diff --git a/CHANGELOG.md b/CHANGELOG.md
index db82903a..e7f99d06 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+### Developing
+- Added support for message encryption over HTTP when using NTLM and CredSSP
+- Added parameter to disable TLSv1.2 when using CredSSP for Server 2008 support
+
 ### Version 0.2.2
 - Added support for CredSSP authenication (via requests-credssp)
 - Improved README, see 'Valid transport options' section
diff --git a/README.md b/README.md
index 7eb85cea..d4b3bba2 100644
--- a/README.md
+++ b/README.md
@@ -134,21 +134,58 @@ pywinrm supports various transport methods in order to authenticate with the Win
 * `certificate`: Authentication is done through a certificate that is mapped to a local Windows account on the server.
 * `ssl`: When used in conjunction with `cert_pem` and `cert_key_pem` it will use a certificate as above. If not will revert to basic auth over HTTPS.
 * `kerberos`: Will use Kerberos authentication for domain accounts which only works when the client is in the same domain as the server and the required dependencies are installed. Currently a Kerberos ticket needs to be initiliased outside of pywinrm using the kinit command.
-* `ntlm`: Will use NTLM authentication for both domain and local accounts. Currently no support for NTLMv2 auth and other features included in that version (WIP).
+* `ntlm`: Will use NTLM authentication for both domain and local accounts.
 * `credssp`: Will use CredSSP authentication for both domain and local accounts. Allows double hop authentication. This only works over a HTTPS endpoint and not HTTP.
 
-### HTTP or HTTPS endpoint
+### Encryption
 
-While either a HTTP or HTTPS endpoint can be used as the transport method, using HTTPS is prefered as the messages are encrypted using SSL. To use HTTPS either a self signed certificate or one from a CA can be used. You can use this [guide](http://www.joseph-streeter.com/?p=1086) to set up a HTTPS endpoint with a self signed certificate.
+By default WinRM will not accept unencrypted messages from a client and Pywinrm
+currently has 2 ways to do this.
+
+1. Using a HTTPS endpoint instead of HTTP (Recommended)
+2. Use NTLM or CredSSP as the transport auth and setting `message_encryption` to `auto` or `always`
+
+Using a HTTPS endpoint is recommended as it will encrypt all the data sent
+through to the server including the credentials and works with all transport
+auth types. You can use [this script](https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1)
+to easily set up a HTTPS endpoint on WinRM with a self signed certificate but
+in a production environment this should be hardened with your own process.
+
+The second option is to use NTLM or CredSSP and set the `message_encryption`
+arg to protocol to `auto` or `always`. This will use the authentication GSS-API
+Wrap and Unwrap methods if available to encrypt the message contents sent to
+the server. This form of encryption is independent from the transport layer
+like TLS and is currently only supported by the NTLM and CredSSP transport
+auth. Kerberos currently does not have the methods available to achieve this.
+
+To configure message encryption you can use the `message_encryption` argument
+when initialising protocol. This option has 3 values that can be set as shown
+below.
+
+* `auto`: Default, Will only use message encryption if it is available for the auth method and HTTPS isn't used.
+* `never`: Will never use message encryption even when not over HTTPS.
+* `always`: Will always use message encryption even when running over HTTPS.
+
+If you set the value to `always` and the transport opt doesn't support message
+encryption i.e. Basic auth, Pywinrm will throw an exception.
+
+If you do not use a HTTPS endpoint or message encryption then the Windows
+server will automatically reject Pywinrm. You can change the settings on the
+Windows server to allow unencrypted messages and credentials but this highly
+insecure and shouldn't be used unless necessary. To allow unencrypted message
+run the following command either from cmd or powershell
 
-If you still wish to use a HTTP endpoint and loose confidentiality in your messages you will need to enable unencrypted messages in the server by running the following command
 ```
-# from cmd:
+# from cmd
 winrm set winrm/config/service @{AllowUnencrypted="true"}
+
+# or from powershell
+Set-Item -Path "WSMan:\localhost\Service\AllowUnencrypted" -Value $true
 ```
-As a repeat this should definitely not be used as your credentials and messages will allow anybody to see what is sent over the wire.
 
-There are plans in place to allow message encryption for messages sent with Kerberos or NTLM messages in the future.
+As a repeat this should definitely not be used as your credentials and messages
+will allow anybody to see what is sent over the wire.
+
 
 ### Enabling WinRM on remote host
 Enable WinRM over HTTP and HTTPS with self-signed certificate (includes firewall rules):
diff --git a/appveyor.yml b/appveyor.yml
index b5f5bc63..da156e83 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -49,5 +49,10 @@ test_script:
 
       py.test -v --cov-report=term-missing --cov=.
 
+      # Run integration tests with NTLM to check message encryption
+      $env:WINRM_TRANSPORT="ntlm"
+      Set-Item WSMan:\localhost\Service\AllowUnencrypted $false
+      py.test -v winrm/tests/test_integration_protocol.py winrm/tests/test_integration_session.py
+
 after_test:
   - echo after_test
diff --git a/setup.cfg b/setup.cfg
index 536d2dee..84afeed8 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -4,6 +4,6 @@ requires = python-xmltodict
 [bdist_wheel]
 universal = 1
 
-[pytest]
+[tool:pytest]
 norecursedirs = .git .idea env
 pep8ignore = tests/*.py E501
diff --git a/winrm/encryption.py b/winrm/encryption.py
new file mode 100644
index 00000000..73341fd5
--- /dev/null
+++ b/winrm/encryption.py
@@ -0,0 +1,208 @@
+import requests
+import re
+import struct
+
+from winrm.exceptions import WinRMError
+
+class Encryption(object):
+
+    SIXTEN_KB = 16384
+    MIME_BOUNDARY = b'--Encrypted Boundary'
+
+    def __init__(self, session, protocol):
+        """
+        [MS-WSMV] v30.0 2016-07-14
+
+        2.2.9.1 Encrypted Message Types
+        When using Encryption, there are three options available
+            1. Negotiate/SPNEGO
+            2. Kerberos
+            3. CredSSP
+        Details for each implementation can be found in this document under this section
+
+        This init sets the following values to use to encrypt and decrypt. This is to help generify
+        the methods used in the body of the class.
+            wrap: A method that will return the encrypted message and a signature
+            unwrap: A method that will return an unencrypted message and verify the signature
+            protocol_string: The protocol string used for the particular auth protocol
+
+        :param session: The handle of the session to get GSS-API wrap and unwrap methods
+        :param protocol: The auth protocol used, will determine the wrapping and unwrapping method plus
+                         the protocol string to use. Currently only NTLM and CredSSP is supported
+        """
+        self.protocol = protocol
+        self.session = session
+
+        if protocol == 'ntlm': # Details under Negotiate [2.2.9.1.1] in MS-WSMV
+            self.protocol_string = b"application/HTTP-SPNEGO-session-encrypted"
+            self._build_message = self._build_ntlm_message
+            self._decrypt_message = self._decrypt_ntlm_message
+        elif protocol == 'credssp': # Details under CredSSP [2.2.9.1.3] in MS-WSMV
+            self.protocol_string = b"application/HTTP-CredSSP-session-encrypted"
+            self._build_message = self._build_credssp_message
+            self._decrypt_message = self._decrypt_credssp_message
+        # TODO: Add support for Kerberos encryption
+        else:
+            raise WinRMError("Encryption for protocol '%s' not yet supported in pywinrm" % protocol)
+
+    def prepare_encrypted_request(self, session, endpoint, message):
+        """
+        Creates a prepared request to send to the server with an encrypted message
+        and correct headers
+
+        :param session: The handle of the session to prepare requests with
+        :param endpoint: The endpoint/server to prepare requests to
+        :param message: The unencrypted message to send to the server
+        :return: A prepared request that has an encrypted message
+        """
+        if self.protocol == 'credssp' and len(message) > self.SIXTEN_KB:
+            content_type = 'multipart/x-multi-encrypted'
+            encrypted_message = b''
+            message_chunks = [message[i:i+self.SIXTEN_KB] for i in range(0, len(message), self.SIXTEN_KB)]
+            for message_chunk in message_chunks:
+                encrypted_chunk = self._encrypt_message(message_chunk)
+                encrypted_message += encrypted_chunk
+        else:
+            content_type = 'multipart/encrypted'
+            encrypted_message = self._encrypt_message(message)
+        encrypted_message += self.MIME_BOUNDARY + b"--\r\n"
+
+        request = requests.Request('POST', endpoint, data=encrypted_message)
+        prepared_request = session.prepare_request(request)
+        prepared_request.headers['Content-Length'] = str(len(prepared_request.body))
+        prepared_request.headers['Content-Type'] = '{0};protocol="{1}";boundary="Encrypted Boundary"'\
+            .format(content_type, self.protocol_string.decode())
+
+        return prepared_request
+
+    def parse_encrypted_response(self, response):
+        """
+        Takes in the encrypted response from the server and decrypts it
+
+        :param response: The response that needs to be decrytped
+        :return: The unencrypted message from the server
+        """
+        content_type = response.headers['Content-Type']
+        if 'protocol="{0}"'.format(self.protocol_string.decode()) in content_type:
+            msg = self._decrypt_response(response)
+        else:
+            msg = response.text
+
+        return msg
+
+    def _encrypt_message(self, message):
+        message_length = str(len(message)).encode()
+        encrypted_stream = self._build_message(message)
+
+        message_payload = self.MIME_BOUNDARY + b"\r\n" \
+                          b"\tContent-Type: " + self.protocol_string + b"\r\n" \
+                          b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=" + message_length + b"\r\n" + \
+                          self.MIME_BOUNDARY + b"\r\n" \
+                          b"\tContent-Type: application/octet-stream\r\n" + \
+                          encrypted_stream
+
+        return message_payload
+
+    def _decrypt_response(self, response):
+        parts = response.content.split(self.MIME_BOUNDARY + b'\r\n')
+        parts = list(filter(None, parts)) # filter out empty parts of the split
+        message = b''
+
+        for i in range(0, len(parts)):
+            if i % 2 == 1:
+                continue
+
+            header = parts[i].strip()
+            payload = parts[i + 1]
+
+            expected_length = int(header.split(b'Length=')[1])
+
+            # remove the end MIME block if it exists
+            if payload.endswith(self.MIME_BOUNDARY + b'--\r\n'):
+                payload = payload[:len(payload) - 24]
+
+            encrypted_data = payload.replace(b'\tContent-Type: application/octet-stream\r\n', b'')
+            decrypted_message = self._decrypt_message(encrypted_data)
+            actual_length = len(decrypted_message)
+
+            if actual_length != expected_length:
+                raise WinRMError('Encrypted length from server does not match the '
+                                 'expected size, message has been tampered with')
+            message += decrypted_message
+
+        return message
+
+    def _decrypt_ntlm_message(self, encrypted_data):
+        signature_length = struct.unpack("<i", encrypted_data[:4])[0]
+        signature = encrypted_data[4:signature_length + 4]
+        encrypted_message = encrypted_data[signature_length + 4:]
+
+        message = self.session.auth.session_security.unwrap(encrypted_message, signature)
+
+        return message
+
+    def _decrypt_credssp_message(self, encrypted_data):
+        # trailer_length = struct.unpack("<i", encrypted_data[:4])[0]
+        encrypted_message = encrypted_data[4:]
+
+        message = self.session.auth.unwrap(encrypted_message)
+
+        return message
+
+    def _build_ntlm_message(self, message):
+        sealed_message, signature = self.session.auth.session_security.wrap(message)
+        signature_length = struct.pack("<i", len(signature))
+
+        return signature_length + signature + sealed_message
+
+    def _build_credssp_message(self, message):
+        sealed_message = self.session.auth.wrap(message)
+
+        trailer_length = self._get_credssp_trailer_length(len(message), self.session.auth.cipher_negotiated)
+
+        return struct.pack("<i", trailer_length) + sealed_message
+
+    def _get_credssp_trailer_length(self, message_length, cipher_suite):
+        # I really don't like the way this works but can't find a better way, MS
+        # allows you to get this info through the struct SecPkgContext_StreamSizes
+        # but there is no GSSAPI/OpenSSL equivalent so we need to calculate it
+        # ourselves
+
+        if re.match('^.*-GCM-[\w\d]*$', cipher_suite):
+            # We are using GCM for the cipher suite, GCM has a fixed length of 16
+            # bytes for the TLS trailer making it easy for us
+            trailer_length = 16
+        else:
+            # We are not using GCM so need to calculate the trailer size. The
+            # trailer length is equal to the length of the hmac + the length of the
+            # padding required by the block cipher
+            hash_algorithm = cipher_suite.split('-')[-1]
+
+            # while there are other algorithms, SChannel doesn't support them
+            # as of yet https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
+            if hash_algorithm == 'MD5':
+                hash_length = 16
+            elif hash_algorithm == 'SHA':
+                hash_length = 20
+            elif hash_algorithm == 'SHA256':
+                hash_length = 32
+            elif hash_algorithm == 'SHA384':
+                hash_length = 48
+            else:
+                hash_length = 0
+
+            pre_pad_length = message_length + hash_length
+
+            if "RC4" in cipher_suite:
+                # RC4 is a stream cipher so no padding would be added
+                padding_length = 0
+            elif "DES" in cipher_suite or "3DES" in cipher_suite:
+                # 3DES is a 64 bit block cipher
+                padding_length = 8 - (pre_pad_length % 8)
+            else:
+                # AES is a 128 bit block cipher
+                padding_length = 16 - (pre_pad_length % 16)
+
+            trailer_length = (pre_pad_length + padding_length) - message_length
+
+        return trailer_length
diff --git a/winrm/protocol.py b/winrm/protocol.py
index 70ff2f68..29a40967 100644
--- a/winrm/protocol.py
+++ b/winrm/protocol.py
@@ -30,6 +30,8 @@ def __init__(
             read_timeout_sec=DEFAULT_READ_TIMEOUT_SEC,
             operation_timeout_sec=DEFAULT_OPERATION_TIMEOUT_SEC,
             kerberos_hostname_override=None,
+            message_encryption='auto',
+            credssp_disable_tlsv1_2=False
         ):
         """
         @param string endpoint: the WinRM webservice endpoint
@@ -47,6 +49,7 @@ def __init__(
         @param int read_timeout_sec: maximum seconds to wait before an HTTP connect/read times out (default 30). This value should be slightly higher than operation_timeout_sec, as the server can block *at least* that long. # NOQA
         @param int operation_timeout_sec: maximum allowed time in seconds for any single wsman HTTP operation (default 20). Note that operation timeouts while receiving output (the only wsman operation that should take any significant time, and where these timeouts are expected) will be silently retried indefinitely. # NOQA
         @param string kerberos_hostname_override: the hostname to use for the kerberos exchange (defaults to the hostname in the endpoint URL)
+        @param bool message_encryption_enabled: Will encrypt the WinRM messages if set to True and the transport auth supports message encryption (Default True).
         """
 
         if operation_timeout_sec >= read_timeout_sec or operation_timeout_sec < 1:
@@ -65,7 +68,10 @@ def __init__(
             server_cert_validation=server_cert_validation,
             kerberos_delegation=kerberos_delegation,
             kerberos_hostname_override=kerberos_hostname_override,
-            auth_method=transport)
+            auth_method=transport,
+            message_encryption=message_encryption,
+            credssp_disable_tlsv1_2=credssp_disable_tlsv1_2
+        )
 
         self.username = username
         self.password = password
@@ -75,6 +81,7 @@ def __init__(
         self.server_cert_validation = server_cert_validation
         self.kerberos_delegation = kerberos_delegation
         self.kerberos_hostname_override = kerberos_hostname_override
+        self.credssp_disable_tlsv1_2 = credssp_disable_tlsv1_2
 
     def open_shell(self, i_stream='stdin', o_stream='stdout stderr',
                    working_directory=None, env_vars=None, noprofile=False,
diff --git a/winrm/tests/test_encryption.py b/winrm/tests/test_encryption.py
new file mode 100644
index 00000000..54bf07a2
--- /dev/null
+++ b/winrm/tests/test_encryption.py
@@ -0,0 +1,284 @@
+import base64
+import pytest
+import struct
+
+from winrm.encryption import Encryption
+from winrm.exceptions import WinRMError
+
+
+def test_init_with_invalid_protocol():
+    with pytest.raises(WinRMError) as excinfo:
+        Encryption(None, 'invalid_protocol')
+
+    assert "Encryption for protocol 'invalid_protocol' not yet supported in pywinrm" in str(excinfo.value)
+
+
+def test_encrypt_message():
+    test_session = SessionTest()
+    test_message = b"unencrypted message"
+    test_endpoint = b"endpoint"
+
+    encryption = Encryption(test_session, 'ntlm')
+
+    actual = encryption.prepare_encrypted_request(test_session, test_endpoint, test_message)
+    expected_encrypted_message = b"dW5lbmNyeXB0ZWQgbWVzc2FnZQ=="
+    expected_signature = b"1234"
+    signature_length = struct.pack("<i", len(expected_signature))
+
+    assert actual.headers == {
+        "Content-Length": "272",
+        "Content-Type": 'multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"'
+    }
+    assert actual.body == b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/HTTP-SPNEGO-session-encrypted\r\n" \
+                          b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=19\r\n" \
+                          b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/octet-stream\r\n" + \
+                          signature_length + expected_signature + expected_encrypted_message + \
+                          b"--Encrypted Boundary--\r\n"
+
+
+def test_encrypt_large_credssp_message():
+    test_session = SessionTest()
+    test_message = b"unencrypted message " * 2048
+    test_endpoint = b"endpoint"
+    message_chunks = [test_message[i:i + 16384] for i in range(0, len(test_message), 16384)]
+
+    encryption = Encryption(test_session, 'credssp')
+
+    actual = encryption.prepare_encrypted_request(test_session, test_endpoint, test_message)
+    expected_encrypted_message1 = base64.b64encode(message_chunks[0])
+    expected_encrypted_message2 = base64.b64encode(message_chunks[1])
+    expected_encrypted_message3 = base64.b64encode(message_chunks[2])
+
+    assert actual.headers == {
+        "Content-Length": "55303",
+        "Content-Type": 'multipart/x-multi-encrypted;protocol="application/HTTP-CredSSP-session-encrypted";boundary="Encrypted Boundary"'
+    }
+
+    assert actual.body == b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/HTTP-CredSSP-session-encrypted\r\n" \
+                          b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=16384\r\n" \
+                          b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/octet-stream\r\n" + \
+                          struct.pack("<i", 32) + expected_encrypted_message1 + \
+                          b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/HTTP-CredSSP-session-encrypted\r\n" \
+                          b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=16384\r\n" \
+                          b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/octet-stream\r\n" + \
+                          struct.pack("<i", 32) + expected_encrypted_message2 + \
+                          b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/HTTP-CredSSP-session-encrypted\r\n" \
+                          b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=8192\r\n" \
+                          b"--Encrypted Boundary\r\n" \
+                          b"\tContent-Type: application/octet-stream\r\n" + \
+                          struct.pack("<i", 32) + expected_encrypted_message3 + \
+                          b"--Encrypted Boundary--\r\n"
+
+
+def test_decrypt_message():
+    test_session = SessionTest()
+    test_encrypted_message = b"dW5lbmNyeXB0ZWQgbWVzc2FnZQ=="
+    test_signature = b"1234"
+    test_signature_length = struct.pack("<i", len(test_signature))
+    test_message = b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/HTTP-SPNEGO-session-encrypted\r\n" \
+                   b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=19\r\n" \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/octet-stream\r\n" + \
+                   test_signature_length + test_signature + test_encrypted_message + \
+                   b"--Encrypted Boundary\r\n"
+    test_response = ResponseTest('protocol="application/HTTP-SPNEGO-session-encrypted"', test_message)
+
+    encryption = Encryption(test_session, 'ntlm')
+
+    actual = encryption.parse_encrypted_response(test_response)
+
+    assert actual == b'unencrypted message'
+
+
+def test_decrypt_message_boundary_with_end_hyphens():
+    test_session = SessionTest()
+    test_encrypted_message = b"dW5lbmNyeXB0ZWQgbWVzc2FnZQ=="
+    test_signature = b"1234"
+    test_signature_length = struct.pack("<i", len(test_signature))
+    test_message = b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/HTTP-SPNEGO-session-encrypted\r\n" \
+                   b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=19\r\n" \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/octet-stream\r\n" + \
+                   test_signature_length + test_signature + test_encrypted_message + \
+                   b"--Encrypted Boundary--\r\n"
+    test_response = ResponseTest('protocol="application/HTTP-SPNEGO-session-encrypted"', test_message)
+
+    encryption = Encryption(test_session, 'ntlm')
+
+    actual = encryption.parse_encrypted_response(test_response)
+
+    assert actual == b'unencrypted message'
+
+
+def test_decrypt_message_length_mismatch():
+    test_session = SessionTest()
+    test_encrypted_message = b"dW5lbmNyeXB0ZWQgbWVzc2FnZQ=="
+    test_signature = b"1234"
+    test_signature_length = struct.pack("<i", len(test_signature))
+    test_message = b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/HTTP-SPNEGO-session-encrypted\r\n" \
+                   b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=20\r\n" \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/octet-stream\r\n" + \
+                   test_signature_length + test_signature + test_encrypted_message + \
+                   b"--Encrypted Boundary--\r\n"
+    test_response = ResponseTest('protocol="application/HTTP-SPNEGO-session-encrypted"', test_message)
+
+    encryption = Encryption(test_session, 'ntlm')
+
+    with pytest.raises(WinRMError) as excinfo:
+        encryption.parse_encrypted_response(test_response)
+
+    assert "Encrypted length from server does not match the expected size, message has been tampered with" in str(excinfo.value)
+
+
+def test_decrypt_large_credssp_message():
+    test_session = SessionTest()
+
+    test_unencrypted_message = b"unencrypted message " * 2048
+    test_encrypted_message_chunks = [test_unencrypted_message[i:i + 16384] for i in range(0, len(test_unencrypted_message), 16384)]
+
+    test_encrypted_message1 = base64.b64encode(test_encrypted_message_chunks[0])
+    test_encrypted_message2 = base64.b64encode(test_encrypted_message_chunks[1])
+    test_encrypted_message3 = base64.b64encode(test_encrypted_message_chunks[2])
+
+    test_message = b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/HTTP-CredSSP-session-encrypted\r\n" \
+                   b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=16384\r\n" \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/octet-stream\r\n" + \
+                   struct.pack("<i", 5443) + test_encrypted_message1 + \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/HTTP-CredSSP-session-encrypted\r\n" \
+                   b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=16384\r\n" \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/octet-stream\r\n" + \
+                   struct.pack("<i", 5443) + test_encrypted_message2 + \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/HTTP-CredSSP-session-encrypted\r\n" \
+                   b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=8192\r\n" \
+                   b"--Encrypted Boundary\r\n" \
+                   b"\tContent-Type: application/octet-stream\r\n" + \
+                   struct.pack("<i", 2711) + test_encrypted_message3 + \
+                   b"--Encrypted Boundary--\r\n"
+
+    test_response = ResponseTest('protocol="application/HTTP-CredSSP-session-encrypted"', test_message)
+
+    encryption = Encryption(test_session, 'credssp')
+
+    actual = encryption.parse_encrypted_response(test_response)
+
+    assert actual == test_unencrypted_message
+
+
+def test_decrypt_message_decryption_not_needed():
+    test_session = SessionTest()
+    test_response = ResponseTest('application/soap+xml', 'unencrypted message')
+
+    encryption = Encryption(test_session, 'ntlm')
+
+    actual = encryption.parse_encrypted_response(test_response)
+
+    assert actual == 'unencrypted message'
+
+
+def test_get_credssp_trailer_length_gcm():
+    test_session = SessionTest()
+    encryption = Encryption(test_session, 'credssp')
+    expected = 16
+    actual = encryption._get_credssp_trailer_length(30, 'ECDHE-RSA-AES128-GCM-SHA256')
+
+    assert actual == expected
+
+
+def test_get_credssp_trailer_length_md5_rc4():
+    test_session = SessionTest()
+    encryption = Encryption(test_session, 'credssp')
+    expected = 16
+    actual = encryption._get_credssp_trailer_length(30, 'RC4-MD5')
+
+    assert actual == expected
+
+
+def test_get_credssp_trailer_length_sha256_3des():
+    test_session = SessionTest()
+    encryption = Encryption(test_session, 'credssp')
+    expected = 34
+    actual = encryption._get_credssp_trailer_length(30, 'ECDH-ECDSA-3DES-SHA256')
+
+    assert actual == expected
+
+
+def test_get_credssp_trailer_length_sha384_aes():
+    test_session = SessionTest()
+    encryption = Encryption(test_session, 'credssp')
+    expected = 50
+    actual = encryption._get_credssp_trailer_length(30, 'ECDH-RSA-AES-SHA384')
+
+    assert actual == expected
+
+
+def test_get_credssp_trailer_length_no_hash():
+    test_session = SessionTest()
+    encryption = Encryption(test_session, 'credssp')
+    expected = 2
+    actual = encryption._get_credssp_trailer_length(30, 'ECDH-RSA-AES')
+
+    assert actual == expected
+
+
+class SessionTest(object):
+    def __init__(self):
+        self.auth = AuthTest()
+
+    def prepare_request(self, request):
+        request.body = request.data
+        return request
+
+
+class AuthTest(object):
+    def __init__(self):
+        # used with NTLM
+        self.session_security = SessionSecurityTest()
+        # used with CredSSP
+        self.cipher_negotiated = 'ECDH-RSA-AES256-SHA'
+
+    # used with CredSSP
+    def wrap(self, message):
+        encoded_message, signature = self.session_security.wrap(message)
+        return encoded_message
+
+    # used with CredSSP
+    def unwrap(self, message):
+        decoded_mesage = self.session_security.unwrap(message, b"1234")
+        return decoded_mesage
+
+
+class SessionSecurityTest(object):
+    def wrap(self, message):
+        encoded_message = base64.b64encode(message)
+        signature = b"1234"
+        return encoded_message, signature
+
+    def unwrap(self, message, signature):
+        assert signature == b"1234"
+        decoded_message = base64.b64decode(message)
+        return decoded_message
+
+
+class ResponseTest(object):
+    def __init__(self, content_type, content):
+        self.headers = {
+            'Content-Type': content_type
+        }
+        self.content = content
+        self.text = content
diff --git a/winrm/transport.py b/winrm/transport.py
index bb2f881a..ef5b048f 100644
--- a/winrm/transport.py
+++ b/winrm/transport.py
@@ -9,10 +9,12 @@
 
 if is_py2:
     from urlparse import urlsplit, urlunsplit
+
     # use six for this instead?
     unicode_type = type(u'')
 else:
     from urllib.parse import urlsplit, urlunsplit
+
     # use six for this instead?
     unicode_type = type(u'')
 
@@ -26,6 +28,7 @@
 HAVE_KERBEROS = False
 try:
     from requests_kerberos import HTTPKerberosAuth, REQUIRED, OPTIONAL, DISABLED
+
     HAVE_KERBEROS = True
 except ImportError:
     pass
@@ -33,6 +36,7 @@
 HAVE_NTLM = False
 try:
     from requests_ntlm import HttpNtlmAuth
+
     HAVE_NTLM = True
 except ImportError as ie:
     pass
@@ -40,26 +44,28 @@
 HAVE_CREDSSP = False
 try:
     from requests_credssp import HttpCredSSPAuth
+
     HAVE_CREDSSP = True
 except ImportError as ie:
     pass
 
 from winrm.exceptions import BasicAuthDisabledError, InvalidCredentialsError, \
     WinRMError, WinRMTransportError, WinRMOperationTimeoutError
+from winrm.encryption import Encryption
 
 __all__ = ['Transport']
 
-import ssl
 
 class Transport(object):
-    
     def __init__(
             self, endpoint, username=None, password=None, realm=None,
             service=None, keytab=None, ca_trust_path=None, cert_pem=None,
             cert_key_pem=None, read_timeout_sec=None, server_cert_validation='validate',
             kerberos_delegation=False,
             kerberos_hostname_override=None,
-            auth_method='auto'):
+            auth_method='auto',
+            message_encryption='auto',
+            credssp_disable_tlsv1_2=False):
         self.endpoint = endpoint
         self.username = username
         self.password = password
@@ -72,6 +78,8 @@ def __init__(
         self.read_timeout_sec = read_timeout_sec
         self.server_cert_validation = server_cert_validation
         self.kerberos_hostname_override = kerberos_hostname_override
+        self.message_encryption = message_encryption
+        self.credssp_disable_tlsv1_2 = credssp_disable_tlsv1_2
 
         if self.server_cert_validation not in [None, 'validate', 'ignore']:
             raise WinRMError('invalid server_cert_validation mode: %s' % self.server_cert_validation)
@@ -92,19 +100,22 @@ def __init__(
         try:
             from requests.packages.urllib3.exceptions import InsecurePlatformWarning
             warnings.simplefilter('ignore', category=InsecurePlatformWarning)
-        except: pass # oh well, we tried...
+        except:
+            pass  # oh well, we tried...
 
         try:
             from requests.packages.urllib3.exceptions import SNIMissingWarning
             warnings.simplefilter('ignore', category=SNIMissingWarning)
-        except: pass # oh well, we tried...
+        except:
+            pass  # oh well, we tried...
 
         # if we're explicitly ignoring validation, try to suppress InsecureRequestWarning, since the user opted-in
         if self.server_cert_validation == 'ignore':
             try:
                 from requests.packages.urllib3.exceptions import InsecureRequestWarning
                 warnings.simplefilter('ignore', category=InsecureRequestWarning)
-            except: pass # oh well, we tried...
+            except:
+                pass  # oh well, we tried...
 
         # validate credential requirements for various auth types
         if self.auth_method != 'kerberos':
@@ -125,6 +136,12 @@ def __init__(
 
         self.session = None
 
+        # Used for encrypting messages
+        self.encryption = None  # The Pywinrm Encryption class used to encrypt/decrypt messages
+        if self.message_encryption not in ['auto', 'always', 'never']:
+            raise WinRMError(
+                "invalid message_encryption arg: %s. Should be 'auto', 'always', or 'never'" % self.message_encryption)
+
     def build_session(self):
         session = requests.Session()
 
@@ -138,6 +155,7 @@ def build_session(self):
         # we're only applying proxies from env, other settings are ignored
         session.proxies = settings['proxies']
 
+        encryption_available = False
         if self.auth_method == 'kerberos':
             if not HAVE_KERBEROS:
                 raise WinRMError("requested auth method is kerberos, but requests_kerberos is not installed")
@@ -146,7 +164,7 @@ def build_session(self):
                                             force_preemptive=True, principal=self.username,
                                             hostname_override=self.kerberos_hostname_override,
                                             sanitize_mutual_error_response=False)
-        elif self.auth_method in ['certificate','ssl']:
+        elif self.auth_method in ['certificate', 'ssl']:
             if self.auth_method == 'ssl' and not self.cert_pem and not self.cert_key_pem:
                 # 'ssl' was overloaded for HTTPS with optional certificate auth,
                 # fall back to basic auth if no cert specified
@@ -159,47 +177,71 @@ def build_session(self):
             if not HAVE_NTLM:
                 raise WinRMError("requested auth method is ntlm, but requests_ntlm is not installed")
             session.auth = HttpNtlmAuth(username=self.username, password=self.password)
+            # check if requests_ntlm has the session_security attribute available for encryption
+            encryption_available = hasattr(session.auth, 'session_security')
         # TODO: ssl is not exactly right here- should really be client_cert
-        elif self.auth_method in ['basic','plaintext']:
+        elif self.auth_method in ['basic', 'plaintext']:
             session.auth = requests.auth.HTTPBasicAuth(username=self.username, password=self.password)
         elif self.auth_method == 'credssp':
             if not HAVE_CREDSSP:
                 raise WinRMError("requests auth method is credssp, but requests-credssp is not installed")
-            session.auth = HttpCredSSPAuth(username=self.username, password=self.password)
-
+            session.auth = HttpCredSSPAuth(username=self.username, password=self.password,
+                                               disable_tlsv1_2=self.credssp_disable_tlsv1_2)
+            encryption_available = hasattr(session.auth, 'wrap') and hasattr(session.auth, 'unwrap')
         else:
             raise WinRMError("unsupported auth method: %s" % self.auth_method)
 
         session.headers.update(self.default_headers)
-
-        return session
+        self.session = session
+
+        # Will check the current config and see if we need to setup message encryption
+        if self.message_encryption == 'always' and not encryption_available:
+            raise WinRMError(
+                "message encryption is set to 'always' but the selected auth method %s does not support it" % self.auth_method)
+        elif encryption_available:
+            if self.message_encryption == 'always':
+                self.setup_encryption()
+            elif self.message_encryption == 'auto' and not self.endpoint.lower().startswith('https'):
+                self.setup_encryption()
+
+    def setup_encryption(self):
+        # Security context doesn't exist, sending blank message to initialise context
+        request = requests.Request('POST', self.endpoint, data=None)
+        prepared_request = self.session.prepare_request(request)
+        self._send_message_request(prepared_request, '')
+        self.encryption = Encryption(self.session, self.auth_method)
 
     def send_message(self, message):
-        # TODO support kerberos/ntlm session with message encryption
-
         if not self.session:
-            self.session = self.build_session()
+            self.build_session()
 
         # urllib3 fails on SSL retries with unicode buffers- must send it a byte string
         # see https://github.com/shazow/urllib3/issues/717
         if isinstance(message, unicode_type):
             message = message.encode('utf-8')
 
-        request = requests.Request('POST', self.endpoint, data=message)
-        prepared_request = self.session.prepare_request(request)
+        if self.encryption:
+            prepared_request = self.encryption.prepare_encrypted_request(self.session, self.endpoint, message)
+        else:
+            request = requests.Request('POST', self.endpoint, data=message)
+            prepared_request = self.session.prepare_request(request)
 
+        response = self._send_message_request(prepared_request, message)
+        return self._get_message_response_text(response)
+
+    def _send_message_request(self, prepared_request, message):
         try:
             response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
-            response_text = response.text
             response.raise_for_status()
-            return response_text
+            return response
         except requests.HTTPError as ex:
             if ex.response.status_code == 401:
                 raise InvalidCredentialsError("the specified credentials were rejected by the server")
             if ex.response.content:
-                response_text = ex.response.content
+                response_text = self._get_message_response_text(ex.response)
             else:
                 response_text = ''
+
             # Per http://msdn.microsoft.com/en-us/library/cc251676.aspx rule 3,
             # should handle this 500 error and retry receiving command output.
             if b'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive' in message and b'Code="2150858793"' in response_text:
@@ -208,3 +250,10 @@ def send_message(self, message):
             error_message = 'Bad HTTP response returned from server. Code {0}'.format(ex.response.status_code)
 
             raise WinRMTransportError('http', error_message)
+
+    def _get_message_response_text(self, response):
+        if self.encryption:
+            response_text = self.encryption.parse_encrypted_response(response)
+        else:
+            response_text = response.content
+        return response_text