diff --git a/INSTALL.md b/INSTALL.md
index 01ad69a17b..ae47e4d269 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1083,7 +1083,10 @@ See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details
Build with support for the SSLKEYLOGFILE environment variable
When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
-during a TLS handshake for use in analysis tools like wireshark.
+during a TLS handshake for use in analysis tools like wireshark. Note that the
+use of this mechanism allows for decryption of application payloads found in
+captured packets using keys from the key log file. See Section 3 of
+[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/)
### no-ts
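Review bot: The last added sentence, "See Section 3 of [the draft standard for SSLKEYLOGFILE](...)", has no terminating period, so the paragraph ends mid-air; add one. The note also stops at describing the decryption risk. The openssl-env.pod text in this same patch recommends restricting the feature to test and debug environments, and INSTALL.md is where a builder decides whether to enable it, so the same recommendation should appear here. Minor: "wireshark" is a product name and would read better as "Wireshark".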
diff --git a/doc/man7/openssl-env.pod b/doc/man7/openssl-env.pod
index b10ced0876..78043d5bd6 100644
--- a/doc/man7/openssl-env.pod
+++ b/doc/man7/openssl-env.pod
@@ -194,7 +194,11 @@ Used to produce the standard format output file for SSL key logging. Optionally
set this variable to a filename to log all secrets produced by SSL connections.
Note, use of the environment variable is predicated on configuring OpenSSL at
build time with the enable-sslkeylog feature. The file format standard can be
-found at L
+found at L.
+Note: the use of B poses an explicit security risk. By recording
+the exchanged keys during an SSL session, it allows any available party with
+read access to the file to decrypt application traffic sent over that session.
+Use of this feature should be restricted to test and debug environments only.
=back
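Review bot: In the added note, "any available party with read access to the file" is awkward; "any party with read access to the file" says the same thing more plainly. The note also speaks of "an SSL session" while the INSTALL.md text in this patch says "TLS handshake", so pick one term for both files. Because the risk described depends entirely on who can read the file, consider one more sentence advising that the key log file be created with restrictive permissions and deleted once debugging is finished.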