diff --git a/.gitignore b/.gitignore
index e61a56bde..cf88895a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ backupmeta
 coverage.txt
 docker/data/
 docker/logs/
+*.swp
diff --git a/go.mod b/go.mod
index 5d3251f08..5933df09b 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 github.com/onsi/gomega v1.8.1 // indirect
 github.com/pingcap/check v0.0.0-20200212061837-5e12011dc712
 github.com/pingcap/errors v0.11.5-0.20190809092503-95897b64e011
- github.com/pingcap/kvproto v0.0.0-20200330093347-98f910b71904
+ github.com/pingcap/kvproto v0.0.0-20200423024253-3500763f0214
 github.com/pingcap/log v0.0.0-20200117041106-d28c14d3b1cd
 github.com/pingcap/parser v0.0.0-20200326020624-68d423641be5
 github.com/pingcap/pd/v4 v4.0.0-beta.1.0.20200305072537-61d9f9cc35d3
diff --git a/go.sum b/go.sum
index 06ea01c73..4c72a4dd7 100644
--- a/go.sum
+++ b/go.sum
@@ -365,6 +365,8 @@ github.com/pingcap/kvproto v0.0.0-20200214064158-62d31900d88e/go.mod h1:IOdRDPLy
 github.com/pingcap/kvproto v0.0.0-20200221034943-a2aa1d1e20a8/go.mod h1:IOdRDPLyda8GX2hE/jO7gqaCV/PNFh8BZQCQZXfIOqI=
 github.com/pingcap/kvproto v0.0.0-20200330093347-98f910b71904 h1:pMFUXvhJ62hX8m0Q4RsL7L+hSW1mAMG26So5eFMoAtI=
 github.com/pingcap/kvproto v0.0.0-20200330093347-98f910b71904/go.mod h1:IOdRDPLyda8GX2hE/jO7gqaCV/PNFh8BZQCQZXfIOqI=
+github.com/pingcap/kvproto v0.0.0-20200423024253-3500763f0214 h1:UfGPQQ1EANWEk8e/11fYjo7E1K98c6+WDT4q5k5R3Ko=
+github.com/pingcap/kvproto v0.0.0-20200423024253-3500763f0214/go.mod h1:IOdRDPLyda8GX2hE/jO7gqaCV/PNFh8BZQCQZXfIOqI=
 github.com/pingcap/log v0.0.0-20191012051959-b742a5d432e9 h1:AJD9pZYm72vMgPcQDww9rkZ1DnWfl0pXV3BOWlkYIjA=
 github.com/pingcap/log v0.0.0-20191012051959-b742a5d432e9/go.mod h1:4rbK1p9ILyIfb6hU7OG2CiWSqMXnp3JMbiaVJ6mvoY8=
 github.com/pingcap/log v0.0.0-20200117041106-d28c14d3b1cd h1:CV3VsP3Z02MVtdpTMfEgRJ4T9NGgGTxdHpJerent7rM=
diff --git a/pkg/storage/s3.go b/pkg/storage/s3.go
index bf24b9a2b..00107e2b9 100644
--- a/pkg/storage/s3.go
+++ b/pkg/storage/s3.go
@@ -24,7 +24,8 @@ const (
 s3EndpointOption = "s3.endpoint"
 s3RegionOption = "s3.region"
 s3StorageClassOption = "s3.storage-class"
- s3SSEOption = "s3.sse"
+ s3SseOption = "s3.sse"
+ s3SseKmsKeyIDOption = "s3.sse-kms-key-id"
 s3ACLOption = "s3.acl"
 s3ProviderOption = "s3.provider"
 notFound = "NotFound"
@@ -53,7 +54,8 @@ type S3BackendOptions struct {
 Endpoint string `json:"endpoint" toml:"endpoint"`
 Region string `json:"region" toml:"region"`
 StorageClass string `json:"storage-class" toml:"storage-class"`
- SSE string `json:"sse" toml:"sse"`
+ Sse string `json:"sse" toml:"sse"`
+ SseKmsKeyID string `json:"sse-kms-key-id" toml:"sse-kms-key-id"`
 ACL string `json:"acl" toml:"acl"`
 AccessKey string `json:"access-key" toml:"access-key"`
 SecretAccessKey string `json:"secret-access-key" toml:"secret-access-key"`
@@ -95,7 +97,8 @@ func (options *S3BackendOptions) apply(s3 *backup.S3) error {
 s3.Region = options.Region
 // StorageClass, SSE and ACL are acceptable to be empty
 s3.StorageClass = options.StorageClass
- s3.Sse = options.SSE
+ s3.Sse = options.Sse
+ s3.SseKmsKeyId = options.SseKmsKeyID
 s3.Acl = options.ACL
 s3.AccessKey = options.AccessKey
 s3.SecretAccessKey = options.SecretAccessKey
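Review bot: The rename from `SSE` to `Sse` in this const block, repeated on the struct field in the `S3BackendOptions` hunk, departs from the Go initialism convention that the neighbouring names follow (`s3ACLOption`, `ACL`). Renaming the exported field `S3BackendOptions.SSE` also breaks any code outside this file that sets it by name. The mixed-case spelling belongs to the generated `backup.S3` fields only; the hand-written side could keep `s3SSEOption` and `SSE` and add `s3SSEKMSKeyIDOption` and `SSEKMSKeyID` with the same struct tags. The serialized keys are unaffected either way, because the tags stay `sse` and `sse-kms-key-id`.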
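Review bot: `apply` copies `SseKmsKeyID` into the request without checking it against `Sse`, and the `Write` hunk further down calls `SetSSEKMSKeyId` whenever the ID is non-empty, so a key ID given with an empty or non-KMS `s3.sse` value is sent unchanged. As far as I know S3 rejects a KMS key ID that is not paired with `aws:kms`, so the operator learns of the mistake only when the first upload fails, and an S3-compatible provider that ignores the header could leave the backup under a different key than intended. A guard here would fail fast, assuming the file's `errors` package offers `New`: `if options.SseKmsKeyID != "" && options.Sse != "aws:kms" { return errors.New("s3.sse-kms-key-id requires s3.sse=aws:kms") }`. The context comment should then read `// StorageClass, SSE, SSE KMS key ID and ACL are acceptable to be empty`. `apply` starts and ends outside this hunk, so an equivalent check may already exist there.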
@@ -109,7 +112,9 @@ func defineS3Flags(flags *pflag.FlagSet) {
 "(experimental) Set the S3 endpoint URL, please specify the http or https scheme explicitly")
 flags.String(s3RegionOption, "", "(experimental) Set the S3 region, e.g. us-east-1")
 flags.String(s3StorageClassOption, "", "(experimental) Set the S3 storage class, e.g. STANDARD")
- flags.String(s3SSEOption, "", "(experimental) Set the S3 server-side encryption algorithm, e.g. AES256")
+ flags.String(s3SseOption, "", "Set S3 server-side encryption, e.g. aws:kms")
+ flags.String(s3SseKmsKeyIDOption, "", "KMS CMK key id to use with S3 server-side encryption."+
+ "Leave empty to use S3 owned key.")
 flags.String(s3ACLOption, "", "(experimental) Set the S3 canned ACLs, e.g. authenticated-read")
 flags.String(s3ProviderOption, "", "(experimental) Set the S3 provider, e.g. aws, alibaba, ceph")
 }
@@ -124,7 +129,11 @@ func (options *S3BackendOptions) parseFromFlags(flags *pflag.FlagSet) error {
 if err != nil {
 return errors.Trace(err)
 }
- options.SSE, err = flags.GetString(s3SSEOption)
+ options.Sse, err = flags.GetString(s3SseOption)
+ if err != nil {
+ return errors.Trace(err)
+ }
+ options.SseKmsKeyID, err = flags.GetString(s3SseKmsKeyIDOption)
 if err != nil {
 return errors.Trace(err)
 }
@@ -224,6 +233,9 @@ func (rs *S3Storage) Write(ctx context.Context, file string, data []byte) error
 if rs.options.Sse != "" {
 input = input.SetServerSideEncryption(rs.options.Sse)
 }
+ if rs.options.SseKmsKeyId != "" {
+ input = input.SetSSEKMSKeyId(rs.options.SseKmsKeyId)
+ }
 if rs.options.StorageClass != "" {
 input = input.SetStorageClass(rs.options.StorageClass)
 }
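Review bot: The two pieces of the new `s3.sse-kms-key-id` help string are joined without a space, so `--help` prints `encryption.Leave empty`; the first piece should end `...S3 server-side encryption. "+`. The help text should also state that the key ID only takes effect when `s3.sse` is `aws:kms`. With `aws:kms` and no key ID, S3 presumably falls back to the account's default AWS-managed KMS key rather than an "S3 owned" one, which is worth confirming against the S3 documentation before rewording. The `s3.sse` description also lost the `(experimental)` marker its siblings keep and the `AES256` example; if that is intended, listing both values (`AES256`, `aws:kms`) would tell operators what is accepted.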