diff --git a/.golangci.yml b/.golangci.yml
index 29c11da10..565d002af 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -54,6 +54,7 @@ linters:
 checks:
 - SA4029
 - SA5008
+ - SA9004
 - ST1016
 - ST1020
 exclusions:
diff --git a/api/keyring.go b/api/keyring.go
index f528b3261..7a6656843 100644
--- a/api/keyring.go
+++ b/api/keyring.go
@@ -43,10 +43,10 @@ type RootKeyState string
 const (
 RootKeyStateInactive RootKeyState = "inactive"
- RootKeyStateActive = "active"
- RootKeyStateRekeying = "rekeying"
- RootKeyStateDeprecated = "deprecated"
- RootKeyStatePrepublished = "prepublished"
+ RootKeyStateActive RootKeyState = "active"
+ RootKeyStateRekeying RootKeyState = "rekeying"
+ RootKeyStateDeprecated RootKeyState = "deprecated"
+ RootKeyStatePrepublished RootKeyState = "prepublished"
 )
 // List lists all the keyring metadata
diff --git a/command/agent/config_parse.go b/command/agent/config_parse.go
index 5fd8eb333..afd023c66 100644
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@@ -363,7 +363,7 @@ func extraKeys(c *Config) error {
 helper.RemoveEqualFold(&c.ExtraKeysHCL, "keyring")
 for _, provider := range c.KEKProviders {
- helper.RemoveEqualFold(&c.ExtraKeysHCL, provider.Provider)
+ helper.RemoveEqualFold(&c.ExtraKeysHCL, provider.Provider.String())
 }
 // Remove reporting extra keys
diff --git a/helper/pool/conn.go b/helper/pool/conn.go
index 9e863c08f..5f4a52dfb 100644
--- a/helper/pool/conn.go
+++ b/helper/pool/conn.go
@@ -7,12 +7,12 @@ type RPCType byte
 const (
 RpcNomad RPCType = 0x01
- RpcRaft = 0x02
- RpcMultiplex = 0x03
- RpcTLS = 0x04
- RpcStreaming = 0x05
+ RpcRaft RPCType = 0x02
+ RpcMultiplex RPCType = 0x03
+ RpcTLS RPCType = 0x04
+ RpcStreaming RPCType = 0x05
 // RpcMultiplexV2 allows a multiplexed connection to switch modes between
 // RpcNomad and RpcStreaming per opened stream.
- RpcMultiplexV2 = 0x06
+ RpcMultiplexV2 RPCType = 0x06
 )
diff --git a/nomad/encrypter.go b/nomad/encrypter.go
index fa1330c5b..3893dec78 100644
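Review bot: `RootKeyStateDeprecated` in the api package gets its type fixed but still carries no comment, while the server-side copy of this enum in nomad/structs/keyring.go (later in this diff) documents that the state is itself deprecated and that keys in it are treated as inactive. API consumers only ever see this file, so that caveat should be mirrored here, on its own line so tooling surfaces it: `// Deprecated: no longer assigned to keys; existing keys in this state are treated as RootKeyStateInactive.` The const block is complete within the hunk.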
--- a/nomad/encrypter.go
+++ b/nomad/encrypter.go
@@ -799,13 +799,13 @@ func (e *Encrypter) wrapRootKey(rootKey *structs.UnwrappedRootKey, isUpgraded bo
 }
 switch {
- case isUpgraded && provider.Provider == string(structs.KEKProviderAEAD):
+ case isUpgraded && provider.Provider == structs.KEKProviderAEAD:
 // nothing to do but don't want to hit next case
 case isUpgraded:
 wrappedKey.KeyEncryptionKey = nil
- case provider.Provider == string(structs.KEKProviderAEAD): // !isUpgraded
+ case provider.Provider == structs.KEKProviderAEAD: // !isUpgraded
 kek := wrappedKey.KeyEncryptionKey
 wrappedKey.KeyEncryptionKey = nil
 e.writeKeyToDisk(rootKey.Meta, provider, wrappedKey, kek)
@@ -830,7 +830,7 @@ func (e *Encrypter) encryptDEK(rootKey *structs.UnwrappedRootKey, provider *stru
 }
 var kek []byte
 var err error
- if provider.Provider == string(structs.KEKProviderAEAD) || provider.Provider == "" {
+ if provider.Provider == structs.KEKProviderAEAD || provider.Provider == "" {
 kek, err = crypto.Bytes(32)
 if err != nil {
 return nil, fmt.Errorf("failed to generate key wrapper key: %w", err)
@@ -847,7 +847,7 @@ func (e *Encrypter) encryptDEK(rootKey *structs.UnwrappedRootKey, provider *stru
 }
 kekWrapper := &structs.WrappedKey{
- Provider: provider.Provider,
+ Provider: provider.Provider.String(),
 ProviderID: provider.ID(),
 WrappedDataEncryptionKey: rootBlob,
 WrappedRSAKey: &kms.BlobInfo{},
diff --git a/nomad/encrypter_ce.go b/nomad/encrypter_ce.go
index 211f960f1..ea0b48303 100644
--- a/nomad/encrypter_ce.go
+++ b/nomad/encrypter_ce.go
@@ -33,7 +33,7 @@ func getProviderConfigs(srv *Server) (map[string]*structs.KEKProviderConfig, err
 if len(srv.config.KEKProviderConfigs) == 0 {
 providerConfigs[string(structs.KEKProviderAEAD)] = &structs.KEKProviderConfig{
- Provider: string(structs.KEKProviderAEAD),
+ Provider: structs.KEKProviderAEAD,
 Active: true,
 }
 }
diff --git a/nomad/structs/keyring.go b/nomad/structs/keyring.go
index 304bd421f..f9e99be1d 100644
--- a/nomad/structs/keyring.go
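Review bot: The rewritten test in encryptDEK, `provider.Provider == structs.KEKProviderAEAD || provider.Provider == ""`, still treats an empty provider name as the local AEAD provider, while the wrapRootKey hunk just above compares only `provider.Provider == structs.KEKProviderAEAD` and would route an empty name down the non-AEAD branch; the two hunks classify the same configuration differently. Whether an empty name can reach these functions depends on validation outside the hunk, but the fallback silently picks the option that keeps the KEK local (a freshly generated 32-byte key that wrapRootKey appears to write to disk alongside the wrapped DEK) instead of failing closed. Now that Provider is a named type, one predicate on KEKProviderConfig, e.g. `func (c *KEKProviderConfig) IsAEAD() bool { return c.Provider == KEKProviderAEAD || c.Provider == "" }`, used by both call sites would remove the disagreement; the alternative is to reject `""` in Validate and drop the fallback here. Both wrapRootKey and encryptDEK begin and end outside the hunks.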
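Review bot: In getProviderConfigs the default entry is still keyed by `string(structs.KEKProviderAEAD)` while the value it stores now carries the typed name and, in the encryptDEK hunk, providers are identified by `provider.ID()`; deriving the key from the config itself keeps identity in one place: `cfg := &structs.KEKProviderConfig{Provider: structs.KEKProviderAEAD, Active: true}` followed by `providerConfigs[cfg.ID()] = cfg`. The function starts outside the hunk, so I cannot see how the non-default entries are keyed — confirm they use ID() before making the change.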
+++ b/nomad/structs/keyring.go
@@ -274,19 +274,23 @@ type RootKeyMeta struct {
 // KEKProviderName enum are the built-in KEK providers.
 type KEKProviderName string
+// String returns the string representation of the KEKProviderName and satisfies
+// the fmt.Stringer interface.
+func (n KEKProviderName) String() string { return string(n) }
+
 const (
 KEKProviderAEAD KEKProviderName = "aead"
- KEKProviderAWSKMS = "awskms"
- KEKProviderAzureKeyVault = "azurekeyvault"
- KEKProviderGCPCloudKMS = "gcpckms"
- KEKProviderVaultTransit = "transit"
+ KEKProviderAWSKMS KEKProviderName = "awskms"
+ KEKProviderAzureKeyVault KEKProviderName = "azurekeyvault"
+ KEKProviderGCPCloudKMS KEKProviderName = "gcpckms"
+ KEKProviderVaultTransit KEKProviderName = "transit"
 )
 // KEKProviderConfig is the server configuration for an external KMS provider
 // the server will use as a Key Encryption Key (KEK) for encrypting/decrypting
 // the DEK.
 type KEKProviderConfig struct {
- Provider string `hcl:",key"`
+ Provider KEKProviderName `hcl:",key"`
 Name string `hcl:"name"`
 Active bool `hcl:"active"`
 Config map[string]string `hcl:"-" json:"-"`
@@ -304,7 +308,7 @@ func (c *KEKProviderConfig) Validate() error {
 return nil
 }
- switch KEKProviderName(c.Provider) {
+ switch c.Provider {
 case KEKProviderAEAD, KEKProviderAWSKMS, KEKProviderAzureKeyVault, KEKProviderGCPCloudKMS, KEKProviderVaultTransit:
 return nil
@@ -335,9 +339,9 @@ func (c *KEKProviderConfig) Merge(o *KEKProviderConfig) *KEKProviderConfig {
 func (c *KEKProviderConfig) ID() string {
 if c.Name == "" {
- return c.Provider
+ return c.Provider.String()
 }
- return c.Provider + "." + c.Name
+ return c.Provider.String() + "." + c.Name
 }
 // RootKeyState enum describes the lifecycle of a root key.
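Review bot: Changing `Provider` from `string` to `KEKProviderName` moves a named type across the HCL decoding boundary (`hcl:",key"`), which is the one place in this diff the compiler cannot vouch for; the decoder presumably assigns the block label by reflection to any string-kinded field, but a parse test of a `keyring "awskms" { ... }` block asserting `cfg.Provider == structs.KEKProviderAWSKMS` would pin that rather than leave it to assumption. The field also has no doc comment now that it is an enum; I would add `// Provider is the built-in KEK provider, one of the KEKProvider* constants; it is the label of the keyring block in server config.` The `String` comment could say what the method is for (config round-tripping, map keys, logging) rather than that it satisfies fmt.Stringer, which the signature already shows. Validate and Merge start outside the hunk.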
@@ -345,14 +349,14 @@ type RootKeyState string
 const (
 RootKeyStateInactive RootKeyState = "inactive"
- RootKeyStateActive = "active"
- RootKeyStateRekeying = "rekeying"
- RootKeyStatePrepublished = "prepublished"
+ RootKeyStateActive RootKeyState = "active"
+ RootKeyStateRekeying RootKeyState = "rekeying"
+ RootKeyStatePrepublished RootKeyState = "prepublished"
 // RootKeyStateDeprecated is, itself, deprecated and is no longer in
 // use. For backwards compatibility, any existing keys with this state will
 // be treated as RootKeyStateInactive
- RootKeyStateDeprecated = "deprecated"
+ RootKeyStateDeprecated RootKeyState = "deprecated"
 )
 // NewRootKeyMeta returns a new RootKeyMeta with default values