Use etcdctl to directly inspect the secret's value in the etcd database. The output should show that the KMS provider has encrypted the data.
The output will be unreadable and begin with the k8s:enc:kms:v2:eskm: header. This header proves that the KMS plugin successfully encrypted the secret data before storing it in etcd.
Verify Encryption