Examples disclosed herein relate to use of MACsec to encrypt tunnel data packets. In an example, a MACsec capable device may receive a data packet from a host device for tunneling to a controller. MACsec capable device may encapsulate the data packet with an encapsulation header to generate an encapsulated data packet. The encapsulation header may comprise a destination MAC address reserved for the controller. MACsec capable device may direct the encapsulated data packet to a MACsec engine. MACsec engine may encrypt the encapsulated data packet with the encryption key to generate an encrypted data packet. MACsec capable device may encapsulate the encrypted data packet with a first GRE header. MACsec capable device may send the encrypted data packet with the first GRE header to the controller via a GRE tunnel.