Principal Engineer, Security Products — Cryptography and Key Lifecycle Management

CoreWeave•New York, NY

2d•Hybrid

About The Position

The Security Products organization at CoreWeave builds the identity, encryption, and self-managed security integrations that protect AI workloads and data across our cloud platform. If you are passionate about building foundational security primitives that enable enterprises and the top AI labs in the world to deploy regulated and security‑sensitive workloads at extreme scale, this is the team to join! CoreWeave is seeking a Staff or Principal Engineer for our Security Products team to lead the technical direction and implementation of encryption and key lifecycle management. In this role, you’ll design and evolve the key lifecycle management, encryption control planes, algorithm/library selection, and systems integrations that allow CoreWeave customers to deploy sensitive, high security AI workloads and data. You’ll partner closely with teams across CoreWeave to develop customer-driven cryptography technology. Your day‑to‑day will blend hands‑on system design and coding with cross‑team technical leadership, design reviews, and roadmap shaping for Security Products.

Requirements

8+ years of experience building and operating distributed backend systems in production, including ownership of reliability and security outcomes for critical services.
Deep experience with encryption at rest and key management systems, including envelope encryption patterns, key hierarchies and secure key lifecycle management.
Hands-on experience integrating with at least one major KMS or secrets manager (e.g., AWS KMS, HashiCorp Vault, Azure Key Vault, GCP KMS, HSMs), including designing APIs and workflows around those systems.
Strong proficiency in a systems programming language such as Go (preferred) or Rust, with experience building networked services (gRPC / REST) in a Linux / Kubernetes environment.
Solid understanding of applied cryptography concepts relevant to data‑at‑rest protection (AES‑GCM/CTR, key wrapping, KDFs, randomness requirements, envelope encryption, and key separation) with the ability to reason about threat models and failure modes with Security partners.
Experience designing and operating multi‑tenant services with strong isolation and authorization semantics across customers and internal tenants.
Demonstrated track record of leading cross‑team technical initiatives, driving projects from problem statement through rollout, alignment, and operational readiness.
Strong operational experience defining SLIs / SLOs, building dashboards and alerts, and partnering with SRE / Production Engineering on incident response and post‑incident improvement.
Excellent written and verbal communication skills with the ability to produce clear, opinionated design docs that influence Senior Engineers, PMs, and Security stakeholders through context setting and sound technical judgment

Nice To Haves

Prior experience designing or implementing remote or externalized key management for cloud storage, databases, or filesystems (e.g., BYOK/BYOKMS, customer‑managed keys, envelope encryption for S3‑like object storage).
Experience with hardware‑backed key management (HSMs) and cryptographic compliance regimes (FIPS 140‑2/3, PCI, HIPAA, FedRAMP Moderate+, or similar) and how they shape system design.
Familiarity with IAM policy models (RBAC / ABAC, OpenFGA, OPA/Rego, etc.) and how to integrate fine‑grained authorization into security‑sensitive APIs.
Experience extending encryption and key management across multiple storage domains (object storage, block/file storage, databases, control plane state like etcd) in a coherent way.
Background working in security‑sensitive or regulated environments where auditability, segregation of duties, and key custody requirements are critical.
Contributions to open source cryptography, security tooling, or KMS/client libraries.
Previous US/NATO federal cryptographic security experience is ideal but not necessary.

Responsibilities

Lead the design and evolution of encryption and key lifecycle management products.
Manage encryption and cryptography technology development for services within our Cloud Platform, particularly those for high security and highly regulated customers.
Design and build deep integrations between our Cloud Platform and external key sources (eg, HashiCorp Vault, AWS KMS, HSMs).
Collaborate with other product engineering teams to support the safe use of multicloud key management technology.
Partner with IAM to define unified authorization patterns and policy models for key management APIs with consistent semantics across the resource hierarchy.
Establish SLIs / SLOs for Remote Key Encryption (RKE) and related services, including availability, latency, and durability guarantees for key retrieval and encryption operations.
Partner with the Security Engineering team on threat modeling and corporate strategy to enable the most sensitive AI workloads in the world to be deployed on CoreWeave's infrastructure.
Author and review detailed technical designs and RFCs for new RKE capabilities, mentor other engineers on the team, and provide technical leadership across Security Products and adjacent organizations.