HashiCorp Vault Managed Keys
Within certain environments, organizations are required to, or want to, leverage key management systems external to Vault when handling, storing, and interacting with private key material. To satisfy these requirements, Vault has a centralized abstraction called managed keys that different secrets engines can plug into, allowing them to delegate these operations to a trusted external KMS.

Minimally, a managed key consists of a named managed key entry managed by the sys/managed-keys API. Besides a name, there are backend-specific configurations to access the key in question. For PKCS#11 (HSM) backed managed keys, the managed key configuration must reference a kms_library stanza (https://developer.hashicorp.com/vault/docs/configuration/kms-library) that points to a PKCS#11 access library on the host machine.

Note that a configured, named managed key corresponds to a single key within a backend. You can configure more than one managed key targeting a single backend by creating multiple managed keys with the API.

Namespace support
Every configured managed key is bound to a given namespace, defaulting to the root namespace. Each secrets engine mount path must exist within the same namespace as the managed key it intends to use.

Backend support
Managed keys were developed to support different types of external backends. Currently, supported backends include PKCS#11, AWS KMS, Azure Key Vault, and Google Cloud KMS. We expect to add support for additional integrations in the future.

Secret and auth engine support
The PKI secrets engine (https://developer.hashicorp.com/vault/api-docs/secret/pki#managed-keys), integrated with managed keys, offers certificate generation and root and intermediary PKI paths, leveraging private keys from an external trusted KMS. The Transit secrets engine (https://developer.hashicorp.com/vault/api-docs/secret/transit#managed-keys) enables you to generate and verify cryptographic signatures with managed keys. In some cases, you can also encrypt and decrypt data or generate MACs and HMACs. These operations are performed on the KMS or the HSM that hosts the managed key material. Even more engines will leverage managed keys in the future.

API
You can manage keys over the HTTP API; see the managed keys API (https://developer.hashicorp.com/vault/api-docs/system/managed-keys) for more details. To configure the PKI secrets engine with managed keys, see the PKI secret API (https://developer.hashicorp.com/vault/api-docs/secret/pki#managed-keys).
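The following is an added example, not Vault's own code: a preflight check that models the rules above (a PKCS#11 key must reference a kms_library stanza, a mount may only use an allowed managed key from its own namespace) and lists the API calls to create the key and generate a PKI root with it. Backend type names and request field names (library, allowed_managed_keys, managed_key_name) follow Vault's API docs; all sample values are constructed.

```python
"""Added example: preflight checks for binding a Vault managed key to a PKI mount.
Field names follow Vault's API docs; every value used here is constructed."""
from dataclasses import dataclass

SUPPORTED_BACKENDS = {"pkcs11", "awskms", "azurekeyvault", "gcpckms"}

@dataclass
class KmsLibrary:            # one kms_library stanza from the server config
    name: str
    library: str             # path to the PKCS#11 access library on the host

@dataclass
class ManagedKey:            # one entry under sys/managed-keys/<backend>/<name>
    name: str
    backend: str
    config: dict             # backend-specific access configuration
    namespace: str = "root"  # managed keys default to the root namespace

@dataclass
class PkiMount:
    path: str
    allowed_managed_keys: list
    namespace: str = "root"

def check_managed_key(key: ManagedKey, libraries: list) -> list:
    """Return problems with the key entry; an empty list means it is consistent."""
    problems = []
    if key.backend not in SUPPORTED_BACKENDS:
        problems.append(f"unsupported backend {key.backend!r}")
    # PKCS#11 keys must point at a kms_library stanza by its name.
    if key.backend == "pkcs11" and key.config.get("library") not in {lib.name for lib in libraries}:
        problems.append("pkcs11 key references no configured kms_library stanza")
    return problems

def check_mount_binding(mount: PkiMount, key: ManagedKey) -> list:
    # A mount may only use a managed key that lives in its own namespace and is allowed on it.
    problems = []
    if mount.namespace != key.namespace:
        problems.append(f"mount {mount.path} is in namespace {mount.namespace!r}, key in {key.namespace!r}")
    if key.name not in mount.allowed_managed_keys:
        problems.append(f"{key.name} is not in allowed_managed_keys of {mount.path}")
    return problems

def plan_requests(key: ManagedKey, mount: PkiMount, common_name: str) -> list:
    """HTTP API calls (method, path, body) that create the key and issue a root with it."""
    return [
        ("POST", f"sys/managed-keys/{key.backend}/{key.name}", key.config),
        ("POST", f"sys/mounts/{mount.path}/tune", {"allowed_managed_keys": mount.allowed_managed_keys}),
        ("POST", f"{mount.path}/root/generate/kms", {"managed_key_name": key.name, "common_name": common_name}),
    ]
```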