diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 32db9839db..93a2a29aed 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -38,6 +38,8 @@ module Libvirtd_qemu =
                  | bool_entry "spice_tls"
                  | str_entry  "spice_tls_x509_cert_dir"
                  | str_entry "spice_password"
+                 | bool_entry "spice_sasl"
+                 | str_entry "spice_sasl_dir"
 
    let nogfx_entry = bool_entry "nographics_allow_host_audio"
 
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index bf57b9cf45..e5ff33d522 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -140,6 +140,22 @@
 #spice_password = "XYZ12345"
 
 
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index abb62e9236..814f368e06 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7191,6 +7191,16 @@ qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg,
         virBufferAsprintf(&opt, "tls-port=%u", tlsPort);
     }
 
+    if (cfg->spiceSASL) {
+        virBufferAddLit(&opt, ",sasl");
+
+        if (cfg->spiceSASLdir)
+            virCommandAddEnvPair(cmd, "SASL_CONF_PATH",
+                                 cfg->spiceSASLdir);
+
+        /* TODO: Support ACLs later */
+    }
+
     switch (virDomainGraphicsListenGetType(graphics, 0)) {
     case VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS:
         listenAddr = virDomainGraphicsListenGetAddress(graphics, 0);
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 44a2296dd8..8d7bee8296 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -284,6 +284,7 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->spiceTLSx509certdir);
     VIR_FREE(cfg->spiceListen);
     VIR_FREE(cfg->spicePassword);
+    VIR_FREE(cfg->spiceSASLdir);
 
     VIR_FREE(cfg->hugetlbfsMount);
     VIR_FREE(cfg->hugepagePath);
@@ -397,6 +398,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
 
     GET_VALUE_BOOL("spice_tls", cfg->spiceTLS);
     GET_VALUE_STR("spice_tls_x509_cert_dir", cfg->spiceTLSx509certdir);
+    GET_VALUE_BOOL("spice_sasl", cfg->spiceSASL);
+    GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
     GET_VALUE_STR("spice_listen", cfg->spiceListen);
     GET_VALUE_STR("spice_password", cfg->spicePassword);
 
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index ea3c69111d..d8304af93c 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -111,6 +111,8 @@ struct _virQEMUDriverConfig {
 
     bool spiceTLS;
     char *spiceTLSx509certdir;
+    bool spiceSASL;
+    char *spiceSASLdir;
     char *spiceListen;
     char *spicePassword;
 
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 7af3f64786..7417d124e3 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -15,6 +15,8 @@ module Test_libvirtd_qemu =
 { "spice_tls" = "1" }
 { "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
 { "spice_password" = "XYZ12345" }
+{ "spice_sasl" = "1" }
+{ "spice_sasl_dir" = "/some/directory/sasl2" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args
new file mode 100644
index 0000000000..8847bcef9a
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args
@@ -0,0 +1,9 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test \
+SASL_CONF_PATH=/root/.sasl2 QEMU_AUDIO_DRV=spice \
+/usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
+/dev/HostVG/QEMUGuest1 \
+-spice port=5903,tls-port=5904,sasl,addr=127.0.0.1,\
+x509-dir=/etc/pki/libvirt-spice,tls-channel=default \
+-vga qxl -global qxl.ram_size=67108864 -global \
+qxl.vram_size=18874368 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml
new file mode 100644
index 0000000000..eb630fa545
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml
@@ -0,0 +1,35 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1' defaultMode='secure'>
+      <listen type='address' address='127.0.0.1'/>
+    </graphics>
+    <video>
+      <model type='qxl' ram='65536' vram='18432' heads='1'/>
+    </video>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 060acf29ba..b14e71384b 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -660,6 +660,14 @@ mymain(void)
             QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
             QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
             QEMU_CAPS_DEVICE_QXL);
+    driver.config->spiceSASL = 1;
+    ignore_value(VIR_STRDUP(driver.config->spiceSASLdir, "/root/.sasl2"));
+    DO_TEST("graphics-spice-sasl",
+            QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
+            QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
+            QEMU_CAPS_DEVICE_QXL);
+    VIR_FREE(driver.config->spiceSASLdir);
+    driver.config->spiceSASL = 0;
     DO_TEST("graphics-spice-agentmouse",
             QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
             QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,