormalPermanentAlert("Dashcam Mode",
+                                       "Security Key Not Available",
+                                       priority=Priority.HIGH),
+  },
+
   EventName.dashcamMode: {
     ET.PERMANENT: NormalPermanentAlert("Dashcam Mode",
                                        priority=Priority.LOWEST),
diff --git a/selfdrive/selfdrived/selfdrived.py b/selfdrive/selfdrived/selfdrived.py
index 18ac61dec8..9e6ac90219 100755
--- a/selfdrive/selfdrived/selfdrived.py
+++ b/selfdrive/selfdrived/selfdrived.py
@@ -118,6 +118,8 @@ class SelfdriveD:
       self.startup_event = EventName.startupNoCar
     elif car_recognized and self.CP.passive:
       self.startup_event = EventName.startupNoControl
+    elif self.CP.secOcRequired and not self.CP.secOcKeyAvailable:
+      self.startup_event = EventName.startupNoSecOcKey
 
     if not sounds_available:
       self.events.add(EventName.soundsUnavailable, static=True)