Senior Security Engineer, PKI & Secrets

About The Position

Requirements

• (5)+ years of experience in security engineering or infrastructure engineering.
• Strong understanding of PKI concepts including CA hierarchies, certificate profiles, issuance policies, revocation, and trust distribution.
• Hands-on experience operating HashiCorp Vault or similar secrets management platforms in production.
• Experience with hardware security modules (HSMs), PKCS#11 interfaces, and key ceremony procedures.
• Solid understanding of applied cryptography: symmetric and asymmetric algorithms, digital signatures, envelope encryption, and TLS.
• Proficiency in Go, Python, or similar languages, with the ability to build production tooling and automation.
• Experience with Kubernetes, including cert-manager, trust-manager, or External Secrets Operator.
• Demonstrated ability to drive cross-functional initiatives across infrastructure, platform, and product teams.

Nice To Haves

• Experience operating PKI backed by HSMs in a cloud provider or hyperscaler environment.
• Familiarity with code signing workflows (Authenticode, Cosign/Sigstore, transparency logs, timestamping).
• Experience with KMS design, including customer-managed keys and multi-tenant key isolation.
• Understanding of hardware attestation and workload identity (TPM, SPDM, SPIFFE/SPIRE).
• Exposure to post-quantum cryptography standards and migration planning.

Responsibilities

• Contribute to the design, implementation, and operation of CoreWeave's PKI infrastructure, including CA hierarchies, issuance policies, certificate lifecycle management, and trust distribution across Kubernetes clusters and bare-metal hosts.
• Manage and evolve secrets management platforms, including access policies, secret lifecycle governance, and integration patterns using External Secrets Operator and cert-manager.
• Operate and scale HSM infrastructure, including PKCS#11 integration, key ceremony procedures, and high-availability designs backing our certificate authorities and signing services.
• Contribute to the design of key management and data encryption solutions for internal and customer-facing use cases, including envelope encryption and KMS API design.
• Deliver PKI-based solutions supporting workload identity, mutual TLS, and hardware attestation.
• Maintain and extend code signing infrastructure for firmware images, UEFI binaries, container images, and application binaries.
• Develop and enforce cryptographic best practices and policies, and contribute to post-quantum cryptography readiness.

Benefits

• Medical, dental, and vision insurance - 100% paid for by CoreWeave
• Company-paid Life Insurance
• Voluntary supplemental life insurance
• Short and long-term disability insurance
• Flexible Spending Account
• Health Savings Account
• Tuition Reimbursement
• Ability to Participate in Employee Stock Purchase Program (ESPP)
• Mental Wellness Benefits through Spring Health
• Family-Forming support provided by Carrot
• Paid Parental Leave
• Flexible, full-service childcare support with Kinside
• 401(k) with a generous employer match
• Flexible PTO
• Catered lunch each day in our office and data center locations
• A casual work environment
• A work culture focused on innovative disruption