diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml index a6614e3393..38d87fff87 100644 --- a/man/NetworkManager.conf.xml +++ b/man/NetworkManager.conf.xml @@ -527,9 +527,11 @@ unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth In general, the logfile should not contain passwords or private data. However, you are always advised to check the file before posting it online or attaching - to a bug report. VPN_PLUGIN is special in that it might - reveal private information from the VPN plugins and thus this level is excluded - from ALL + to a bug report. VPN_PLUGIN is special as it might reveal + private information of the VPN plugins with verbose levels. Therefore this domain + will be excluded when setting ALL or DEFAULT + to more verbose levels then INFO. + backend diff --git a/src/nm-logging.c b/src/nm-logging.c index e3eaf52b27..15e1492876 100644 --- a/src/nm-logging.c +++ b/src/nm-logging.c @@ -108,7 +108,10 @@ typedef struct { } LogLevelDesc; NMLogDomain _nm_logging_enabled_state[_LOGL_N_REAL] = { - /* nm_logging_setup ("INFO", LOGD_DEFAULT_STRING, NULL, NULL); */ + /* nm_logging_setup ("INFO", LOGD_DEFAULT_STRING, NULL, NULL); + * + * Note: LOGD_VPN_PLUGIN is special and must be disabled for + * DEBUG and TRACE levels. */ [LOGL_INFO] = LOGD_DEFAULT, [LOGL_WARN] = LOGD_DEFAULT, [LOGL_ERR] = LOGD_DEFAULT, @@ -263,6 +266,11 @@ nm_logging_setup (const char *level, NMLogDomain bits; char *p; + /* LOGD_VPN_PLUGIN is protected, that is, when setting ALL or DEFAULT, + * it does not enable the verbose levels DEBUG and TRACE, because that + * may expose sensitive data. */ + NMLogDomain protect = LOGD_NONE; + if (!strlen (*iter)) continue; 
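Review bot: In the `@@ -108,7 +108,10 @@` hunk of src/nm-logging.c, the new comment says LOGD_VPN_PLUGIN must stay disabled for DEBUG and TRACE, but nothing in the initializer expresses that. As far as the hunk shows, it holds only because those two slots are left out of the designated initializer and default to zero. Spelling them out, `[LOGL_TRACE] = LOGD_NONE,` and `[LOGL_DEBUG] = LOGD_NONE,`, would put the invariant in code next to the comment and make an accidental `LOGD_DEFAULT` there stand out in review. The initializer continues past the hunk, so check that the entries are not already listed further down.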
@@ -279,11 +287,13 @@ nm_logging_setup (const char *level,
 bits = 0;
 /* Check for combined domains */
- if (!g_ascii_strcasecmp (*iter, LOGD_ALL_STRING))
+ if (!g_ascii_strcasecmp (*iter, LOGD_ALL_STRING)) {
 bits = LOGD_ALL;
- else if (!g_ascii_strcasecmp (*iter, LOGD_DEFAULT_STRING))
+ protect = LOGD_VPN_PLUGIN;
+ } else if (!g_ascii_strcasecmp (*iter, LOGD_DEFAULT_STRING)) {
 bits = LOGD_DEFAULT;
- else if (!g_ascii_strcasecmp (*iter, LOGD_DHCP_STRING))
+ protect = LOGD_VPN_PLUGIN;
+ } else if (!g_ascii_strcasecmp (*iter, LOGD_DHCP_STRING))
 bits = LOGD_DHCP;
 else if (!g_ascii_strcasecmp (*iter, LOGD_IP_STRING))
 bits = LOGD_IP;
@@ -325,8 +335,12 @@ nm_logging_setup (const char *level,
 for (i = 0; i < G_N_ELEMENTS (new_logging); i++) {
 if (i < domain_log_level)
 new_logging[i] &= ~bits;
- else
+ else {
 new_logging[i] |= bits;
+ if ( protect
+ && i < LOGL_INFO)
+ new_logging[i] &= ~protect;
+ }
 }
 }
 }
diff --git a/src/nm-logging.h b/src/nm-logging.h
index e3289b7039..655f675465 100644
--- a/src/nm-logging.h
+++ b/src/nm-logging.h
@@ -68,9 +68,7 @@ typedef enum { /*< skip >*/
 LOGD_VPN_PLUGIN = (1LL << 36),
 __LOGD_MAX,
- LOGD_ALL = (((__LOGD_MAX - 1LL) << 1) - 1LL) & ~(
- LOGD_VPN_PLUGIN | /*not even part of ALL, because it might expose sensitive information. */
- 0),
+ LOGD_ALL = (((__LOGD_MAX - 1LL) << 1) - 1LL),
 LOGD_DEFAULT = LOGD_ALL & ~(
 LOGD_DBUS_PROPS |
 LOGD_WIFI_SCAN |
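Review bot: In the `@@ -325,8 +335,12 @@` hunk of src/nm-logging.c, `new_logging[i] &= ~protect;` clears LOGD_VPN_PLUGIN from the DEBUG and TRACE masks even when an earlier token in the same domains string enabled it explicitly. The result therefore appears to depend on token order: an explicit VPN_PLUGIN entry placed before ALL or DEFAULT is dropped, while one placed after survives. This fails closed, which is the safe direction for a domain that can log secrets, but the rule is surprising and undocumented. Either state the ordering rule in the comment next to `protect` and in the man page, or mask only the bits being added: `new_logging[i] |= (i < LOGL_INFO) ? (bits & ~protect) : bits;`. The loop that accumulates `new_logging` across tokens starts outside this hunk, so confirm against the full function.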
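Review bot: With the mask removed in the `@@ -68,9 +68,7 @@` hunk of src/nm-logging.h, LOGD_ALL now contains LOGD_VPN_PLUGIN, and the header no longer says anywhere that this domain can expose sensitive data. LOGD_DEFAULT contains it too unless its exclusion list, which continues past the hunk, names it. Any code that uses these masks directly rather than through nm_logging_setup() gets no protection at DEBUG and TRACE, so callers outside that function are worth auditing. Keep a comment on the enumerator, for example `/* includes LOGD_VPN_PLUGIN; nm_logging_setup() keeps it out of DEBUG and TRACE when set via ALL or DEFAULT */`, so the invariant stays visible where the mask is defined.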