diff --git a/config-templates/config.php b/config-templates/config.php
index d553a502b3d9891e3cea1c7d84687aee1ac0ad4a..11e22bcaf7d0c701d48096d8e26f34476abc18bc 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -28,6 +28,8 @@ $config = array (
 	 * If you enable this option, simpleSAMLphp will log all sent and received messages
 	 * to the log file.
 	 *
+	 * This option also enables logging of the messages that are encrypted and decrypted.
+	 *
 	 * Note: The messages are logged with the DEBUG log level, so you also need to set
 	 * the 'logging.level' option to LOG_DEBUG.
 	 */
diff --git a/lib/SAML2/EncryptedAssertion.php b/lib/SAML2/EncryptedAssertion.php
index 07bf4432cd49507047599cf83d94dd3c2c0c9f8d..5084ebb6d40552090ba75eea7a116f64d92c6a8a 100644
--- a/lib/SAML2/EncryptedAssertion.php
+++ b/lib/SAML2/EncryptedAssertion.php
@@ -46,6 +46,9 @@ class SAML2_EncryptedAssertion {
 
 		$xml = $assertion->toXML();
 
+		$xmlStr = $xml->ownerDocument->saveXML($xml);
+		SimpleSAML_Utilities::debugMessage($xmlStr, 'encrypt');
+
 		$enc = new XMLSecEnc();
 		$enc->setNode($xml);
 		$enc->type = XMLSecEnc::Element;
@@ -84,6 +87,10 @@ class SAML2_EncryptedAssertion {
 	public function getAssertion(XMLSecurityKey $inputKey) {
 
 		$assertionXML = SAML2_Utils::decryptElement($this->encryptedData, $inputKey);
+
+		$xmlStr = $assertionXML->ownerDocument->saveXML($assertionXML);
+		SimpleSAML_Utilities::debugMessage($xmlStr, 'decrypt');
+
 		return new SAML2_Assertion($assertionXML);
 	}
 
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index 02057ee2548b8f7a171c52f64f5a47ce589705e5..95b165c185c77ac27581ca0c771131baca78d00c 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1911,11 +1911,10 @@ class SimpleSAML_Utilities {
 	 * Helper function to log messages that we send or receive.
 	 *
 	 * @param string $message  The message, as an XML string.
-	 * @param string $type  Whether this message is sent or received.
+	 * @param string $type  Whether this message is sent or received, encrypted or decrypted.
 	 */
 	public static function debugMessage($message, $type) {
 		assert('is_string($message)');
-		assert('$type === "out" || $type === "in"');
 
 		$globalConfig = SimpleSAML_Configuration::getInstance();
 		if (!$globalConfig->getBoolean('debug', FALSE)) {
@@ -1923,10 +1922,21 @@ class SimpleSAML_Utilities {
 			return;
 		}
 
-		if ($type === 'in') {
+		switch ($type) {
+		case 'in':
 			SimpleSAML_Logger::debug('Received message:');
-		} else {
+			break;
+		case 'out':
 			SimpleSAML_Logger::debug('Sending message:');
+			break;
+		case 'decrypt':
+			SimpleSAML_Logger::debug('Decrypted message:');
+			break;
+		case 'encrypt':
+			SimpleSAML_Logger::debug('Encrypted message:');
+			break;
+		default:
+			assert(FALSE);
 		}
 
 		$str = self::formatXMLString($message);