diff --git a/contrib/completions/bash/openshift b/contrib/completions/bash/openshift index c6b0c4529c1c..bd04398abbdb 100644 --- a/contrib/completions/bash/openshift +++ b/contrib/completions/bash/openshift @@ -34800,6 +34800,8 @@ _openshift_start_kubernetes_apiserver() local_nonpersistent_flags+=("--event-ttl=") flags+=("--experimental-bootstrap-token-auth") local_nonpersistent_flags+=("--experimental-bootstrap-token-auth") + flags+=("--experimental-encryption-provider-config=") + local_nonpersistent_flags+=("--experimental-encryption-provider-config=") flags+=("--experimental-keystone-ca-file=") local_nonpersistent_flags+=("--experimental-keystone-ca-file=") flags+=("--experimental-keystone-url=") diff --git a/contrib/completions/zsh/openshift b/contrib/completions/zsh/openshift index 26944cd9d7dc..29ddad4099c0 100644 --- a/contrib/completions/zsh/openshift +++ b/contrib/completions/zsh/openshift @@ -34949,6 +34949,8 @@ _openshift_start_kubernetes_apiserver() local_nonpersistent_flags+=("--event-ttl=") flags+=("--experimental-bootstrap-token-auth") local_nonpersistent_flags+=("--experimental-bootstrap-token-auth") + flags+=("--experimental-encryption-provider-config=") + local_nonpersistent_flags+=("--experimental-encryption-provider-config=") flags+=("--experimental-keystone-ca-file=") local_nonpersistent_flags+=("--experimental-keystone-ca-file=") flags+=("--experimental-keystone-url=") diff --git a/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go b/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go index 59ff11095c49..409d65b0e05b 100644 --- a/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go +++ b/vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go 
@@ -49,6 +49,7 @@ import (
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericapiserver "k8s.io/apiserver/pkg/server"
 "k8s.io/apiserver/pkg/server/filters"
+ "k8s.io/apiserver/pkg/server/options/encryptionconfig"
 serverstorage "k8s.io/apiserver/pkg/server/storage"
 
 "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
@@ -469,6 +470,16 @@ func BuildStorageFactory(s *options.ServerRunOptions) (*serverstorage.DefaultSto
 storageFactory.SetEtcdLocation(groupResource, servers)
 }
 
+ if s.Etcd.EncryptionProviderConfigFilepath != "" {
+ transformerOverrides, err := encryptionconfig.GetTransformerOverrides(s.Etcd.EncryptionProviderConfigFilepath)
+ if err != nil {
+ return nil, err
+ }
+ for groupResource, transformer := range transformerOverrides {
+ storageFactory.SetTransformer(groupResource, transformer)
+ }
+ }
+
 return storageFactory, nil
 }
 
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go
index 780e99c911a0..bdaa0f2af674 100644
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go
@@ -30,7 +30,8 @@ import (
 )
 
 type EtcdOptions struct {
- StorageConfig storagebackend.Config
+ StorageConfig storagebackend.Config
+ EncryptionProviderConfigFilepath string
 
 EtcdServersOverrides []string
 
@@ -109,6 +110,9 @@ func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet) {
 
 fs.BoolVar(&s.StorageConfig.Quorum, "etcd-quorum-read", s.StorageConfig.Quorum,
 "If true, enable quorum read.")
+
+ fs.StringVar(&s.EncryptionProviderConfigFilepath, "experimental-encryption-provider-config", s.EncryptionProviderConfigFilepath,
+ "The file containing configuration for encryption providers to be used for storing secrets in etcd")
 }
 
 func (s *EtcdOptions) ApplyTo(c *server.Config) error {
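Review bot: The error from `encryptionconfig.GetTransformerOverrides` in the BuildStorageFactory hunk is returned bare, so an unreadable or malformed provider config aborts startup with no indication of which file or option caused it. Failing the build here is the right fail-closed behaviour (continuing without the transformers would silently leave those resources stored in plaintext), but the message should name the path: `return nil, fmt.Errorf("reading encryption provider config %q: %v", s.Etcd.EncryptionProviderConfigFilepath, err)` — assuming server.go already imports fmt; if not, add it. BuildStorageFactory's signature and the earlier part of its body lie outside the hunk.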
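Review bot: The help text for `experimental-encryption-provider-config` in the AddFlags hunk says the providers are "used for storing secrets in etcd", but the value is consumed per GroupResource by BuildStorageFactory's `SetTransformer` loop, so it covers whichever resources the config file lists, not only secrets. Suggest `"The file containing configuration for encryption providers to be used for storing resources in etcd"`, and saying it is a file path. The path is also only checked when BuildStorageFactory runs; if EtcdOptions has a Validate method it would be the natural place to reject a nonexistent path early, though that lies outside this hunk.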
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/storage/storage_factory.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/storage/storage_factory.go
index 98761f1827d8..83ad7ae28a97 100644
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/storage/storage_factory.go
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/storage/storage_factory.go
@@ -25,6 +25,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apiserver/pkg/storage/storagebackend"
+ "k8s.io/apiserver/pkg/storage/value"
 )
 
 // StorageFactory is the interface to locate the storage for a given GroupResource
@@ -97,6 +98,8 @@ type groupResourceOverrides struct {
 // decoderDecoratorFn is optional and may wrap the provided decoders (can add new decoders). The order of
 // returned decoders will be priority for attempt to decode.
 decoderDecoratorFn func([]runtime.Decoder) []runtime.Decoder
+ // transformer is optional and shall encrypt that resource at rest.
+ transformer value.Transformer
 }
 
 // Apply overrides the provided config and options if the override has a value in that position
@@ -120,6 +123,9 @@ func (o groupResourceOverrides) Apply(config *storagebackend.Config, options *St
 if o.decoderDecoratorFn != nil {
 options.DecoderDecoratorFn = o.decoderDecoratorFn
 }
+ if o.transformer != nil {
+ config.Transformer = o.transformer
+ }
 }
 
 var _ StorageFactory = &DefaultStorageFactory{}
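Review bot: The new field comment in the groupResourceOverrides hunk, `// transformer is optional and shall encrypt that resource at rest.`, promises more than a value.Transformer guarantees: the Apply hunk simply assigns whatever the override carries to `config.Transformer`, and nothing on this page shows that the transformer encrypts rather than passing values through. Suggest `// transformer is optional; when set it replaces config.Transformer so this resource's values pass through it on the way to and from storage (for example to encrypt them at rest).` Apply also replaces any Transformer already on config rather than composing with it, which matches the other override fields but deserves a sentence in Apply's doc comment.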
@@ -181,6 +187,12 @@ func (s *DefaultStorageFactory) SetSerializer(groupResource schema.GroupResource
 s.Overrides[groupResource] = overrides
 }
 
+func (s *DefaultStorageFactory) SetTransformer(groupResource schema.GroupResource, transformer value.Transformer) {
+ overrides := s.Overrides[groupResource]
+ overrides.transformer = transformer
+ s.Overrides[groupResource] = overrides
+}
+
 // AddCohabitatingResources links resources together the order of the slice matters! its the priority order of lookup for finding a storage location
 func (s *DefaultStorageFactory) AddCohabitatingResources(groupResources ...schema.GroupResource) {
 for _, groupResource := range groupResources {
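Review bot: SetTransformer is an exported method with no doc comment, unlike the neighbouring AddCohabitatingResources. Suggest `// SetTransformer sets the value.Transformer applied to groupResource's stored values; a later call for the same groupResource replaces the earlier transformer.` It follows the same read-modify-write pattern on s.Overrides as SetSerializer (whose body ends in this hunk), so like that method it presumably relies on Overrides being initialized by the factory constructor — worth confirming, since writing to a nil map would panic at startup.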