diff --git a/flags/flags.go b/flags/flags.go
index 95495200f..d185e624c 100644
--- a/flags/flags.go
+++ b/flags/flags.go
@@ -469,8 +469,42 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 	}
 	KMSUri = cli.StringFlag{
-		Name: "kms",
-		Usage: "The to configure a Cloud KMS or an HSM.",
+		Name: "kms",
+		Usage: `The to configure a (cloud) KMS or an HSM.
+ is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+: Supported KMS types:
+
+ **YubiKey PIV**
+ : Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+ **PKCS #11**
+ : Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+ **TPM 2.0**
+ : Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+ **Google Cloud KMS**
+ : Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+ **AWS KMS**
+ : Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+ **Azure Key Vault**
+ : Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+: Examples:
+
+'''
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+'''
+
+ For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.`,
 	}
 	AttestationURI = cli.StringFlag{