diff --git a/website/content/docs/configuration/worker/pki-worker.mdx b/website/content/docs/configuration/worker/pki-worker.mdx
index 4fbe987da9..09398288fa 100644
--- a/website/content/docs/configuration/worker/pki-worker.mdx
+++ b/website/content/docs/configuration/worker/pki-worker.mdx
@@ -22,6 +22,19 @@ worker {
 }
 ```
+## KMS Configuration
+PKI Workers credentials can be encrypted by including an optional KMS stanza with the purpose `worker-auth-storage`.
+
+Example (not safe for production!):
+```hcl
+kms "aead" {
+  purpose = "worker-auth-storage"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "worker-auth-storage"
+}
+```
+
 ~> **Note:** `name` and `description` fields are not valid config fields for PKI workers. These fields are only valid for [KMS Workers][]. `name` and `description` can only be set for PKI workers through the API.
@@ -54,6 +67,15 @@ worker {
 }
 }
+# The following KMS config is an example only
+# Use a production KMS such as AWS KMS for production installs
+kms "aead" {
+  purpose = "worker-auth-storage"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "worker-auth-storage"
+}
+
 ```
 [kms workers]: /docs/configuration/worker/kms-worker