f374938d31
* Fix all '/api/' to '/api-docs/' * Minor fixes * Undo some of the unintentional changes
43 lines
1.5 KiB
Plaintext
---
layout: docs
page_title: Managed Keys
description: >-
  Managed Keys is a system in Vault that defers all private key operations to a third-party system.
---

# Managed Keys

Within certain environments, customers want to leverage key management systems
external to Vault when handling, storing, and interacting with private key
material, or are required to do so by applicable standards.

To satisfy these requirements, Vault has a centralized configuration that
different secrets engines can plug into, allowing them to delegate these
operations to a trusted external KMS.

## Namespace support

Every configured Managed Key is bound to a given namespace, defaulting to the
root namespace. Any secrets engine's mount path must exist within the same
namespace as the Managed Key that it intends to use.

## Backend Support

Managed Keys were developed to support different types of external backends. At
this time the supported backends are PKCS#11, AWS KMS and Azure Key Vault.
Support for additional integrations may be added in the future.

## Plugin Support

The [PKI Secrets Engine](/api-docs/secret/pki#managed-keys) has been integrated
with Managed Keys to offer certificate generation, for both root and intermediate
PKI paths, leveraging private keys from an external trusted KMS.

## API

Managed Keys can be managed over the HTTP API. Please see
[Managed Keys API](/api-docs/system/managed-keys) for more details.

To configure the PKI secrets engine with Managed Keys, please see the
[PKI Secret API](/api-docs/secret/pki#managed-keys).
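As an added example (not from the Vault documentation or the Vault project), the following script wires a PKCS#11 managed key into a PKI mount the way the sections above describe: register the key, restrict which mount may use it, then generate a root CA whose private key stays on the HSM. The key name `hsm-key`, the `kms_library` stanza name `myhsm`, the SoftHSM library path, slot, key label, `HSM_PIN` variable, mount path and `example.com` are all assumptions.

```shell
#!/usr/bin/env sh
# Added example, not Vault project code. Assumes Vault Enterprise with this
# kms_library stanza in the server configuration (stanza name is assumed):
#   kms_library "pkcs11" {
#     name    = "myhsm"
#     library = "/usr/lib/softhsm/libsofthsm2.so"
#   }
set -eu

KEY_NAME="hsm-key"   # assumed managed key name
MOUNT="pki"          # assumed PKI mount path

# Build the sys/managed-keys API path for one of the three backends the docs
# list (PKCS#11, AWS KMS, Azure Key Vault); reject anything else.
managed_key_api_path() {
  case "$1" in
    pkcs11|awskms|azurekeyvault) printf 'sys/managed-keys/%s/%s\n' "$1" "$2" ;;
    *) echo "unsupported managed key backend: $1" >&2; return 1 ;;
  esac
}

# 1. Register the key. It is bound to the namespace the CLI is operating in
#    (root here); any_mount=false means each mount must be explicitly allowed.
register_managed_key() {
  vault write "$(managed_key_api_path pkcs11 "$KEY_NAME")" \
    library="myhsm" slot="0" pin="$HSM_PIN" \
    key_label="vault-root-ca" mechanism="0x0001" \
    allow_generate_key=true any_mount=false
}

# 2. Enable PKI in the same namespace and allow only this mount to use the key.
enable_pki_mount() {
  vault secrets enable -path="$MOUNT" pki
  vault secrets tune -allowed-managed-keys="$KEY_NAME" "$MOUNT"
}

# 3. Generate the root CA with type "kms": the private key is created on the
#    HSM and never leaves it; Vault stores only a reference to the key.
generate_hsm_root() {
  vault write "$MOUNT/root/generate/kms" \
    managed_key_name="$KEY_NAME" \
    common_name="example.com Root CA" ttl="87600h"
}

# Run the procedure only when a Vault CLI and an HSM PIN are available.
if command -v vault >/dev/null 2>&1 && [ -n "${HSM_PIN:-}" ]; then
  register_managed_key && enable_pki_mount && generate_hsm_root
fi
```

Because `any_mount=false` and the mount tune names one key, a second PKI mount in the same namespace cannot use `hsm-key` until it is tuned the same way.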