diff --git a/dtlstransport.go b/dtlstransport.go
index df3472cf..d468eca7 100644
--- a/dtlstransport.go
+++ b/dtlstransport.go
@@ -342,6 +342,7 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error {
 	dtlsConfig.ExtendedMasterSecret = t.api.settingEngine.dtls.extendedMasterSecret
 	dtlsConfig.ClientCAs = t.api.settingEngine.dtls.clientCAs
 	dtlsConfig.RootCAs = t.api.settingEngine.dtls.rootCAs
+	dtlsConfig.KeyLogWriter = t.api.settingEngine.dtls.keyLogWriter
 
 	// Connect as DTLS Client/Server, function is blocking and we
 	// must not hold the DTLSTransport lock
diff --git a/settingengine.go b/settingengine.go
index 987667cf..921c94b2 100644
--- a/settingengine.go
+++ b/settingengine.go
@@ -71,6 +71,7 @@ type SettingEngine struct {
 		clientAuth *dtls.ClientAuthType
 		clientCAs *x509.CertPool
 		rootCAs *x509.CertPool
+		keyLogWriter io.Writer
 	}
 	sctp struct {
 		maxReceiveBufferSize uint32
@@ -422,6 +423,12 @@ func (e *SettingEngine) SetDTLSRootCAs(rootCAs *x509.CertPool) {
 	e.dtls.rootCAs = rootCAs
 }
 
+// SetDTLSKeyLogWriter sets the destination of the TLS key material for debugging.
+// Logging key material compromises security and should only be use for debugging.
+func (e *SettingEngine) SetDTLSKeyLogWriter(writer io.Writer) {
+	e.dtls.keyLogWriter = writer
+}
+
 // SetSCTPMaxReceiveBufferSize sets the maximum receive buffer size.
 // Leave this 0 for the default maxReceiveBufferSize.
 func (e *SettingEngine) SetSCTPMaxReceiveBufferSize(maxReceiveBufferSize uint32) {
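Review bot: The doc comment on the new SetDTLSKeyLogWriter in the settingengine.go hunk has a typo ("should only be use") and undersells both the consequence of enabling it and the constraints on the writer, which matters for a setting that exports session secrets. The writer is read in DTLSTransport.Start through t.api.settingEngine (first hunk), so it must be set before the transport starts, and it is presumably shared by every transport built from this SettingEngine, which makes concurrent writes likely. I would replace the two comment lines with: `// SetDTLSKeyLogWriter sets the destination for DTLS key material (NSS key log format), for debugging with tools such as Wireshark.` `// Logging key material exposes the secrets of every session and must never be enabled in production.` `// The writer is read when a DTLSTransport starts and may be written by several transports at once, so it must be safe for concurrent use; nil (the default) disables logging.` The key-log format and the nil-disables behaviour follow from the pion/dtls Config.KeyLogWriter field the value is assigned to and should be confirmed against that package's documentation before being stated here.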