diff --git a/mesh.options b/mesh.options
index 86a5ac7..ab62650 100644
--- a/mesh.options
+++ b/mesh.options
@@ -29,6 +29,11 @@
 
 *DebugString.message max_size:256
 
+# Note: the actual limit (because of header bytes) on the size of encrypted payloads is 251 bytes, but I use 256
+# here because we might need to fill with zeros for padding to encryption block size (16 bytes per block)
+*MeshPacket.encrypted max_size:256
+*MeshPacket.payload anonymous_oneof:true
+
 # MyMessage.name         max_size:40 
 # or fixed_length or fixed_count, or max_count
 
diff --git a/mesh.proto b/mesh.proto
index 616abe7..7775581 100644
--- a/mesh.proto
+++ b/mesh.proto
@@ -228,7 +228,22 @@ message MeshPacket {
   */
   int32 to = 2;
 
-  SubPacket payload = 3;
+  /**
+  Internally to the mesh radios we will route SubPackets encrypted per 
+  docs/software/crypto.md.  However, when a particular node has the correct
+  key to decode a particular packet, it will decode the payload into a SubPacket
+  protobuf structure.  
+
+  Software outside of the device nodes will never encounter a packet where "decoded"
+  is not populated (i.e. any encryption/decryption happens before reaching the applications)
+
+  The numeric IDs for these fields were selected to keep backwards compatibility with old
+  applications.
+  */
+  oneof payload { 
+    SubPacket decoded = 3;
+    bytes encrypted = 8;
+   }
 
   /// The time this message was received by the esp32 (secs since 1970).  Note:
   /// this field is _never_ sent on the radio link itself (to save space) Times