diff --git a/README.md b/README.md index 927d4843..15806c78 100644 --- a/README.md +++ b/README.md @@ -536,8 +536,15 @@ after `pam_unix.so` in `/etc/pam.d/common-session` or similar, but before which starts processes that access the user's home directory during their session. -To make `pam_fscrypt.so` print debugging messages to the system log, add the -`debug` option. All hook types accept this option. +`pam_fscrypt.so` accepts several options: + +* `debug`: print additional debug messages to the syslog. All hook types accept + this option. + +* `unlock_only`: only unlock directories (at log-in); don't also lock them (at + log-out). This is only relevant for the "session" hook. Note that in + `fscrypt` v0.2.9 and earlier, unlock-only was the default behavior, and + `lock_policies` needed to be specified to enable locking. ### Allowing `fscrypt` to check your login passphrase diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 04ca13c8..bd6b04d3 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -55,9 +55,12 @@ const ( debugFlag = "debug" // This option is accepted for compatibility with existing config files, - // but now we lock policies unconditionally and this option is a no-op. + // but now we lock policies by default and this option is a no-op. lockPoliciesFlag = "lock_policies" + // Only unlock directories, don't lock them. + unlockOnlyFlag = "unlock_only" + // This option is accepted for compatibility with existing config files, // but it no longer does anything. pam_fscrypt now drops caches if and // only if it is needed. (Usually it is not needed anymore, as the 
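Review bot: The new `unlockOnlyFlag` comment says only "Only unlock directories, don't lock them" and leaves out which hook honors it and what the consequence is, whereas the neighbouring `lockPoliciesFlag` comment does spell out its status; suggest `// Only unlock directories at login; don't lock them at logout. Only the session hook (CloseSession) honors this, so with it set the user's policy keys stay provisioned after logout.` The README hunk in this same commit already documents that scope, so mirroring it here keeps the option self-describing where it is parsed. The enclosing `const (` block starts before this hunk.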
@@ -279,19 +282,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error { // Don't automatically drop privileges, since we may need them to // deprovision policies or to drop caches. - log.Print("locking policies protected with login protector") - needDropCaches, errLock := lockLoginPolicies(handle) - - var errCache error - if needDropCaches { - log.Print("dropping appropriate filesystem caches at session close") - errCache = security.DropFilesystemCache() - } + if !args[unlockOnlyFlag] { + log.Print("locking policies protected with login protector") + needDropCaches, errLock := lockLoginPolicies(handle) - if errLock != nil { - return errLock + var errCache error + if needDropCaches { + log.Print("dropping appropriate filesystem caches at session close") + errCache = security.DropFilesystemCache() + } + if errLock != nil { + return errLock + } + return errCache } - return errCache + return nil } // lockLoginPolicies deprovisions all policy keys that are protected by the
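Review bot: With `unlock_only` set, CloseSession now returns nil without logging anything, so the syslog carries no record that the user's policy keys were deliberately left provisioned after logout; an explicit `log.Print` on that path would make the unlocked-at-logout state auditable and distinguishable from a lock that simply did not run. Wrapping the whole body in `if !args[unlockOnlyFlag] { … }` also indents the existing lock/drop-cache logic one level; a guard clause that returns early keeps the happy path left-aligned and leaves that logic byte-identical to the old code. Since `lockPoliciesFlag` is documented in this commit as a no-op, a config listing both `lock_policies` and `unlock_only` will silently not lock; if that combination is worth flagging, the same guard is the place to log it. CloseSession's signature appears only in the hunk header, not in the hunk itself.
```go
func CloseSession(handle *pam.Handle, args map[string]bool) error {
	if args[unlockOnlyFlag] {
		// Leave the user's policies provisioned across logout; say so in
		// the syslog so the unlocked-at-logout state is visible.
		log.Print("unlock_only specified; not locking policies at session close")
		return nil
	}
	// … unchanged: lockLoginPolicies, drop caches, return errLock/errCache …
}
```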