diff --git a/p2p/security/tls/crypto.go b/p2p/security/tls/crypto.go
index 385de5a167..70a594d060 100644
--- a/p2p/security/tls/crypto.go
+++ b/p2p/security/tls/crypto.go
@@ -11,6 +11,7 @@ import (
 "encoding/asn1"
 "errors"
 "fmt"
+"io"
 "math/big"
 "os"
 "runtime/debug"
@@ -41,6 +42,7 @@ type Identity struct {
 // IdentityConfig is used to configure an Identity
 type IdentityConfig struct {
 CertTemplate *x509.Certificate
+KeyLogWriter io.Writer
 }
 
 // IdentityOption transforms an IdentityConfig to apply optional settings.
@@ -53,6 +55,18 @@ func WithCertTemplate(template *x509.Certificate) IdentityOption {
 }
 }
 
+// WithKeyLogWriter optionally specifies a destination for TLS master secrets
+// in NSS key log format that can be used to allow external programs
+// such as Wireshark to decrypt TLS connections.
+// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
+// Use of KeyLogWriter compromises security and should only be
+// used for debugging.
+func WithKeyLogWriter(w io.Writer) IdentityOption {
+return func(c *IdentityConfig) {
+c.KeyLogWriter = w
+}
+}
+
 // NewIdentity creates a new identity
 func NewIdentity(privKey ic.PrivKey, opts ...IdentityOption) (*Identity, error) {
 config := IdentityConfig{}
@@ -83,6 +97,7 @@ func NewIdentity(privKey ic.PrivKey, opts ...IdentityOption) (*Identity, error)
 },
 NextProtos: []string{alpn},
 SessionTicketsDisabled: true,
+KeyLogWriter: config.KeyLogWriter,
 },
 }, nil
 }
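Review bot: The doc comment on WithKeyLogWriter warns that the option compromises security but does not tell the caller its scope or its failure mode, which is what an operator who enables it needs to know. The writer is placed on the Identity's base tls.Config (the `KeyLogWriter: config.KeyLogWriter` line in the last hunk), so presumably every connection this Identity handshakes, inbound and outbound, has its secrets written for as long as the Identity lives; and crypto/tls aborts a handshake with an internal_error alert when the writer's Write returns an error, so a closed file or full disk turns a debugging aid into an outage. I would extend the comment with `// The writer applies to every connection handshaked with this Identity for its whole lifetime, and a failing Write aborts the handshake, so keep it open and writable while the Identity is in use.` It may also be worth having NewIdentity surface a warning when a writer is configured so a debugging build is not deployed silently, though no logger is visible in this file to do that with.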