# Senior Security Engineer, PKI & Secrets

**Company**: CoreWeave
**Location**: Livingston, NJ / New York, NY / Sunnyvale, CA / Bellevue, WA / San Francisco, CA
**Work arrangement**: hybrid
**Experience**: senior
**Job type**: full-time
**Salary**: $165,000 to $242,000
**Category**: Engineering
**Industry**: Technology

**Apply**: https://job-boards.greenhouse.io/coreweave/jobs/4676207006
**Canonical**: https://yubhub.co/jobs/job_666411c5-ac3

## Description

As a Senior Security Engineer on the PKI & Secrets team, you will shape how CoreWeave manages cryptographic infrastructure across its global fleet. You'll design and operate PKI hierarchies, secrets management platforms, HSM infrastructure, and key management systems, working hands-on with engineering teams to integrate these capabilities into their services and workflows.

Key responsibilities include:

- Contributing to the design, implementation, and operation of CoreWeave's PKI infrastructure, including CA hierarchies, issuance policies, certificate lifecycle management, and trust distribution across Kubernetes clusters and bare-metal hosts.

- Managing and evolving secrets management platforms, including access policies, secret lifecycle governance, and integration patterns using External Secrets Operator and cert-manager.

- Operating and scaling HSM infrastructure, including PKCS#11 integration, key ceremony procedures, and high-availability designs backing our certificate authorities and signing services.

- Contributing to the design of key management and data encryption solutions for internal and customer-facing use cases, including envelope encryption and KMS API design.

- Delivering PKI-based solutions supporting workload identity, mutual TLS, and hardware attestation.

- Maintaining and extending code signing infrastructure for firmware images, UEFI binaries, container images, and application binaries.

- Developing and enforcing cryptographic best practices and policies, and contributing to post-quantum cryptography readiness.

Requirements include:

- 5+ years of experience in security engineering or infrastructure engineering.

- Strong understanding of PKI concepts including CA hierarchies, certificate profiles, issuance policies, revocation, and trust distribution.

- Hands-on experience operating HashiCorp Vault or similar secrets management platforms in production.

- Experience with hardware security modules (HSMs), PKCS#11 interfaces, and key ceremony procedures.

- Solid understanding of applied cryptography: symmetric and asymmetric algorithms, digital signatures, envelope encryption, and TLS.

- Proficiency in Go, Python, or similar languages, with the ability to build production tooling and automation.

- Experience with Kubernetes, including cert-manager, trust-manager, or External Secrets Operator.

- Demonstrated ability to drive cross-functional initiatives across infrastructure, platform, and product teams.

Preferred qualifications include experience operating PKI backed by HSMs in a cloud provider or hyperscaler environment, familiarity with code signing workflows, and understanding of hardware attestation and workload identity.

## Skills

### Required
- PKI
- secrets management
- HSM
- key management
- applied cryptography
- symmetric and asymmetric algorithms
- digital signatures
- envelope encryption
- TLS
- Go
- Python
- Kubernetes
- cert-manager
- trust-manager
- External Secrets Operator

### Nice to have
- PKI backed by HSMs
- code signing workflows
- hardware attestation
- workload identity
