diff --git a/hey.go b/hey.go
index f727e26b..d57cf775 100644
--- a/hey.go
+++ b/hey.go
@@ -48,6 +48,7 @@ var (
 	authHeader  = flag.String("a", "", "")
 	hostHeader  = flag.String("host", "", "")
 	userAgent   = flag.String("U", "", "")
+	keyLogFile  = flag.String("k", "", "")
 
 	output = flag.String("o", "", "")
 
@@ -92,6 +93,7 @@ Options:
   -a  Basic authentication, username:password.
   -x  HTTP Proxy address as host:port.
   -h2 Enable HTTP/2.
+  -k  Enable keylog writer for decrypting TLS in a network traffic capture. INSECURE; only used for debugging. Example: -k <file>
 
   -host	HTTP Host header.
 
@@ -232,6 +234,7 @@ func main() {
 		DisableKeepAlives:  *disableKeepAlives,
 		DisableRedirects:   *disableRedirects,
 		H2:                 *h2,
+		KeyLogFile:         *keyLogFile,
 		ProxyAddr:          proxyURL,
 		Output:             *output,
 	}
diff --git a/requester/requester.go b/requester/requester.go
index fd7277e7..6c5c6722 100644
--- a/requester/requester.go
+++ b/requester/requester.go
@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"io"
 	"io/ioutil"
+	"log"
 	"net/http"
 	"net/http/httptrace"
 	"net/url"
@@ -66,6 +67,9 @@ type Work struct {
 	// H2 is an option to make HTTP/2 requests
 	H2 bool
 
+	// Log to a keylog file to allow the user to decrypt TLS traffic in a network packet capture
+	KeyLogFile string
+
 	// Timeout in seconds.
 	Timeout int
 
@@ -235,10 +239,25 @@ func (b *Work) runWorkers() {
 	var wg sync.WaitGroup
 	wg.Add(b.C)
 
+	var keyLogWriter io.Writer
+	if b.KeyLogFile != "" {
+		log.Printf("!!!!! WARNING !!!!! Logging TLS secrets to %v. Your TLS traffic can be decrypted with this file.", b.KeyLogFile)
+
+		var err error
+		// Append so that you can run `hey` multiple times and still log to a single keyfile
+		keyLogWriter, err = os.OpenFile(b.KeyLogFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
+
+		if err != nil {
+			log.Fatalf("Failed to open keylog file for writing: %v", err)
+			os.Exit(1)
+		}
+	}
+
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
 			ServerName:         b.Request.Host,
+			KeyLogWriter:       keyLogWriter,
 		},
 		MaxIdleConnsPerHost: min(b.C, maxIdleConn),
 		DisableCompression:  b.DisableCompression,