---
layout: docs
page_title: AEAD - Configuration
description: |-
  The AEAD KMS configures AEAD-specific parameters.
---

# `aead` KMS

~> **Note:** This is mostly used for `dev` workflows or testing. The key will be exposed
to anyone that can view the configuration file. If using this KMS, consider
using `boundary config encrypt` to encrypt all but the `config` KMS and using an
external KMS for `config` purposes.

```hcl
kms "aead" {
	purpose = "worker-auth"
	aead_type = "aes-gcm"
	key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
	key_id = "global_worker-auth"
}
```

- `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`,
   `root`, `previous-root`, `recovery`, or `config`.

- `aead_type` - The type of encryption this KMS uses. Currently only `aes-gcm` is implemented.

- `key` - The base64-encoded 256-bit encryption key.

- `key_id` - The unique name of this key.