# How do I get started with server-side encryption?
<a name="getting-started-with-sse"></a>

The easiest way to get started with server-side encryption is to use the AWS Management Console and the Amazon Kinesis KMS Service Key, `aws/kinesis`.

The following procedure demonstrates how to enable server-side encryption for a Kinesis stream.

**To enable server-side encryption for a Kinesis stream**

1. Sign in to the AWS Management Console and open the [Amazon Kinesis Data Streams console](http://console.aws.amazon.com/kinesis/home?region=us-east-1#/streams/list).

1. Create or select a Kinesis stream in the AWS Management Console.

1. Choose the **details** tab.

1. In **Server-side encryption**, choose **edit**.

1. Unless you want to use a user-generated KMS master key, ensure the **(Default) aws/kinesis** KMS master key is selected. This is the KMS master key generated by the Kinesis service. Choose **Enabled**, and then choose **Save**. 
**Note**  
The default Kinesis service master key is free, however, the API calls made by Kinesis to the AWS KMS service are subject to KMS usage costs. 

1. The stream transitions through a **pending** state. After the stream returns to an **active** state with encryption enabled, all incoming data written to the stream is encrypted using the KMS master key you selected.

1. To disable server-side encryption, choose **Disabled** in **Server-side encryption** in the AWS Management Console, and then choose **Save**.