Skip to main content
Within certain environments, organizations are required to or want to leverage key management systems external to Vault when handling, storing, and interacting with private key material. To satisfy these requirements, Vault has a centralized abstraction called Managed Keys that different secrets engines can plug into, allowing them to delegate these operations to a trusted external KMS. Minimally, a managed key consists of a named managed key entry managed by the sys/managed-key API. Besides a name, there are backend-specific configurations to access the key in question. For PKCS#11 (HSM) backed managed keys, the managed key configuration must reference a kms library stanza that points to a PKCS#11 access library on the host machine. Note that a configured, named managed key corresponds to a single key within a backend. You can configure more than one managed key targeting a single backend by creating multiple managed keys with the API.

Namespace support

Every configured Managed Key is bound to a given namespace, defaulting to the root namespace. Each secrets engine mount path must exist within the same namespace as the Managed Key it intends to use.

Backend support

Managed Keys were developed to support different types of external backends. Currently, supported backends include PKCS#11, AWS KMS, Azure Key Vault, and Google Cloud KMS. We expect to add support for additional integrations in the future.

Secret and auth engine support

The PKI Secrets Engine, integrated with Managed Keys, offers certificate generation and root and intermediary PKI paths, leveraging private keys from an external trusted KMS. The Transit Secrets Engine enables you to generate and verify cryptographic signatures with Managed Keys. Sometimes, you can encrypt and decrypt data or generate MACs and HMACs. Perform these operations on KMS or the HSM that hosts the Managed Key material. Even more engines will leverage managed keys in the future.

API

You can manage keys over the HTTP API. See Managed Keys API for more details. To configure the PKI secrets engine with managed keys, see PKI Secret API.