diff --git a/AWS.md b/AWS.md
index e897015..77eacb0 100644
--- a/AWS.md
+++ b/AWS.md
@@ -14,6 +14,11 @@ and "letsencrypt-certs.MYWEBSITE.com" to store files, and gives access to two ho
 {
 "Version": "2012-10-17",
 "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [ "kms:Decrypt", "kms:Encrypt" ],
+ "Resource": "arn:aws:kms:REGION:999999999999:key/01234567-890a-bcde-f012-3456789abcde"
+ },
 {
 "Effect": "Allow",
 "Action": [
@@ -59,6 +64,9 @@ and "letsencrypt-certs.MYWEBSITE.com" to store files, and gives access to two ho
 }
 ```
+## AWS KMS
+The role used by Lambda will also need to be added to Key Users on the KMS key referenced in its IAM Policy.
+
 ## Lambda Execution
 The Lambda function needs to run periodically as a scheduled function, preferably every day or perhaps every few days.
diff --git a/README.md b/README.md
index 2a53312..c45e7d6 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ your environment:
 | :--------------------- |:--------------|
 | `acme-directory-url` | Change to production url - https://acme-v01.api.letsencrypt.org if ready for real certificate. |
 | `acme-account-email` | Email of user requesting certificate. |
+| `kms-key` | A fully qualified AWS KMS key ARN that will be used to encrypt the files stored in the buckets. |
 | `s3-account-bucket` | An S3 bucket to place account keys/config data into. You will need to create this bucket and assign the [IAM role](AWS.md) to read/write. |
 | `s3-cert-bucket` | An S3 bucket to place domain certificate data into. You will need to create this bucket and assign the [IAM role](AWS.md) to read/write. |
 | `s3-folder` | A folder within the above buckets to place the files under, in case there are other contents of these buckets. |
diff --git a/config/default.json b/config/default.json
index cba9985..9235a5c 100644
--- a/config/default.json
+++ b/config/default.json
@@ -1,4 +1,5 @@
 {
+ "kms-key": "",
 "s3-account-bucket": "",
 "s3-cert-bucket": "",
 "s3-folder": "",
diff --git a/src/acme/certify/createCertificate.js b/src/acme/certify/createCertificate.js
index 2d3de5c..2169f0f 100644
--- a/src/acme/certify/createCertificate.js
+++ b/src/acme/certify/createCertificate.js
@@ -6,6 +6,7 @@ const saveFile = require('../../aws/s3/saveFile')
 const saveCertificate = (data) => saveFile(
+ config['kms-key'],
 config['s3-cert-bucket'],
 config['s3-folder'],
 `${data.key}.json`,
diff --git a/src/acme/register/createAccount.js b/src/acme/register/createAccount.js
index 83d1faf..6d7f7f1 100644
--- a/src/acme/register/createAccount.js
+++ b/src/acme/register/createAccount.js
@@ -10,6 +10,7 @@ const saveAccount = (data) => {
 'agreement': data.agreement
 }
 return saveFile(
+ config['kms-key'],
 config['s3-account-bucket'],
 config['s3-folder'],
 config['acme-account-file'],
diff --git a/src/aws/s3/saveFile.js b/src/aws/s3/saveFile.js
index a9fce46..b05483c 100644
--- a/src/aws/s3/saveFile.js
+++ b/src/aws/s3/saveFile.js
@@ -1,9 +1,11 @@
 const getS3 = require('../sdk/getS3')
-const saveFile = (bucket, siteId, fileName, fileData, options) =>
+const saveFile = (kmskey, bucket, siteId, fileName, fileData, options) =>
 getS3().putObject(Object.assign({
 Bucket: bucket,
 Key: `${siteId}/${fileName}`,
+ ServerSideEncryption: "aws:kms",
+ SSEKMSKeyId: ${kmskey},
 Body: new Buffer(fileData)
 }, options)).promise()
 .catch((e) => {
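Review bot: `SSEKMSKeyId: ${kmskey},` in the saveFile.js hunk is a syntax error — `${…}` is only valid inside a template literal, so the module will not even load and both callers (createCertificate.js, createAccount.js) fail; the line should read `SSEKMSKeyId: kmskey,`. Because config/default.json ships `"kms-key": ""`, an unconfigured deployment passes an empty key id straight through, and depending on SDK validation S3 may either reject the request or fall back to the AWS-managed S3 key instead of the intended customer key, so a fail-fast guard such as `if (!kmskey) throw new Error('kms-key is not configured')` at the top of saveFile would make the misconfiguration visible rather than silent. An SSE-KMS PutObject also needs kms:GenerateDataKey on the key, whereas the IAM statement added in AWS.md lists only kms:Encrypt and kms:Decrypt, so uploads will work only through the key policy's Key Users grant the same file mentions; naming GenerateDataKey explicitly in the IAM statement would document that requirement. The `"aws:kms"` literal uses double quotes where the rest of the file uses single quotes. saveFile's body continues past the end of the hunk.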