diff --git a/api/gen/proto/go/teleport/recordingencryption/v1/recording_encryption_service.pb.go b/api/gen/proto/go/teleport/recordingencryption/v1/recording_encryption_service.pb.go
new file mode 100644
index 0000000000000..34a7e66d9e934
--- /dev/null
+++ b/api/gen/proto/go/teleport/recordingencryption/v1/recording_encryption_service.pb.go
@@ -0,0 +1,555 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.6
+// 	protoc        (unknown)
+// source: teleport/recordingencryption/v1/recording_encryption_service.proto
+
+package recordingencryptionv1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// The handle to an upload for an encrypted session.
+type Upload struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The primary identifier for an Upload.
+	UploadId string `protobuf:"bytes,1,opt,name=upload_id,json=uploadId,proto3" json:"upload_id,omitempty"`
+	// The session ID an upload is tied to.
+	SessionId string `protobuf:"bytes,2,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"`
+	// The time that an upload was created at.
+	InitiatedAt   *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=initiated_at,json=initiatedAt,proto3" json:"initiated_at,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Upload) Reset() {
+	*x = Upload{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Upload) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Upload) ProtoMessage() {}
+
+func (x *Upload) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Upload.ProtoReflect.Descriptor instead.
+func (*Upload) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Upload) GetUploadId() string {
+	if x != nil {
+		return x.UploadId
+	}
+	return ""
+}
+
+func (x *Upload) GetSessionId() string {
+	if x != nil {
+		return x.SessionId
+	}
+	return ""
+}
+
+func (x *Upload) GetInitiatedAt() *timestamppb.Timestamp {
+	if x != nil {
+		return x.InitiatedAt
+	}
+	return nil
+}
+
+// The request to start a multipart upload for a specific session recording.
+type CreateUploadRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The session ID associated with the recording being uploaded.
+	SessionId     string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CreateUploadRequest) Reset() {
+	*x = CreateUploadRequest{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CreateUploadRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CreateUploadRequest) ProtoMessage() {}
+
+func (x *CreateUploadRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CreateUploadRequest.ProtoReflect.Descriptor instead.
+func (*CreateUploadRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *CreateUploadRequest) GetSessionId() string {
+	if x != nil {
+		return x.SessionId
+	}
+	return ""
+}
+
+// The resulting Upload message for a created Upload.
+type CreateUploadResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The handle for the created Upload.
+	Upload        *Upload `protobuf:"bytes,1,opt,name=upload,proto3" json:"upload,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CreateUploadResponse) Reset() {
+	*x = CreateUploadResponse{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CreateUploadResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CreateUploadResponse) ProtoMessage() {}
+
+func (x *CreateUploadResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CreateUploadResponse.ProtoReflect.Descriptor instead.
+func (*CreateUploadResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *CreateUploadResponse) GetUpload() *Upload {
+	if x != nil {
+		return x.Upload
+	}
+	return nil
+}
+
+// The request to upload a single part in a multipart upload.
+type UploadPartRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The handle to the in-progress upload that should be uploaded to.
+	Upload *Upload `protobuf:"bytes,1,opt,name=upload,proto3" json:"upload,omitempty"`
+	// The ordered index applied to the part.
+	PartNumber int64 `protobuf:"varint,2,opt,name=part_number,json=partNumber,proto3" json:"part_number,omitempty"`
+	// The encrypted part of session recording data being uploaded.
+	Part          []byte `protobuf:"bytes,3,opt,name=part,proto3" json:"part,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UploadPartRequest) Reset() {
+	*x = UploadPartRequest{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UploadPartRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UploadPartRequest) ProtoMessage() {}
+
+func (x *UploadPartRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UploadPartRequest.ProtoReflect.Descriptor instead.
+func (*UploadPartRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *UploadPartRequest) GetUpload() *Upload {
+	if x != nil {
+		return x.Upload
+	}
+	return nil
+}
+
+func (x *UploadPartRequest) GetPartNumber() int64 {
+	if x != nil {
+		return x.PartNumber
+	}
+	return 0
+}
+
+func (x *UploadPartRequest) GetPart() []byte {
+	if x != nil {
+		return x.Part
+	}
+	return nil
+}
+
+// The resulting metadata about an uploaded part.
+type Part struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The ordered index applied to the part.
+	PartNumber int64 `protobuf:"varint,1,opt,name=part_number,json=partNumber,proto3" json:"part_number,omitempty"`
+	// The part e-tag value relevant to some storage backends.
+	Etag          string `protobuf:"bytes,2,opt,name=etag,proto3" json:"etag,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Part) Reset() {
+	*x = Part{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Part) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Part) ProtoMessage() {}
+
+func (x *Part) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Part.ProtoReflect.Descriptor instead.
+func (*Part) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *Part) GetPartNumber() int64 {
+	if x != nil {
+		return x.PartNumber
+	}
+	return 0
+}
+
+func (x *Part) GetEtag() string {
+	if x != nil {
+		return x.Etag
+	}
+	return ""
+}
+
+// A successfully uploaded Part to be included in the final CompleteUpload request.
+type UploadPartResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The resulting part metadata about an uploaded part.
+	Part          *Part `protobuf:"bytes,1,opt,name=part,proto3" json:"part,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UploadPartResponse) Reset() {
+	*x = UploadPartResponse{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UploadPartResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UploadPartResponse) ProtoMessage() {}
+
+func (x *UploadPartResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UploadPartResponse.ProtoReflect.Descriptor instead.
+func (*UploadPartResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *UploadPartResponse) GetPart() *Part {
+	if x != nil {
+		return x.Part
+	}
+	return nil
+}
+
+// The request to complete an upload. The included part numbers must match the parts successfully
+// uploaded up until this point.
+type CompleteUploadRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The handle to an upload to complete.
+	Upload *Upload `protobuf:"bytes,1,opt,name=upload,proto3" json:"upload,omitempty"`
+	// The parts expected to be successfully uploaded.
+	Parts         []*Part `protobuf:"bytes,2,rep,name=parts,proto3" json:"parts,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CompleteUploadRequest) Reset() {
+	*x = CompleteUploadRequest{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CompleteUploadRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CompleteUploadRequest) ProtoMessage() {}
+
+func (x *CompleteUploadRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CompleteUploadRequest.ProtoReflect.Descriptor instead.
+func (*CompleteUploadRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *CompleteUploadRequest) GetUpload() *Upload {
+	if x != nil {
+		return x.Upload
+	}
+	return nil
+}
+
+func (x *CompleteUploadRequest) GetParts() []*Part {
+	if x != nil {
+		return x.Parts
+	}
+	return nil
+}
+
+// CompleteUploadResponse is the empty return value of a CompleteUpload request.
+type CompleteUploadResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CompleteUploadResponse) Reset() {
+	*x = CompleteUploadResponse{}
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CompleteUploadResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CompleteUploadResponse) ProtoMessage() {}
+
+func (x *CompleteUploadResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CompleteUploadResponse.ProtoReflect.Descriptor instead.
+func (*CompleteUploadResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP(), []int{7}
+}
+
+var File_teleport_recordingencryption_v1_recording_encryption_service_proto protoreflect.FileDescriptor
+
+const file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDesc = "" +
+	"\n" +
+	"Bteleport/recordingencryption/v1/recording_encryption_service.proto\x12\x1fteleport.recordingencryption.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"\x83\x01\n" +
+	"\x06Upload\x12\x1b\n" +
+	"\tupload_id\x18\x01 \x01(\tR\buploadId\x12\x1d\n" +
+	"\n" +
+	"session_id\x18\x02 \x01(\tR\tsessionId\x12=\n" +
+	"\finitiated_at\x18\x03 \x01(\v2\x1a.google.protobuf.TimestampR\vinitiatedAt\"4\n" +
+	"\x13CreateUploadRequest\x12\x1d\n" +
+	"\n" +
+	"session_id\x18\x01 \x01(\tR\tsessionId\"W\n" +
+	"\x14CreateUploadResponse\x12?\n" +
+	"\x06upload\x18\x01 \x01(\v2'.teleport.recordingencryption.v1.UploadR\x06upload\"\x89\x01\n" +
+	"\x11UploadPartRequest\x12?\n" +
+	"\x06upload\x18\x01 \x01(\v2'.teleport.recordingencryption.v1.UploadR\x06upload\x12\x1f\n" +
+	"\vpart_number\x18\x02 \x01(\x03R\n" +
+	"partNumber\x12\x12\n" +
+	"\x04part\x18\x03 \x01(\fR\x04part\";\n" +
+	"\x04Part\x12\x1f\n" +
+	"\vpart_number\x18\x01 \x01(\x03R\n" +
+	"partNumber\x12\x12\n" +
+	"\x04etag\x18\x02 \x01(\tR\x04etag\"O\n" +
+	"\x12UploadPartResponse\x129\n" +
+	"\x04part\x18\x01 \x01(\v2%.teleport.recordingencryption.v1.PartR\x04part\"\x95\x01\n" +
+	"\x15CompleteUploadRequest\x12?\n" +
+	"\x06upload\x18\x01 \x01(\v2'.teleport.recordingencryption.v1.UploadR\x06upload\x12;\n" +
+	"\x05parts\x18\x02 \x03(\v2%.teleport.recordingencryption.v1.PartR\x05parts\"\x18\n" +
+	"\x16CompleteUploadResponse2\x94\x03\n" +
+	"\x1aRecordingEncryptionService\x12{\n" +
+	"\fCreateUpload\x124.teleport.recordingencryption.v1.CreateUploadRequest\x1a5.teleport.recordingencryption.v1.CreateUploadResponse\x12u\n" +
+	"\n" +
+	"UploadPart\x122.teleport.recordingencryption.v1.UploadPartRequest\x1a3.teleport.recordingencryption.v1.UploadPartResponse\x12\x81\x01\n" +
+	"\x0eCompleteUpload\x126.teleport.recordingencryption.v1.CompleteUploadRequest\x1a7.teleport.recordingencryption.v1.CompleteUploadResponseBjZhgithub.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1;recordingencryptionv1b\x06proto3"
+
+var (
+	file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescOnce sync.Once
+	file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescData []byte
+)
+
+func file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescGZIP() []byte {
+	file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescOnce.Do(func() {
+		file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDesc), len(file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDesc)))
+	})
+	return file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDescData
+}
+
+var file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_teleport_recordingencryption_v1_recording_encryption_service_proto_goTypes = []any{
+	(*Upload)(nil),                 // 0: teleport.recordingencryption.v1.Upload
+	(*CreateUploadRequest)(nil),    // 1: teleport.recordingencryption.v1.CreateUploadRequest
+	(*CreateUploadResponse)(nil),   // 2: teleport.recordingencryption.v1.CreateUploadResponse
+	(*UploadPartRequest)(nil),      // 3: teleport.recordingencryption.v1.UploadPartRequest
+	(*Part)(nil),                   // 4: teleport.recordingencryption.v1.Part
+	(*UploadPartResponse)(nil),     // 5: teleport.recordingencryption.v1.UploadPartResponse
+	(*CompleteUploadRequest)(nil),  // 6: teleport.recordingencryption.v1.CompleteUploadRequest
+	(*CompleteUploadResponse)(nil), // 7: teleport.recordingencryption.v1.CompleteUploadResponse
+	(*timestamppb.Timestamp)(nil),  // 8: google.protobuf.Timestamp
+}
+var file_teleport_recordingencryption_v1_recording_encryption_service_proto_depIdxs = []int32{
+	8, // 0: teleport.recordingencryption.v1.Upload.initiated_at:type_name -> google.protobuf.Timestamp
+	0, // 1: teleport.recordingencryption.v1.CreateUploadResponse.upload:type_name -> teleport.recordingencryption.v1.Upload
+	0, // 2: teleport.recordingencryption.v1.UploadPartRequest.upload:type_name -> teleport.recordingencryption.v1.Upload
+	4, // 3: teleport.recordingencryption.v1.UploadPartResponse.part:type_name -> teleport.recordingencryption.v1.Part
+	0, // 4: teleport.recordingencryption.v1.CompleteUploadRequest.upload:type_name -> teleport.recordingencryption.v1.Upload
+	4, // 5: teleport.recordingencryption.v1.CompleteUploadRequest.parts:type_name -> teleport.recordingencryption.v1.Part
+	1, // 6: teleport.recordingencryption.v1.RecordingEncryptionService.CreateUpload:input_type -> teleport.recordingencryption.v1.CreateUploadRequest
+	3, // 7: teleport.recordingencryption.v1.RecordingEncryptionService.UploadPart:input_type -> teleport.recordingencryption.v1.UploadPartRequest
+	6, // 8: teleport.recordingencryption.v1.RecordingEncryptionService.CompleteUpload:input_type -> teleport.recordingencryption.v1.CompleteUploadRequest
+	2, // 9: teleport.recordingencryption.v1.RecordingEncryptionService.CreateUpload:output_type -> teleport.recordingencryption.v1.CreateUploadResponse
+	5, // 10: teleport.recordingencryption.v1.RecordingEncryptionService.UploadPart:output_type -> teleport.recordingencryption.v1.UploadPartResponse
+	7, // 11: teleport.recordingencryption.v1.RecordingEncryptionService.CompleteUpload:output_type -> teleport.recordingencryption.v1.CompleteUploadResponse
+	9, // [9:12] is the sub-list for method output_type
+	6, // [6:9] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
+}
+
+func init() { file_teleport_recordingencryption_v1_recording_encryption_service_proto_init() }
+func file_teleport_recordingencryption_v1_recording_encryption_service_proto_init() {
+	if File_teleport_recordingencryption_v1_recording_encryption_service_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDesc), len(file_teleport_recordingencryption_v1_recording_encryption_service_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   8,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_teleport_recordingencryption_v1_recording_encryption_service_proto_goTypes,
+		DependencyIndexes: file_teleport_recordingencryption_v1_recording_encryption_service_proto_depIdxs,
+		MessageInfos:      file_teleport_recordingencryption_v1_recording_encryption_service_proto_msgTypes,
+	}.Build()
+	File_teleport_recordingencryption_v1_recording_encryption_service_proto = out.File
+	file_teleport_recordingencryption_v1_recording_encryption_service_proto_goTypes = nil
+	file_teleport_recordingencryption_v1_recording_encryption_service_proto_depIdxs = nil
+}
diff --git a/api/gen/proto/go/teleport/recordingencryption/v1/recording_encryption_service_grpc.pb.go b/api/gen/proto/go/teleport/recordingencryption/v1/recording_encryption_service_grpc.pb.go
new file mode 100644
index 0000000000000..25d49c6d2beea
--- /dev/null
+++ b/api/gen/proto/go/teleport/recordingencryption/v1/recording_encryption_service_grpc.pb.go
@@ -0,0 +1,224 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             (unknown)
+// source: teleport/recordingencryption/v1/recording_encryption_service.proto
+
+package recordingencryptionv1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	RecordingEncryptionService_CreateUpload_FullMethodName   = "/teleport.recordingencryption.v1.RecordingEncryptionService/CreateUpload"
+	RecordingEncryptionService_UploadPart_FullMethodName     = "/teleport.recordingencryption.v1.RecordingEncryptionService/UploadPart"
+	RecordingEncryptionService_CompleteUpload_FullMethodName = "/teleport.recordingencryption.v1.RecordingEncryptionService/CompleteUpload"
+)
+
+// RecordingEncryptionServiceClient is the client API for RecordingEncryptionService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+//
+// RecordingEncryption provides methods to manage cluster encryption configuration resources.
+type RecordingEncryptionServiceClient interface {
+	// CreateUpload begins a multipart upload for an encrypted recording. The
+	// returned upload ID should be used while uploading parts.
+	CreateUpload(ctx context.Context, in *CreateUploadRequest, opts ...grpc.CallOption) (*CreateUploadResponse, error)
+	// UploadPart uploads a part to the given upload ID.
+	UploadPart(ctx context.Context, in *UploadPartRequest, opts ...grpc.CallOption) (*UploadPartResponse, error)
+	// CompleteUploadRequest marks a multipart upload as complete.
+	CompleteUpload(ctx context.Context, in *CompleteUploadRequest, opts ...grpc.CallOption) (*CompleteUploadResponse, error)
+}
+
+type recordingEncryptionServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewRecordingEncryptionServiceClient(cc grpc.ClientConnInterface) RecordingEncryptionServiceClient {
+	return &recordingEncryptionServiceClient{cc}
+}
+
+func (c *recordingEncryptionServiceClient) CreateUpload(ctx context.Context, in *CreateUploadRequest, opts ...grpc.CallOption) (*CreateUploadResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(CreateUploadResponse)
+	err := c.cc.Invoke(ctx, RecordingEncryptionService_CreateUpload_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *recordingEncryptionServiceClient) UploadPart(ctx context.Context, in *UploadPartRequest, opts ...grpc.CallOption) (*UploadPartResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(UploadPartResponse)
+	err := c.cc.Invoke(ctx, RecordingEncryptionService_UploadPart_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *recordingEncryptionServiceClient) CompleteUpload(ctx context.Context, in *CompleteUploadRequest, opts ...grpc.CallOption) (*CompleteUploadResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(CompleteUploadResponse)
+	err := c.cc.Invoke(ctx, RecordingEncryptionService_CompleteUpload_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// RecordingEncryptionServiceServer is the server API for RecordingEncryptionService service.
+// All implementations must embed UnimplementedRecordingEncryptionServiceServer
+// for forward compatibility.
+//
+// RecordingEncryption provides methods to manage cluster encryption configuration resources.
+type RecordingEncryptionServiceServer interface {
+	// CreateUpload begins a multipart upload for an encrypted recording. The
+	// returned upload ID should be used while uploading parts.
+	CreateUpload(context.Context, *CreateUploadRequest) (*CreateUploadResponse, error)
+	// UploadPart uploads a part to the given upload ID.
+	UploadPart(context.Context, *UploadPartRequest) (*UploadPartResponse, error)
+	// CompleteUploadRequest marks a multipart upload as complete.
+	CompleteUpload(context.Context, *CompleteUploadRequest) (*CompleteUploadResponse, error)
+	mustEmbedUnimplementedRecordingEncryptionServiceServer()
+}
+
+// UnimplementedRecordingEncryptionServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedRecordingEncryptionServiceServer struct{}
+
+func (UnimplementedRecordingEncryptionServiceServer) CreateUpload(context.Context, *CreateUploadRequest) (*CreateUploadResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateUpload not implemented")
+}
+func (UnimplementedRecordingEncryptionServiceServer) UploadPart(context.Context, *UploadPartRequest) (*UploadPartResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UploadPart not implemented")
+}
+func (UnimplementedRecordingEncryptionServiceServer) CompleteUpload(context.Context, *CompleteUploadRequest) (*CompleteUploadResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CompleteUpload not implemented")
+}
+func (UnimplementedRecordingEncryptionServiceServer) mustEmbedUnimplementedRecordingEncryptionServiceServer() {
+}
+func (UnimplementedRecordingEncryptionServiceServer) testEmbeddedByValue() {}
+
+// UnsafeRecordingEncryptionServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to RecordingEncryptionServiceServer will
+// result in compilation errors.
+type UnsafeRecordingEncryptionServiceServer interface {
+	mustEmbedUnimplementedRecordingEncryptionServiceServer()
+}
+
+func RegisterRecordingEncryptionServiceServer(s grpc.ServiceRegistrar, srv RecordingEncryptionServiceServer) {
+	// If the following call pancis, it indicates UnimplementedRecordingEncryptionServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&RecordingEncryptionService_ServiceDesc, srv)
+}
+
+func _RecordingEncryptionService_CreateUpload_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateUploadRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RecordingEncryptionServiceServer).CreateUpload(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: RecordingEncryptionService_CreateUpload_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RecordingEncryptionServiceServer).CreateUpload(ctx, req.(*CreateUploadRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RecordingEncryptionService_UploadPart_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UploadPartRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RecordingEncryptionServiceServer).UploadPart(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: RecordingEncryptionService_UploadPart_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RecordingEncryptionServiceServer).UploadPart(ctx, req.(*UploadPartRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RecordingEncryptionService_CompleteUpload_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CompleteUploadRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RecordingEncryptionServiceServer).CompleteUpload(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: RecordingEncryptionService_CompleteUpload_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RecordingEncryptionServiceServer).CompleteUpload(ctx, req.(*CompleteUploadRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// RecordingEncryptionService_ServiceDesc is the grpc.ServiceDesc for RecordingEncryptionService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var RecordingEncryptionService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "teleport.recordingencryption.v1.RecordingEncryptionService",
+	HandlerType: (*RecordingEncryptionServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "CreateUpload",
+			Handler:    _RecordingEncryptionService_CreateUpload_Handler,
+		},
+		{
+			MethodName: "UploadPart",
+			Handler:    _RecordingEncryptionService_UploadPart_Handler,
+		},
+		{
+			MethodName: "CompleteUpload",
+			Handler:    _RecordingEncryptionService_CompleteUpload_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "teleport/recordingencryption/v1/recording_encryption_service.proto",
+}
diff --git a/api/proto/teleport/recordingencryption/v1/recording_encryption_service.proto b/api/proto/teleport/recordingencryption/v1/recording_encryption_service.proto
new file mode 100644
index 0000000000000..32852198f6c57
--- /dev/null
+++ b/api/proto/teleport/recordingencryption/v1/recording_encryption_service.proto
@@ -0,0 +1,90 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.recordingencryption.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1;recordingencryptionv1";
+
+// RecordingEncryption provides methods to manage cluster encryption configuration resources.
+service RecordingEncryptionService {
+  // CreateUpload begins a multipart upload for an encrypted recording. The
+  // returned upload ID should be used while uploading parts.
+  rpc CreateUpload(CreateUploadRequest) returns (CreateUploadResponse);
+  // UploadPart uploads a part to the given upload ID.
+  rpc UploadPart(UploadPartRequest) returns (UploadPartResponse);
+  // CompleteUploadRequest marks a multipart upload as complete.
+  rpc CompleteUpload(CompleteUploadRequest) returns (CompleteUploadResponse);
+}
+
+// The handle to an upload for an encrypted session.
+message Upload {
+  // The primary identifier for an Upload.
+  string upload_id = 1;
+  // The session ID an upload is tied to.
+  string session_id = 2;
+  // The time that an upload was created at.
+  google.protobuf.Timestamp initiated_at = 3;
+}
+
+// The request to start a multipart upload for a specific session recording.
+message CreateUploadRequest {
+  // The session ID associated with the recording being uploaded.
+  string session_id = 1;
+}
+
+// The resulting Upload message for a created Upload.
+message CreateUploadResponse {
+  // The handle for the created Upload.
+  Upload upload = 1;
+}
+
+// The request to upload a single part in a multipart upload.
+message UploadPartRequest {
+  // The handle to the in-progress upload that should be uploaded to.
+  Upload upload = 1;
+  // The ordered index applied to the part.
+  int64 part_number = 2;
+  // The encrypted part of session recording data being uploaded.
+  bytes part = 3;
+}
+
+// The resulting metadata about an uploaded part.
+message Part {
+  // The ordered index applied to the part.
+  int64 part_number = 1;
+  // The part e-tag value relevant to some storage backends.
+  string etag = 2;
+}
+
+// A successfully uploaded Part to be included in the final CompleteUpload request.
+message UploadPartResponse {
+  // The resulting part metadata about an uploaded part.
+  Part part = 1;
+}
+
+// The request to complete an upload. The included part numbers must match the parts successfully
+// uploaded up until this point.
+message CompleteUploadRequest {
+  // The handle to an upload to complete.
+  Upload upload = 1;
+  // The parts expected to be successfully uploaded.
+  repeated Part parts = 2;
+}
+
+// CompleteUploadResponse is the empty return value of a CompleteUpload request.
+message CompleteUploadResponse {}