diff --git a/src/utils/MegolmExportEncryption.js b/src/utils/MegolmExportEncryption.js
index e3ca7e68f2..983ec2c75f 100644
--- a/src/utils/MegolmExportEncryption.js
+++ b/src/utils/MegolmExportEncryption.js
@@ -106,6 +106,12 @@ export function encryptMegolmKeyFile(data, password, options) {
 
     const salt = new Uint8Array(16);
     window.crypto.getRandomValues(salt);
+
+    // clear bit 63 of the salt to stop us hitting the 64-bit counter boundary
+    // (which would mean we wouldn't be able to decrypt on Android). The loss
+    // of a single bit of salt is a price we have to pay.
+    salt[9] &= 0x7f;
+
     const iv = new Uint8Array(16);
     window.crypto.getRandomValues(iv);