diff --git a/src/ptserver/pts.c b/src/ptserver/pts.c
index 7b90a92..1a329c1 100644
--- a/src/ptserver/pts.c
+++ b/src/ptserver/pts.c
@@ -176,6 +176,10 @@ GetGlobals(struct cmd_syndesc *as, void *arock)
 	changed = 1;
 	sec = 1;
     }
+    if (as->parms[22].items) { /* -encrypt */
+	changed = 1;
+	sec = 3;
+    }
     if (as->parms[18].items || as->parms[20].items) {	/* -test, -localauth */
 	changed = 1;
 	confdir = AFSDIR_SERVER_ETC_DIRPATH;
@@ -1022,6 +1026,8 @@ add_std_args(register struct cmd_syndesc *ts)
 		"use local authentication");
     cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL,
 		"use user's authentication (default)");
+    cmd_AddParm(ts, "-encrypt", CMD_FLAG, CMD_OPTIONAL,
+		"encrypt commands");
 }
 
 /*
diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
index fcd9d69..a5f7d16 100644
--- a/src/ptserver/ptuser.c
+++ b/src/ptserver/ptuser.c
@@ -203,6 +203,8 @@ pr_Initialize(IN afs_int32 secLevel, IN char *confDir, IN char *cell)
 	code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
 	if (code) {
 	    afs_com_err(whoami, code, "(getting token)");
+	    if (secLevel > 1)
+		return code;
 	    scIndex = 0;
 	} else {
 	    if (ttoken.kvno >= 0 && ttoken.kvno <= 256)
@@ -215,7 +217,8 @@ pr_Initialize(IN afs_int32 secLevel, IN char *confDir, IN char *cell)
 		scIndex = 2;
 	    }
 	    sc[2] =
-		rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
+		rxkad_NewClientSecurityObject((secLevel > 1) ? rxkad_crypt :
+					      rxkad_clear, &ttoken.sessionKey,
 					      ttoken.kvno, ttoken.ticketLen,
 					      ttoken.ticket);
 	}