Index: server/common/patches/openafs-pts-encrypt.patch
===================================================================
--- server/common/patches/openafs-pts-encrypt.patch	(revision 907)
+++ server/common/patches/openafs-pts-encrypt.patch	(revision 907)
@@ -0,0 +1,47 @@
+diff --git a/src/ptserver/pts.c b/src/ptserver/pts.c
+index 7b90a92..1a329c1 100644
+--- a/src/ptserver/pts.c
++++ b/src/ptserver/pts.c
+@@ -176,6 +176,10 @@ GetGlobals(struct cmd_syndesc *as, void *arock)
+ 	changed = 1;
+ 	sec = 1;
+     }
++    if (as->parms[22].items) { /* -encrypt */
++	changed = 1;
++	sec = 3;
++    }
+     if (as->parms[18].items || as->parms[20].items) {	/* -test, -localauth */
+ 	changed = 1;
+ 	confdir = AFSDIR_SERVER_ETC_DIRPATH;
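Review bot: The `-encrypt` test assigns `sec = 3` unconditionally and runs after the option handling above it, so it silently overrides whatever level those options selected. If one of them selects the unauthenticated mode (that handling is outside this hunk), a contradictory pair such as `-noauth -encrypt` would be accepted rather than rejected. The `-test`/`-localauth` block just below still switches `confdir` to the server directory while `sec` stays 3, so that combination needs an explicit decision as well. The bare `3` should carry its meaning, e.g. `/* -encrypt: level 3 = tokens required, rxkad_crypt */`. GetGlobals starts and ends outside the hunk.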
+@@ -1022,6 +1026,8 @@ add_std_args(register struct cmd_syndesc *ts)
+ 		"use local authentication");
+     cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL,
+ 		"use user's authentication (default)");
++    cmd_AddParm(ts, "-encrypt", CMD_FLAG, CMD_OPTIONAL,
++		"encrypt commands");
+ }
+ 
+ /*
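Review bot: The help string `"encrypt commands"` understates what the flag does: with the ptuser.c change in this patch, initialization returns an error when no token can be fetched instead of continuing unauthenticated. Wording such as `"require tokens and encrypt the connection"` tells the user why the command can now fail with a token error. The position of this `cmd_AddParm` call is also what makes `as->parms[22]` in GetGlobals refer to `-encrypt`. A short comment such as `/* parms[22]; keep in sync with GetGlobals */` would guard against a later reordering.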
+diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
+index fcd9d69..a5f7d16 100644
+--- a/src/ptserver/ptuser.c
++++ b/src/ptserver/ptuser.c
+@@ -203,6 +203,8 @@ pr_Initialize(IN afs_int32 secLevel, IN char *confDir, IN char *cell)
+ 	code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
+ 	if (code) {
+ 	    afs_com_err(whoami, code, "(getting token)");
++	    if (secLevel > 1)
++		return code;
+ 	    scIndex = 0;
+ 	} else {
+ 	    if (ttoken.kvno >= 0 && ttoken.kvno <= 256)
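Review bot: `secLevel > 1` is true for level 2 as well as the new level 3, both in the early return here and in the `rxkad_NewClientSecurityObject` call in the next hunk. If an existing caller passes 2 and reaches this token path (not visible from the hunk), it now gets a hard failure on a missing token and an encrypted connection, neither of which it requested. If only `-encrypt` is meant, test `secLevel >= 3` in both places. If level 2 is meant to be included, state that in the comment documenting pr_Initialize's security levels. The function body extends beyond the hunk.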
+@@ -215,7 +217,8 @@ pr_Initialize(IN afs_int32 secLevel, IN char *confDir, IN char *cell)
+ 		scIndex = 2;
+ 	    }
+ 	    sc[2] =
+-		rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
++		rxkad_NewClientSecurityObject((secLevel > 1) ? rxkad_crypt :
++					      rxkad_clear, &ttoken.sessionKey,
+ 					      ttoken.kvno, ttoken.ticketLen,
+ 					      ttoken.ticket);
+ 	}
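Review bot: The encryption level is applied only to `sc[2]`, which is built in this token-success branch, while the security class the connections use is chosen by `scIndex`. Apart from the early return added in the previous hunk, nothing visible ties `secLevel > 1` to `scIndex == 2`. Any other path that leaves `scIndex` at 0 (possibly outside the hunk) would run an `-encrypt` request over an unprotected connection without reporting an error. A guard after this block, before the connections are created, makes the request fail closed: `if (secLevel > 1 && scIndex != 2) return ERROR_CODE;`, where `ERROR_CODE` is a placeholder for whichever existing pts error fits. pr_Initialize continues past the end of the hunk, so confirm where `scIndex` is finally consumed before placing the check.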
