diff --git a/hack/.golint_failures b/hack/.golint_failures
index 19c8badcf11..4f14f014fac 100644
--- a/hack/.golint_failures
+++ b/hack/.golint_failures
@@ -605,6 +605,7 @@ staging/src/k8s.io/apiserver/pkg/storage/storagebackend
 staging/src/k8s.io/apiserver/pkg/storage/testing
 staging/src/k8s.io/apiserver/pkg/storage/tests
 staging/src/k8s.io/apiserver/pkg/storage/value
+staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1
 staging/src/k8s.io/apiserver/pkg/util/feature
 staging/src/k8s.io/apiserver/pkg/util/flag
 staging/src/k8s.io/apiserver/pkg/util/proxy
diff --git a/hack/update-generated-kms-dockerized.sh b/hack/update-generated-kms-dockerized.sh
new file mode 100755
index 00000000000..82db74f6d5f
--- /dev/null
+++ b/hack/update-generated-kms-dockerized.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
+KUBE_REMOTE_RUNTIME_ROOT="${KUBE_ROOT}/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/"
+source "${KUBE_ROOT}/hack/lib/init.sh"
+
+kube::golang::setup_env
+
+BINS=(
+	vendor/k8s.io/code-generator/cmd/go-to-protobuf/protoc-gen-gogo
+)
+make -C "${KUBE_ROOT}" WHAT="${BINS[*]}"
+
+if [[ -z "$(which protoc)" || "$(protoc --version)" != "libprotoc 3."* ]]; then
+  echo "Generating protobuf requires protoc 3.0.0-beta1 or newer. Please download and"
+  echo "install the platform appropriate Protobuf package for your OS: "
+  echo
+  echo "  https://github.com/google/protobuf/releases"
+  echo
+  echo "WARNING: Protobuf changes are not being validated"
+  exit 1
+fi
+
+function cleanup {
+	rm -f ${KUBE_REMOTE_RUNTIME_ROOT}/service.pb.go.bak
+}
+
+trap cleanup EXIT
+
+gogopath=$(dirname $(kube::util::find-binary "protoc-gen-gogo"))
+
+PATH="${gogopath}:${PATH}" \
+  protoc \
+  --proto_path="${KUBE_REMOTE_RUNTIME_ROOT}" \
+  --proto_path="${KUBE_ROOT}/vendor" \
+  --gogo_out=plugins=grpc:${KUBE_REMOTE_RUNTIME_ROOT} ${KUBE_REMOTE_RUNTIME_ROOT}/service.proto
+
+# Update boilerplate for the generated file.
+echo "$(cat hack/boilerplate/boilerplate.go.txt ${KUBE_REMOTE_RUNTIME_ROOT}/service.pb.go)" > ${KUBE_REMOTE_RUNTIME_ROOT}/service.pb.go
+sed -i".bak" "s/Copyright YEAR/Copyright $(date '+%Y')/g" ${KUBE_REMOTE_RUNTIME_ROOT}/service.pb.go
+
+# Run gofmt to clean up the generated code.
+kube::golang::verify_go_version
+gofmt -l -s -w ${KUBE_REMOTE_RUNTIME_ROOT}/service.pb.go
diff --git a/hack/update-generated-kms.sh b/hack/update-generated-kms.sh
new file mode 100755
index 00000000000..95a0ee80ca3
--- /dev/null
+++ b/hack/update-generated-kms.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
+
+# NOTE: All output from this script needs to be copied back to the calling
+# source tree.  This is managed in kube::build::copy_output in build/common.sh.
+# If the output set is changed update that function.
+
+${KUBE_ROOT}/build/run.sh hack/update-generated-kms-dockerized.sh "$@"
+
+# ex: ts=2 sw=2 et filetype=sh
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/BUILD b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/BUILD
index d45a85b373f..5fafc66b161 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/BUILD
@@ -12,7 +12,7 @@ go_library(
     importpath = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1",
     visibility = ["//visibility:public"],
     deps = [
-        "//vendor/github.com/golang/protobuf/proto:go_default_library",
+        "//vendor/github.com/gogo/protobuf/proto:go_default_library",
         "//vendor/golang.org/x/net/context:go_default_library",
         "//vendor/google.golang.org/grpc:go_default_library",
     ],
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go
index 118d2e72faa..9e61bef00ac 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2017 The Kubernetes Authors.
+Copyright 2018 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,8 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by protoc-gen-go. DO NOT EDIT.
+// Code generated by protoc-gen-gogo.
 // source: service.proto
+// DO NOT EDIT!
 
 /*
 Package v1beta1 is a generated protocol buffer package.
@@ -33,7 +34,7 @@ It has these top-level messages:
 */
 package v1beta1
 
-import proto "github.com/golang/protobuf/proto"
+import proto "github.com/gogo/protobuf/proto"
 import fmt "fmt"
 import math "math"
 
@@ -51,17 +52,17 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
 type VersionRequest struct {
 	// Version of the KMS plugin API.
-	Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
+	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
 }
 
 func (m *VersionRequest) Reset()                    { *m = VersionRequest{} }
 func (m *VersionRequest) String() string            { return proto.CompactTextString(m) }
 func (*VersionRequest) ProtoMessage()               {}
-func (*VersionRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} }
+func (*VersionRequest) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{0} }
 
 func (m *VersionRequest) GetVersion() string {
 	if m != nil {
@@ -72,17 +73,17 @@ func (m *VersionRequest) GetVersion() string {
 
 type VersionResponse struct {
 	// Version of the KMS plugin API.
-	Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
+	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
 	// Name of the KMS provider.
-	RuntimeName string `protobuf:"bytes,2,opt,name=runtime_name,json=runtimeName" json:"runtime_name,omitempty"`
+	RuntimeName string `protobuf:"bytes,2,opt,name=runtime_name,json=runtimeName,proto3" json:"runtime_name,omitempty"`
 	// Version of the KMS provider. The string must be semver-compatible.
-	RuntimeVersion string `protobuf:"bytes,3,opt,name=runtime_version,json=runtimeVersion" json:"runtime_version,omitempty"`
+	RuntimeVersion string `protobuf:"bytes,3,opt,name=runtime_version,json=runtimeVersion,proto3" json:"runtime_version,omitempty"`
 }
 
 func (m *VersionResponse) Reset()                    { *m = VersionResponse{} }
 func (m *VersionResponse) String() string            { return proto.CompactTextString(m) }
 func (*VersionResponse) ProtoMessage()               {}
-func (*VersionResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
+func (*VersionResponse) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{1} }
 
 func (m *VersionResponse) GetVersion() string {
 	if m != nil {
@@ -107,7 +108,7 @@ func (m *VersionResponse) GetRuntimeVersion() string {
 
 type DecryptRequest struct {
 	// Version of the KMS plugin API.
-	Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
+	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
 	// The data to be decrypted.
 	Cipher []byte `protobuf:"bytes,2,opt,name=cipher,proto3" json:"cipher,omitempty"`
 }
@@ -115,7 +116,7 @@ type DecryptRequest struct {
 func (m *DecryptRequest) Reset()                    { *m = DecryptRequest{} }
 func (m *DecryptRequest) String() string            { return proto.CompactTextString(m) }
 func (*DecryptRequest) ProtoMessage()               {}
-func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
+func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{2} }
 
 func (m *DecryptRequest) GetVersion() string {
 	if m != nil {
@@ -139,7 +140,7 @@ type DecryptResponse struct {
 func (m *DecryptResponse) Reset()                    { *m = DecryptResponse{} }
 func (m *DecryptResponse) String() string            { return proto.CompactTextString(m) }
 func (*DecryptResponse) ProtoMessage()               {}
-func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
+func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{3} }
 
 func (m *DecryptResponse) GetPlain() []byte {
 	if m != nil {
@@ -150,7 +151,7 @@ func (m *DecryptResponse) GetPlain() []byte {
 
 type EncryptRequest struct {
 	// Version of the KMS plugin API.
-	Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
+	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
 	// The data to be encrypted.
 	Plain []byte `protobuf:"bytes,2,opt,name=plain,proto3" json:"plain,omitempty"`
 }
@@ -158,7 +159,7 @@ type EncryptRequest struct {
 func (m *EncryptRequest) Reset()                    { *m = EncryptRequest{} }
 func (m *EncryptRequest) String() string            { return proto.CompactTextString(m) }
 func (*EncryptRequest) ProtoMessage()               {}
-func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} }
+func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{4} }
 
 func (m *EncryptRequest) GetVersion() string {
 	if m != nil {
@@ -182,7 +183,7 @@ type EncryptResponse struct {
 func (m *EncryptResponse) Reset()                    { *m = EncryptResponse{} }
 func (m *EncryptResponse) String() string            { return proto.CompactTextString(m) }
 func (*EncryptResponse) ProtoMessage()               {}
-func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} }
+func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{5} }
 
 func (m *EncryptResponse) GetCipher() []byte {
 	if m != nil {
@@ -211,7 +212,7 @@ const _ = grpc.SupportPackageIsVersion4
 // Client API for KMSService service
 
 type KMSServiceClient interface {
-	// Version returns the runtime name and runtime version.
+	// Version returns the runtime name and runtime version of the KMS provider.
 	Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error)
 	// Execute decryption operation in KMS provider.
 	Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error)
@@ -257,7 +258,7 @@ func (c *kMSServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts
 // Server API for KMSService service
 
 type KMSServiceServer interface {
-	// Version returns the runtime name and runtime version.
+	// Version returns the runtime name and runtime version of the KMS provider.
 	Version(context.Context, *VersionRequest) (*VersionResponse, error)
 	// Execute decryption operation in KMS provider.
 	Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error)
@@ -344,9 +345,9 @@ var _KMSService_serviceDesc = grpc.ServiceDesc{
 	Metadata: "service.proto",
 }
 
-func init() { proto.RegisterFile("service.proto", fileDescriptor0) }
+func init() { proto.RegisterFile("service.proto", fileDescriptorService) }
 
-var fileDescriptor0 = []byte{
+var fileDescriptorService = []byte{
 	// 279 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0xcd, 0x4a, 0xc4, 0x30,
 	0x10, 0xde, 0xae, 0xb8, 0xc5, 0xb1, 0xb6, 0x10, 0x44, 0x8b, 0x27, 0xcd, 0x65, 0xd5, 0x43, 0x61,
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto
index 489ff5f8308..90e62acaefd 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto
@@ -1,3 +1,4 @@
+// To regenerate service.pb.go run hack/update-generated-kms.sh
 syntax = "proto3";
 
 package v1beta1;