diff --git a/modules/demux/Modules.am b/modules/demux/Modules.am
index 33c3ad38b9e82c13a08f0d7487bac31f5797abfa..8a3d0049c36c37deb2860084a61243522f1cd06d 100644
--- a/modules/demux/Modules.am
+++ b/modules/demux/Modules.am
@@ -12,7 +12,6 @@ SOURCES_mkv = mkv.cpp mp4/libmp4.c mp4/drms.c
 SOURCES_live555 = live555.cpp ../access/mms/asf.c ../access/mms/buffer.c
 SOURCES_nsv = nsv.c
 SOURCES_real = real.c
-SOURCES_rtp = rtp.c rtp.h rtpsession.c
 SOURCES_ts = ts.c ../mux/mpeg/csa.c
 SOURCES_ps = ps.c ps.h
 SOURCES_mod = mod.c
@@ -37,3 +36,11 @@ SOURCES_smf = smf.c
 libvlc_LTLIBRARIES += \
 	librtp_plugin.la \
 	$(NULL)
+
+# RTP plugin
+librtp_plugin_la_SOURCES = \
+	rtp.c rtp.h rtpsession.c
+librtp_plugin_la_CFLAGS = $(AM_CFLAGS) -I$(top_srcdir)/libs/srtp
+librtp_plugin_la_LIBADD = $(LTLIBVLCCORE) \
+	$(top_builddir)/libs/srtp/libvlc_srtp.la
+
diff --git a/modules/demux/rtp.c b/modules/demux/rtp.c
index 7f273630269a7817419101be64e467f035f61bd6..8f917efce2ee6cdc4ad55d073cf54f6cf4499c29 100644
--- a/modules/demux/rtp.c
+++ b/modules/demux/rtp.c
@@ -39,11 +39,21 @@
 #include <vlc_codecs.h>
 
 #include "rtp.h"
+#include <srtp.h>
 
 #define RTP_CACHING_TEXT N_("RTP de-jitter buffer length (msec)")
 #define RTP_CACHING_LONGTEXT N_( \
     "How long to wait for late RTP packets (and delay the performance)." )
 
+#define SRTP_KEY_TEXT N_("SRTP key (hexadecimal)")
+#define SRTP_KEY_LONGTEXT N_( \
+    "RTP packets will be authenticated and deciphered "\
+    "with this Secure RTP master shared secret key.")
+
+#define SRTP_SALT_TEXT N_("SRTP salt (hexadecimal)")
+#define SRTP_SALT_LONGTEXT N_( \
+    "Secure RTP requires a (non-secret) master salt value.")
+
 #define RTP_MAX_SRC_TEXT N_("Maximum RTP sources")
 #define RTP_MAX_SRC_LONGTEXT N_( \
     "How many distinct active RTP sources are allowed at a time." )
@@ -79,6 +89,10 @@ vlc_module_begin ();
     add_integer ("rtp-caching", 1000, NULL, RTP_CACHING_TEXT,
                  RTP_CACHING_LONGTEXT, true);
         change_integer_range (0, 65535);
+    add_string ("srtp-key", "", NULL,
+                SRTP_KEY_TEXT, SRTP_KEY_LONGTEXT, false);
+    add_string ("srtp-salt", "", NULL,
+                SRTP_SALT_TEXT, SRTP_SALT_LONGTEXT, false);
     add_integer ("rtp-max-src", 1, NULL, RTP_MAX_SRC_TEXT,
                  RTP_MAX_SRC_LONGTEXT, true);
         change_integer_range (1, 255);
@@ -200,8 +214,13 @@ static int Open (vlc_object_t *obj)
     /* Initializes demux */
     demux_sys_t *p_sys = malloc (sizeof (*p_sys));
     if (p_sys == NULL)
-        goto error;
+    {
+        net_Close (fd);
+        return VLC_EGENERIC;
+    }
 
+    p_sys->srtp         = NULL;
+    p_sys->fd           = fd;
     p_sys->caching      = var_CreateGetInteger (obj, "rtp-caching");
     p_sys->max_src      = var_CreateGetInteger (obj, "rtp-max-src");
     p_sys->timeout      = var_CreateGetInteger (obj, "rtp-timeout");
@@ -218,12 +237,32 @@ static int Open (vlc_object_t *obj)
     if (p_sys->session == NULL)
         goto error;
 
-    p_sys->fd = fd;
+    char *key = var_GetNonEmptyString (demux, "srtp-key");
+    if (key)
+    {
+        p_sys->srtp = srtp_create (SRTP_ENCR_AES_CM, SRTP_AUTH_HMAC_SHA1, 10,
+                                   SRTP_PRF_AES_CM, 0);
+        if (p_sys->srtp == NULL)
+        {
+            free (key);
+            goto error;
+        }
+
+        char *salt = var_GetNonEmptyString (demux, "srtp-salt");
+        errno = srtp_setkeystring (p_sys->srtp, key, salt ? salt : "");
+        free (salt);
+        free (key);
+        if (errno)
+        {
+            msg_Err (obj, "bad SRTP key/salt combination (%m)");
+            goto error;
+        }
+    }
+
     return VLC_SUCCESS;
 
 error:
-    net_Close (fd);
-    free (p_sys);
+    Close (obj);
     return VLC_EGENERIC;
 }
 
@@ -236,7 +275,10 @@ static void Close (vlc_object_t *obj)
     demux_t *demux = (demux_t *)obj;
     demux_sys_t *p_sys = demux->p_sys;
 
-    rtp_session_destroy (demux, p_sys->session);
+    if (p_sys->srtp)
+        srtp_destroy (p_sys->srtp);
+    if (p_sys->session)
+        rtp_session_destroy (demux, p_sys->session);
     net_Close (p_sys->fd);
     free (p_sys);
 }
@@ -580,6 +622,17 @@ static int Demux (demux_t *demux)
     if (ptype >= 72 && ptype <= 76)
         goto drop; /* Muxed RTCP, ignore for now */
 
+    if (p_sys->srtp)
+    {
+        size_t len = block->i_buffer;
+        if (srtp_recv (p_sys->srtp, block->p_buffer, &len))
+        {
+            msg_Dbg (demux, "SRTP authentication/decryption failed");
+            goto drop;
+        }
+        block->i_buffer = len;
+    }
+
     /* Not using SDP, we need to guess the payload format used */
     /* see http://www.iana.org/assignments/rtp-parameters */
     if (p_sys->autodetect)
diff --git a/modules/demux/rtp.h b/modules/demux/rtp.h
index f18a99860ac8e0810a955e32c502accfd9b89b5a..e363878a8be3e32b9fd365213437a52b1b452840 100644
--- a/modules/demux/rtp.h
+++ b/modules/demux/rtp.h
@@ -43,6 +43,7 @@ int rtp_add_type (demux_t *demux, rtp_session_t *ses, const rtp_pt_t *pt);
 struct demux_sys_t
 {
     rtp_session_t *session;
+    struct srtp_session_t *srtp;
     int           fd;
 
     unsigned      caching;