---
layout: docs
page_title: Managed Keys
description: >-
  Managed Keys is a system in Vault that defers all private key operations to a
  third-party system.
---

# Managed Keys

Within certain environments, customers want to leverage key management systems external to Vault when handling, storing, and interacting with private key material, or are required to do so by standards requirements. To satisfy these requirements, Vault has a centralized configuration that different secrets engines can plug into, allowing them to delegate these operations to a trusted external KMS.

## Namespace support

Every configured Managed Key is bound to a given namespace, defaulting to the root namespace. Any secrets engine's mount path must exist within the same namespace as the Managed Key it intends to use.

## Backend Support

Managed Keys were developed to support different types of external backends. At this time, the supported backends are PKCS#11, AWS KMS, and Azure Key Vault. Support for additional integrations may be added in the future.

## Plugin Support

The [PKI Secrets Engine](/api/secret/pki#managed-keys) has been integrated with Managed Keys to offer certificate generation, for both root and intermediary PKI paths, leveraging private keys from an external trusted KMS.

## API

Managed Keys can be managed over the HTTP API. Please see [Managed Keys API](/api-docs/system/managed-keys) for more details. To configure the PKI secrets engine with Managed Keys, please see [PKI Secret API](/api/secret/pki#managed-keys).