diff --git a/doc/gpg.texi b/doc/gpg.texi index 3f8f6b9f4..ffcdaf21e 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1724,7 +1724,8 @@ Set what trust model GnuPG should follow. The models are: @opindex trust-model:auto Select the trust model depending on whatever the internal trust database says. This is the default model if such a database already - exists. + exists. Note that a tofu trust model is not considered here and + must be enabled explicitly. @end table @item --auto-key-locate @var{mechanisms} diff --git a/g10/tdbio.c b/g10/tdbio.c index fed0cf5ab..8f7530621 100644 --- a/g10/tdbio.c +++ b/g10/tdbio.c @@ -562,6 +562,12 @@ tdbio_update_version_record (ctrl_t ctrl) { TRUSTREC rec; int rc; + int opt_tm; + + /* Never store a TOFU trust model in the trustdb. Use PGP instead. */ + opt_tm = opt.trust_model; + if (opt_tm == TM_TOFU || opt_tm == TM_TOFU_PGP) + opt_tm = TM_PGP; memset (&rec, 0, sizeof rec); @@ -572,7 +578,7 @@ tdbio_update_version_record (ctrl_t ctrl) rec.r.ver.marginals = opt.marginals_needed; rec.r.ver.completes = opt.completes_needed; rec.r.ver.cert_depth = opt.max_cert_depth; - rec.r.ver.trust_model = opt.trust_model; + rec.r.ver.trust_model = opt_tm; rec.r.ver.min_cert_level = opt.min_cert_level; rc = tdbio_write_record (ctrl, &rec); } @@ -591,6 +597,12 @@ create_version_record (ctrl_t ctrl) { TRUSTREC rec; int rc; + int opt_tm; + + /* Never store a TOFU trust model in the trustdb. Use PGP instead. */ + opt_tm = opt.trust_model; + if (opt_tm == TM_TOFU || opt_tm == TM_TOFU_PGP) + opt_tm = TM_PGP; memset (&rec, 0, sizeof rec); rec.r.ver.version = 3; 
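Review bot: The TOFU-to-PGP mapping added at the top of tdbio_update_version_record is written out by hand here, again in create_version_record, and twice in tdbio_db_matches_options, so the copies can drift apart if another TOFU-style model is ever added. A file-local helper such as `static int tm_for_trustdb (int tm) { return (tm == TM_TOFU || tm == TM_TOFU_PGP) ? TM_PGP : tm; }` would give the rule one home, and each site becomes `opt_tm = tm_for_trustdb (opt.trust_model);`. The function body continues past this hunk.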
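Review bot: `rec.r.ver.trust_model = opt_tm;` still writes any non-TOFU value of opt.trust_model into the version record, whereas create_version_record stores only TM_PGP or TM_CLASSIC and falls back to TM_PGP for everything else. If this function can be reached with another model selected (not visible from the hunk), the trustdb would record a model that the create path deliberately never writes. Consider applying the same filter here, `rec.r.ver.trust_model = (opt_tm == TM_CLASSIC) ? TM_CLASSIC : TM_PGP;`, or add a comment stating why the update path may store other models.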
@@ -598,8 +610,8 @@ create_version_record (ctrl_t ctrl) rec.r.ver.marginals = opt.marginals_needed; rec.r.ver.completes = opt.completes_needed; rec.r.ver.cert_depth = opt.max_cert_depth; - if (opt.trust_model == TM_PGP || opt.trust_model == TM_CLASSIC) - rec.r.ver.trust_model = opt.trust_model; + if (opt_tm == TM_PGP || opt_tm == TM_CLASSIC) + rec.r.ver.trust_model = opt_tm; else rec.r.ver.trust_model = TM_PGP; rec.r.ver.min_cert_level = opt.min_cert_level; @@ -883,16 +895,25 @@ tdbio_db_matches_options() { TRUSTREC vr; int rc; + int opt_tm, tm; rc = tdbio_read_record (0, &vr, RECTYPE_VER); if( rc ) log_fatal( _("%s: error reading version record: %s\n"), db_name, gpg_strerror (rc) ); + /* Consider tofu and pgp the same. */ + tm = vr.r.ver.trust_model; + if (tm == TM_TOFU || tm == TM_TOFU_PGP) + tm = TM_PGP; + opt_tm = opt.trust_model; + if (opt_tm == TM_TOFU || opt_tm == TM_TOFU_PGP) + opt_tm = TM_PGP; + yes_no = vr.r.ver.marginals == opt.marginals_needed && vr.r.ver.completes == opt.completes_needed && vr.r.ver.cert_depth == opt.max_cert_depth - && vr.r.ver.trust_model == opt.trust_model + && tm == opt_tm && vr.r.ver.min_cert_level == opt.min_cert_level; }
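Review bot: The `opt_tm` normalisation is redundant in create_version_record, because the `else` branch already stores TM_PGP for every model other than TM_PGP and TM_CLASSIC; a TOFU value never reached the record on this path even before the change. Keeping it is harmless, but a comment on the `else` such as `/* Any other model, including TOFU, is recorded as PGP. */` would state the rule once, and the extra local could then be dropped from this function. The start of the function is in the preceding hunk.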
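Review bot: The comment `/* Consider tofu and pgp the same. */` in tdbio_db_matches_options does not say why the stored value `tm` is normalised as well, given that the write paths in this commit no longer store a TOFU model. Presumably this covers trustdbs written before the change; if so, say it, e.g. `/* A trustdb written by an older version may still record a TOFU model; treat it and the TOFU options as PGP so switching between them is not reported as a mismatch. */`. Because a tofu/pgp switch now compares equal, the comment should also note what callers do on a mismatch, so a reader can see that skipping that step is intended. The enclosing block starts and ends outside the hunk (`yes_no` is declared elsewhere).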