8aa18a20a2
* Add documentation for Managed Keys - Add concept, sys/api and pki updates related to managed keys * Review feedback - Reworked quite a bit of the existing documentation based on feedback and a re-reading - Moved the managed keys out of the concepts section and into the enterprise section * Address broken links and a few grammar tweaks * add documentation for AWS KMS managed keys * a couple small fixes * # Conflicts: # website/content/api-docs/secret/pki.mdx # website/content/api-docs/system/managed-keys.mdx # website/content/docs/enterprise/managed-keys.mdx * docs updates * # Conflicts: # sdk/version/version_base.go # vault/seal_autoseal_test.go # website/content/api-docs/system/managed-keys.mdx # website/content/docs/enterprise/managed-keys.mdx * remove endpoint env var * Document Azure Key Vault parameters for managed keys. * docs changes for aws kms managed keys Co-authored-by: Steve Clark <steven.clark@hashicorp.com> Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
43 lines
1.5 KiB
Plaintext
---
layout: docs
page_title: Managed Keys
description: >-
  Managed Keys is a system in Vault that defers all private key operations to a third party system.
---

# Managed Keys

In some environments, customers want to use key management systems external
to Vault for handling, storing, and interacting with private key material, or
are required to do so by compliance standards.

To satisfy these requirements, Vault has a centralized configuration that
different secrets engines can plug into, allowing them to delegate these
operations to a trusted external KMS.

## Namespace support

Every configured Managed Key is bound to a given namespace, defaulting to the
root namespace. A secrets engine's mount path must exist within the same
namespace as the Managed Key it intends to use.

## Backend Support

Managed Keys were developed to support different types of external backends.
At this time the supported backends are PKCS#11, AWS KMS, and Azure Key Vault.
Support for additional integrations may be added in the future.

## Plugin Support

The [PKI Secrets Engine](/api/secret/pki#managed-keys) has been integrated
with Managed Keys to offer certificate generation, for both root and
intermediate PKI paths, using private keys held in an external trusted KMS.

## API

Managed Keys can be managed over the HTTP API. Please see
[Managed Keys API](/api-docs/system/managed-keys) for more details.

To configure the PKI secrets engine with Managed Keys, please see
[PKI Secret API](/api/secret/pki#managed-keys).
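The following script is an added example and is not part of the Vault documentation or the Vault code base. It walks through the flow the page describes for the AWS KMS backend: register a Managed Key bound to a namespace, allow a single PKI mount in that namespace to use it, and generate a root CA whose private key stays in KMS. The namespace, key name, KMS key ARN, mount path and common name are constructed placeholders; the parameter names (`kms_key`, `region`, `allow_generate_key`, `allow_store_key`, `any_mount`, `-allowed-managed-keys`, `managed_key_name`) are the author's reading of the `sys/managed-keys` and PKI APIs and should be checked against the API docs for your Vault Enterprise version.

```shell
#!/usr/bin/env sh
# Added example (not from the Vault docs): Managed Key registration and use
# from the PKI secrets engine via the Vault CLI. All values are constructed
# placeholders; parameter names are assumptions to verify against the API docs.
set -eu

VAULT_NS="${VAULT_NS:-ns1}"                 # key and PKI mount must share this namespace
KEY_NAME="${KEY_NAME:-pki-root-kms}"        # constructed Managed Key name
KMS_KEY="${KMS_KEY:-arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID}"
REGION="${REGION:-us-east-1}"
PKI_MOUNT="${PKI_MOUNT:-pki}"
ROOT_CN="${ROOT_CN:-example-internal-root}"

# Execute a command only when APPLY=1 and the vault CLI is installed;
# otherwise print it, so the whole sequence can be reviewed before it runs.
run() {
  if [ "${APPLY:-0}" = "1" ] && command -v vault >/dev/null 2>&1; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# 1. Register the AWS KMS key as a Managed Key inside the namespace.
#    allow_store_key=false: Vault never imports key material into KMS.
#    any_mount=false: no secrets engine may use the key until a mount is
#    explicitly allowed (step 2), which is the least-privilege default.
register_key() {
  run vault write -namespace="$VAULT_NS" "sys/managed-keys/awskms/$KEY_NAME" \
    kms_key="$KMS_KEY" region="$REGION" \
    allow_generate_key=true allow_store_key=false any_mount=false
}

# 2. Allow exactly one PKI mount, in the same namespace, to use the key.
allow_mount() {
  run vault secrets tune -namespace="$VAULT_NS" \
    -allowed-managed-keys="$KEY_NAME" "$PKI_MOUNT"
}

# 3. Generate the root CA through the kms variant of the endpoint. Signing is
#    delegated to KMS and the private key is never returned to the caller.
generate_root() {
  run vault write -namespace="$VAULT_NS" "$PKI_MOUNT/root/generate/kms" \
    managed_key_name="$KEY_NAME" common_name="$ROOT_CN" ttl=87600h
}

# 4. Read the key back to confirm the mount allowlist and usage flags.
show_key() {
  run vault read -namespace="$VAULT_NS" "sys/managed-keys/awskms/$KEY_NAME"
}

main() {
  register_key
  allow_mount
  generate_root
  show_key
}

main
```

Run it once without `APPLY=1` to see the four commands it would issue, then with `APPLY=1` against a Vault Enterprise cluster whose AWS credentials (environment or instance profile) can use the KMS key. Keeping `any_mount=false` and granting access per mount with `-allowed-managed-keys` confines the KMS-backed key to the one PKI mount that needs it.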