diff --git a/website/content/docs/concepts/security/data-encryption.mdx b/website/content/docs/concepts/security/data-encryption.mdx index b3a7228246..29cd9a5cd1 100644 --- a/website/content/docs/concepts/security/data-encryption.mdx +++ b/website/content/docs/concepts/security/data-encryption.mdx @@ -105,6 +105,11 @@ $ boundary scopes list-key-version-destruction-jobs -scope-id p_A4jfDjZ9jf Once the job disappears from this list, the associated key version will have been destroyed and any existing data will have been re-encrypted. +## The `bsr` KMS key HCP/ENT +The `bsr` KMS key is required for [session recording](/boundary/docs/configuration/session-recording). +If you do not add a `bsr` key to your controller configuration, you will receive an error when you attempt to enable session recording. +The key is used for encrypting data and checking the integrity of recordings. + ## The `previous-root` KMS key OSS Only The `previous-root` KMS key is used when migrating to a new `root` key. Adding diff --git a/website/content/docs/configuration/session-recording/enable-session-recording.mdx b/website/content/docs/configuration/session-recording/enable-session-recording.mdx index f7c90bb2c6..18d5b787c1 100644 --- a/website/content/docs/configuration/session-recording/enable-session-recording.mdx +++ b/website/content/docs/configuration/session-recording/enable-session-recording.mdx 
@@ -13,8 +13,11 @@ You use the storage bucket's ID to associate a target with the storage bucket. **Requirements**: -- One or more storage buckets to store the recordings +- One or more storage buckets to store the recordings. - Session recording is only supported for SSH targets at this time. +- A KMS key with the purpose `bsr` must be added to the controller configuration. +The key is used for encrypting data and checking the integrity of recordings. +Refer to [Create the controller configuration](/boundary/docs/install-boundary/configure-controllers#create-the-controller-configuration) for more information about configuring a KMS block. - The targets must be configured with an ingress or egress worker filter that includes a worker with access to the storage bucket you created. Refer to [SSH target attributes](/boundary/docs/concepts/docmain-model/targets#ssh-target-attributes-hcp-ent) for more information. - You must enable injected application credentials on any target that you want to use for session recording.
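Review bot: The new `bsr` section in data-encryption.mdx states the requirement ("If you do not add a `bsr` key to your controller configuration, you will receive an error when you attempt to enable session recording.") but, unlike the matching bullet added in enable-session-recording.mdx, it does not tell the reader where the key goes; suggest adding the same cross-reference to the controller configuration KMS block, e.g. "Refer to [Create the controller configuration](/boundary/docs/install-boundary/configure-controllers#create-the-controller-configuration) for more information about configuring a KMS block." Also, "The key is used for encrypting data and checking the integrity of recordings." is the security-relevant sentence of the section and is left vague: it would help the reader to spell out that the same key protects both the confidentiality of recording data and its integrity, and to link to the session-recording concept page for how integrity is verified, rather than asking them to infer it.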
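Review bot: The two continuation lines of the new bullet in enable-session-recording.mdx are not indented under the list item, so in MDX they will render as a paragraph that terminates the `**Requirements**` list rather than as part of the `bsr` bullet: the lines "+The key is used for encrypting data and checking the integrity of recordings." and "+Refer to [Create the controller configuration](...) for more information about configuring a KMS block." should either be indented two spaces to continue the bullet or be folded into the single `- A KMS key with the purpose `bsr` ...` line, matching how the later "The targets must be configured ..." bullet keeps its "Refer to ..." sentence on the same line. While this list is being touched, the unchanged context line links to `/boundary/docs/concepts/docmain-model/targets#ssh-target-attributes-hcp-ent`; "docmain-model" looks like a typo of the domain-model path and is worth fixing in the same change.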