diff --git a/doc/administration/object_storage.md b/doc/administration/object_storage.md
index 9f720fb680a2bdf7273e4c729526702bfd2ef886..c6490e365a545e012421170f8e9496a2c5bf97f8 100644
--- a/doc/administration/object_storage.md
+++ b/doc/administration/object_storage.md
@@ -281,6 +281,9 @@ The service account must have permission to access the bucket. Learn more
 in Google's
 [Cloud Storage authentication documentation](https://cloud.google.com/storage/docs/authentication).
 
+NOTE:
+Bucket encryption with the [Cloud Key Management Service (KMS)](https://cloud.google.com/kms/docs) is not supported and will result in [ETag mismatch errors](#etag-mismatch).
+
 ##### Google example (consolidated form)
 
 For Omnibus installations, this is an example of the `connection` setting:
@@ -682,6 +685,8 @@ With the consolidated object configuration and instance profile, Workhorse has
 S3 credentials so that it can compute the `Content-MD5` header. This
 eliminates the need to compare ETag headers returned from the S3 server.
 
+Encrypting buckets with GCS' [Cloud Key Management Service (KMS)](https://cloud.google.com/kms/docs) is not supported and will result in ETag mismatch errors.
+
 ### Using Amazon instance profiles
 
 Instead of supplying AWS access and secret keys in object storage