diff --git a/cmd/bucket-replication.go b/cmd/bucket-replication.go
index 24fc00fe4..d2d91f4b8 100644
--- a/cmd/bucket-replication.go
+++ b/cmd/bucket-replication.go
@@ -49,6 +49,7 @@ import (
"github.com/minio/minio/internal/hash"
xhttp "github.com/minio/minio/internal/http"
xioutil "github.com/minio/minio/internal/ioutil"
+ "github.com/minio/minio/internal/kms"
"github.com/minio/minio/internal/logger"
"github.com/minio/minio/internal/once"
"github.com/tinylib/msgp/msgp"
@@ -894,7 +895,17 @@ func putReplicationOpts(ctx context.Context, sc string, objInfo ObjectInfo) (put
}

if crypto.S3KMS.IsEncrypted(objInfo.UserDefined) {
- sseEnc, err := encrypt.NewSSEKMS(objInfo.KMSKeyID(), nil)
+ // If KMS key ID replication is enabled (as by default)
+ // we include the object's KMS key ID. In any case, we
+ // always set the SSE-KMS header. If no KMS key ID is
+ // specified, MinIO is supposed to use whatever default
+ // config applies on the site or bucket.
+ var keyID string
+ if kms.ReplicateKeyID() {
+ keyID = objInfo.KMSKeyID()
+ }
+
+ sseEnc, err := encrypt.NewSSEKMS(keyID, nil)
if err != nil {
return putOpts, false, err
}
diff --git a/go.mod b/go.mod
index e1929b0a1..b32c06a33 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/minio/minio

go 1.23

+toolchain go1.23.6
+
require (
cloud.google.com/go/storage v1.46.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
diff --git a/internal/kms/config.go b/internal/kms/config.go
index 7d5952764..906e9ec1c 100644
--- a/internal/kms/config.go
+++ b/internal/kms/config.go
@@ -28,6 +28,7 @@ import (
"os"
"path/filepath"
"strings"
+ "sync"
"sync/atomic"
"syscall"
"time"
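Review bot: When `kms.ReplicateKeyID()` is false the new code in `putReplicationOpts` sends SSE-KMS with an empty key ID, so an object that was deliberately encrypted under a specific key on the source is re-encrypted under whatever default key the target applies; that is the intended escape hatch for separate KMS clusters, but it silently changes which key protects the replica and the comment should say so, e.g. `// NOTE: with MINIO_KMS_REPLICATE_KEYID=off the replica is encrypted under the target's default key, not the source object's key ID.` The comment's claim that the target "is supposed to use whatever default config applies" also depends on `encrypt.NewSSEKMS("", nil)` omitting the key-ID header rather than emitting an empty one, which is not visible in this diff and is worth confirming with a test that inspects the produced headers. Since the toggle is a process-wide environment variable, it cannot be scoped per bucket or per target; a deployment that mixes a shared-KMS target with a separate-KMS target has to pick one behavior for both, which deserves a sentence in the comment as well. `putReplicationOpts` begins and ends outside this hunk.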
@@ -64,10 +65,32 @@ const (
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" // Path to a file to read the static KMS key from
)

+// EnvKMSReplicateKeyID is an env. variable that controls whether MinIO
+// replicates the KMS key ID. By default, KMS key ID replication is enabled
+// but can be turned off.
+const EnvKMSReplicateKeyID = "MINIO_KMS_REPLICATE_KEYID"
+
const (
tlsClientSessionCacheSize = 100
)

+var replicateKeyID = sync.OnceValue(func() bool {
+ if v, ok := os.LookupEnv(EnvKMSReplicateKeyID); ok && strings.ToLower(v) == "off" {
+ return false
+ }
+ return true // by default, replicating KMS key IDs is enabled
+})
+
+// ReplicateKeyID reports whether KMS key IDs should be included when
+// replicating objects. It's enabled by default. To disable it, set:
+//
+// MINIO_KMS_REPLICATE_KEYID=off
+//
+// Some deployments use different KMS clusters with destinct keys on
+// each site. Trying to replicate the KMS key ID can cause requests
+// to fail in such setups.
+func ReplicateKeyID() bool { return replicateKeyID() }
+
// ConnectionOptions is a structure containing options for connecting
// to a KMS.
type ConnectionOptions struct {
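Review bot: The closure in `replicateKeyID` recognizes only the exact value `off`; `false`, `0`, `disabled` or a typo such as `of` silently leave key-ID replication enabled, and because the value is read inside a `sync.OnceValue` with no error path the misconfiguration is never surfaced, so an operator who believes they have disabled it will instead see replication requests fail in exactly the cross-KMS setups the doc comment describes. I would accept only `on`/`off` (using `strings.EqualFold(v, "off")` rather than `strings.ToLower(v) == "off"`) and reject or at least log any other value at startup, assuming the package has access to the same validation helpers the rest of the config code uses, which this hunk does not show. The value is also read once and never refreshed, which is fine but should be stated on the var: `// Read once on first use; changing the env. variable requires a restart.` The doc comment on `ReplicateKeyID` has a typo, `destinct` should be `distinct`.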