diff --git a/conf/tikv.yml b/conf/tikv.yml
index 2310530a9..de02a26c4 100644
--- a/conf/tikv.yml
+++ b/conf/tikv.yml
@@ -546,6 +546,68 @@ raftdb:
 # optimize-filters-for-hits: true
 security:
+ ## The path for TLS certificates. Empty string means disabling secure connections.
+ # ca-path: ""
+ # cert-path: ""
+ # key-path: ""
+ # cert-allowed-cn: []
+
+ ## Configurations for encryption at rest. Experimental.
+ encryption:
+ ## Encryption method to use for data files.
+ ## Possible values are "plaintext", "aes128-ctr", "aes192-ctr" and "aes256-ctr". Value other than
+ ## "plaintext" means encryption is enabled, in which case master key must be specified.
+ # data-encryption-method: "plaintext"
+
+ ## Specifies how often TiKV rotates data encryption key.
+ # data-key-rotation-period = "7d"
+
+ ## Specifies master key if encryption is enabled. There are three types of master key:
+ ##
+ ## * "plaintext":
+ ##
+ ## Plaintext as master key means no master key is given and only applicable when
+ ## encryption is not enabled, i.e. data-encryption-method = "plaintext". This type doesn't
+ ## have sub-config items. Example:
+ ##
+ ## master-key:
+ ## type: "plaintext"
+ ##
+ ## * "kms":
+ ##
+ ## Use a KMS service to supply master key. Currently only AWS KMS is supported. This type of
+ ## master key is recommended for production use. Example:
+ ##
+ ## master-key:
+ ## type: "kms"
+ ## ## KMS CMK key id. Must be a valid KMS CMK where the TiKV process has access to.
+ ## ## In production is recommended to grant access of the CMK to TiKV using IAM.
+ ## key-id = "1234abcd-12ab-34cd-56ef-1234567890ab"
+ ## ## AWS region of the KMS CMK.
+ ## region: "us-west-2"
+ ## ## (Optional) AWS KMS service endpoint. Only required when non-default KMS endpoint is
+ ## ## desired.
+ ## endpoint: "https://kms.us-west-2.amazonaws.com"
+ ##
+ ## * "file":
+ ##
+ ## Supply a custom encryption key stored in a file. It is recommended NOT to use in production,
+ ## as it breaks the purpose of encryption at rest, unless the file is stored in tempfs.
+ ## The file must contain a 256-bits (32 bytes, regardless of key length implied by
+ ## data-encryption-method) key encoded as hex string and end with newline ("\n"). Example:
+ ##
+ ## master-key:
+ ## type: "file"
+ ## path: "/path/to/master/key/file"
+ ##
+ master-key:
+ # type = "plaintext"
+
+ ## Specifies the old master key when rotating master key. Same config format as master-key.
+ ## The key is only access once during TiKV startup, after that TiKV do not need access to the key.
+ ## And it is okay to leave the stale previous-master-key config after master key rotation.
+ previous-master-key:
+ # type: "plaintext"
 import:
diff --git a/roles/tikv/templates/tikv.toml.j2 b/roles/tikv/templates/tikv.toml.j2
index 13c51f9a9..7ca86d5cd 100644
--- a/roles/tikv/templates/tikv.toml.j2
+++ b/roles/tikv/templates/tikv.toml.j2
@@ -97,8 +97,24 @@
 {% endfor %}
 [security]
-{% for item, value in tikv_conf.security | dictsort -%}
+{% for item, value in tikv_conf.security | dictsort_by_value_type -%}
+{% if value is not mapping -%}
 {{ item }} = {{ value | to_json }}
+{% else %}
+
+[security.{{ item }}]
+{% for sub_item, sub_value in value | dictsort_by_value_type -%}
+{% if sub_value is not mapping -%}
+{{ sub_item }} = {{ sub_value | to_json }}
+{% else %}
+
+[security.{{ item }}.{{sub_item}}]
+{% for sub_sub_item, sub_sub_value in sub_value | dictsort -%}
+{{ sub_sub_item }} = {{ sub_sub_value | to_json }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
 {% endfor %}
 [import]
diff --git a/roles/tikv/vars/default.yml b/roles/tikv/vars/default.yml
index ba306c2dd..d76248f49 100644
--- a/roles/tikv/vars/default.yml
+++ b/roles/tikv/vars/default.yml
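Review bot: Three commented-out examples in this hunk use TOML assignment syntax inside a YAML file — `# data-key-rotation-period = "7d"`, `## key-id = "1234abcd-12ab-34cd-56ef-1234567890ab"` and `# type = "plaintext"` under `master-key:` — so uncommenting them as written gives a YAML parse error for the first two and, for the third, makes `master-key` a plain string instead of a mapping with a `type` key, which the role's template would then emit as a single `master-key = "..."` line rather than a `[security.encryption.master-key]` table. They should read `# data-key-rotation-period: "7d"`, `## key-id: "1234abcd-12ab-34cd-56ef-1234567890ab"` and `# type: "plaintext"`, matching the `previous-master-key` example at the end of the hunk; the same three lines appear in the roles/tikv/vars/default.yml hunk below. Note also that with every child commented out, `master-key:` and `previous-master-key:` parse as YAML null rather than empty mappings, so whatever consumes this file has to tolerate a null there. A smaller documentation nit: "tempfs" in the "file" paragraph should be "tmpfs", and that paragraph could add that a key file of this type must be readable only by the TiKV process user, since the page already warns the type weakens encryption at rest.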
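Review bot: The new `{% if value is not mapping -%}` branch, and the matching `{% if sub_value is not mapping -%}` one level down, render a null value as `key = null`, which is not valid TOML, and the defaults added in this same commit leave `master-key:` and `previous-master-key:` with every child commented out (YAML null), so the rendered `[security.encryption]` table would not parse unless something outside this diff replaces those nulls first. Changing the two tests to `{% if value is none %}{% elif value is not mapping -%}` and `{% if sub_value is none %}{% elif sub_value is not mapping -%}` skips such keys while leaving the table branch untouched; the innermost `{{ sub_sub_item }} = {{ sub_sub_value | to_json }}` line has the same gap. The `dictsort_by_value_type` filter is not defined in this diff, so presumably it lives in the role's filter plugins and orders scalars ahead of mappings, which TOML requires once a `[table]` header has been opened — worth a one-line `{# … #}` comment on the `[security]` loop saying exactly that. Style: `{{sub_item}}` in the `[security.{{ item }}.{{sub_item}}]` header should be `{{ sub_item }}` like every other expression in the template.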
@@ -542,6 +542,68 @@ raftdb:
 # optimize-filters-for-hits: true
 security:
+ ## The path for TLS certificates. Empty string means disabling secure connections.
+ # ca-path: ""
+ # cert-path: ""
+ # key-path: ""
+ # cert-allowed-cn: []
+
+ ## Configurations for encryption at rest. Experimental.
+ encryption:
+ ## Encryption method to use for data files.
+ ## Possible values are "plaintext", "aes128-ctr", "aes192-ctr" and "aes256-ctr". Value other than
+ ## "plaintext" means encryption is enabled, in which case master key must be specified.
+ # data-encryption-method: "plaintext"
+
+ ## Specifies how often TiKV rotates data encryption key.
+ # data-key-rotation-period = "7d"
+
+ ## Specifies master key if encryption is enabled. There are three types of master key:
+ ##
+ ## * "plaintext":
+ ##
+ ## Plaintext as master key means no master key is given and only applicable when
+ ## encryption is not enabled, i.e. data-encryption-method = "plaintext". This type doesn't
+ ## have sub-config items. Example:
+ ##
+ ## master-key:
+ ## type: "plaintext"
+ ##
+ ## * "kms":
+ ##
+ ## Use a KMS service to supply master key. Currently only AWS KMS is supported. This type of
+ ## master key is recommended for production use. Example:
+ ##
+ ## master-key:
+ ## type: "kms"
+ ## ## KMS CMK key id. Must be a valid KMS CMK where the TiKV process has access to.
+ ## ## In production is recommended to grant access of the CMK to TiKV using IAM.
+ ## key-id = "1234abcd-12ab-34cd-56ef-1234567890ab"
+ ## ## AWS region of the KMS CMK.
+ ## region: "us-west-2"
+ ## ## (Optional) AWS KMS service endpoint. Only required when non-default KMS endpoint is
+ ## ## desired.
+ ## endpoint: "https://kms.us-west-2.amazonaws.com"
+ ##
+ ## * "file":
+ ##
+ ## Supply a custom encryption key stored in a file. It is recommended NOT to use in production,
+ ## as it breaks the purpose of encryption at rest, unless the file is stored in tempfs.
+ ## The file must contain a 256-bits (32 bytes, regardless of key length implied by
+ ## data-encryption-method) key encoded as hex string and end with newline ("\n"). Example:
+ ##
+ ## master-key:
+ ## type: "file"
+ ## path: "/path/to/master/key/file"
+ ##
+ master-key:
+ # type = "plaintext"
+
+ ## Specifies the old master key when rotating master key. Same config format as master-key.
+ ## The key is only access once during TiKV startup, after that TiKV do not need access to the key.
+ ## And it is okay to leave the stale previous-master-key config after master key rotation.
+ previous-master-key:
+ # type: "plaintext"
 import: