The SessionBundle stores encrypted credentials, and those credentials will be encrypted using the SessionEncryptionKey if provided, otherwise a default hardcoded key is used. The SessionBundle is created by a Login call (whether performed explicitly or implicitly by the framework), and then passed as part of the message in all subsequent calls.
The encryption key is actually used to generate a salted hash key, which is then used to encrypt the credentials using AES. The default hardcoded key can be obtained from the DevForce assemblies using a disassembler, which is why you might want to specify your own SessionEncryptionKey.
Since encryption is done only on the credentials, if you need to secure the entire message you should use SSL or customize the binding stack to add security features.
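The sketch below is an added example, not DevForce code, showing why a key shared by every install protects nothing once the assemblies are in hand, while a per-deployment key does. PBKDF2, AES-GCM, the blob layout, the class and method names, and all key and credential strings are assumptions constructed for illustration; it targets .NET 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not DevForce code. PBKDF2, AES-GCM and the blob layout
// are assumptions that mirror "key -> salted hash key -> AES".
static class CredentialBlobDemo
{
    // Constructed stand-in for a key compiled into a shipped assembly.
    const string DefaultKey = "constructed-default-key";

    static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // Blob layout: salt(16) || nonce(12) || tag(16) || ciphertext
    public static byte[] Protect(string credentials, string sessionKey = null)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plain = Encoding.UTF8.GetBytes(credentials);
        byte[] ct = new byte[plain.Length];
        byte[] tag = new byte[16];
        using var aes = new AesGcm(DeriveKey(sessionKey ?? DefaultKey, salt), 16);
        aes.Encrypt(nonce, plain, ct, tag);
        byte[] blob = new byte[44 + ct.Length];
        salt.CopyTo(blob, 0); nonce.CopyTo(blob, 16); tag.CopyTo(blob, 28); ct.CopyTo(blob, 44);
        return blob;
    }

    // Returns null when the supplied key is not the one the blob was protected with.
    public static string Unprotect(byte[] blob, string sessionKey = null)
    {
        byte[] plain = new byte[blob.Length - 44];
        using var aes = new AesGcm(DeriveKey(sessionKey ?? DefaultKey, blob[..16]), 16);
        try { aes.Decrypt(blob[16..28], blob[44..], blob[28..44], plain); }
        catch (CryptographicException) { return null; }
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        byte[] withDefault = Protect("alice:constructed-password");
        byte[] withCustom = Protect("alice:constructed-password", "constructed-per-deployment-key");
        // The default key is identical in every install, so it decrypts only the first blob.
        Console.WriteLine(Unprotect(withDefault) ?? "<cannot decrypt>");
        Console.WriteLine(Unprotect(withCustom) ?? "<cannot decrypt>");
        Console.WriteLine(Unprotect(withCustom, "constructed-per-deployment-key"));
    }
}
```

The random salt changes the derived key for each blob but travels with it, so it adds no secrecy of its own: confidentiality rests entirely on the passphrase.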