From 547e7a5970e9baf0e3707b414091f6196d36fccf Mon Sep 17 00:00:00 2001
From: Irena Rindos
Date: Fri, 26 Aug 2022 13:08:18 -0400
Subject: [PATCH] docs(workers): add documentation for pki worker cred encryption (#2397)

* docs(workers): add documentation for pki worker cred encryption
---
 .../docs/configuration/worker/pki-worker.mdx | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/website/content/docs/configuration/worker/pki-worker.mdx b/website/content/docs/configuration/worker/pki-worker.mdx
index 4fbe987da9..09398288fa 100644
--- a/website/content/docs/configuration/worker/pki-worker.mdx
+++ b/website/content/docs/configuration/worker/pki-worker.mdx
@@ -22,6 +22,19 @@ worker {
 }
 ```
+## KMS Configuration
+PKI Workers credentials can be encrypted by including an optional KMS stanza with the purpose `worker-auth-storage`.
+
+Example (not safe for production!):
+```hcl
+kms "aead" {
+ purpose = "worker-auth-storage"
+ aead_type = "aes-gcm"
+ key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+ key_id = "worker-auth-storage"
+}
+```
+
 ~> **Note:** `name` and `description` fields are not valid config fields for PKI workers. These fields are only valid for [KMS Workers][]. `name` and `description` can only be set for PKI workers through the API.
@@ -54,6 +67,15 @@ worker {
 }
 }
+# The following KMS config is an example only
+# Use a production KMS such as AWS KMS for production installs
+kms "aead" {
+ purpose = "worker-auth-storage"
+ aead_type = "aes-gcm"
+ key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+ key_id = "worker-auth-storage"
+}
+
 ```
 [kms workers]: /docs/configuration/worker/kms-worker