63 lines
2.6 KiB
Plaintext
63 lines
2.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Managed Keys
|
|
description: >-
|
|
Managed Keys is a system in Vault that defers all private key operations to a third party system.
|
|
---
|
|
|
|
# Managed Keys
|
|
|
|
|
|
Within certain environments, customers want to leverage key management systems
|
|
external to Vault, when handling, storing, and interacting with
|
|
private key material, or are required to do so by standards requirements.
|
|
|
|
To satisfy these requirements, Vault has a centralized abstraction called
|
|
*Managed Keys* that different secrets engines can plug into, allowing them to
|
|
delegate these operations to a trusted external KMS.
|
|
|
|
Minimally, a managed key consists of a named managed key entry managed by the
|
|
[`sys/managed-key`](/vault/api-docs/system/managed-keys) API. Besides a name,
|
|
there are backend specific configurations to access the key in question.
|
|
|
|
For PKCS#11 (HSM) backed managed keys, the managed key configuration must
|
|
reference a [kms library stanza](/vault/docs/configuration/kms-library) which points
|
|
to a PKCS#11 access library on the host machine.
|
|
|
|
Note that a configured, named managed key corresponds to a single key within
|
|
a backend. More than one managed key can be configured targeting a single
|
|
backend by creating multiple managed keys with the API.
|
|
|
|
## Namespace support
|
|
|
|
Every configured Managed Key is bound to a given namespace, defaulting to the
|
|
root namespace. Any secrets engine's mount path must exist within the same namespace
|
|
as the Managed Key for which it intends to use.
|
|
|
|
## Backend Support
|
|
|
|
Managed Keys were developed to support different types of external backends. At
|
|
this time supported backends are PKCS#11, AWS KMS, Azure Key Vault, and Google
|
|
Cloud KMS. Support for additional integrations may be added in the future.
|
|
|
|
## Secret and Auth Engine Support
|
|
|
|
The [PKI Secrets Engine](/vault/api-docs/secret/pki#managed-keys) has been integrated
|
|
with Managed Keys to offer certificate generation, both root and intermediary
|
|
PKI paths, leveraging private keys from an external trusted KMS.
|
|
|
|
The [Transit Secrets Engine](/vault/api-docs/secret/transit#managed-keys) allows users
|
|
to generate and verify cryptographic signatures with Managed Keys, and in some cases encrypt
|
|
and decrypt data, or generate MACs and HMACs. These operations are performed on the KMS or HSM
|
|
that hosts the Managed Key material.
|
|
|
|
More engines may leverage managed keys in the future.
|
|
|
|
## API
|
|
|
|
Managed Keys can be managed over the HTTP API. Please see
|
|
[Managed Keys API](/vault/api-docs/system/managed-keys) for more details.
|
|
|
|
To configure PKI secrets engine with Managed Keys please see
|
|
[PKI Secret API](/vault/api-docs/secret/pki#managed-keys)
|