Key Manager
Configure the Trust Domain Server to generate and use signing keys inside an external KMS or HSM. With a Key Manager configured, private signing key material is created and stored within the external service — the Trust Domain Server never receives or holds the private key bytes. Every signing operation is a call to the KMS, which returns a signature without exposing the key.
By default, signing keys are generated by the Trust Domain Server and stored in a Kubernetes CRD (encrypted at rest by a Key Encrypting Key). The pages below describe how to move key generation and signing into an external service so that signing key material never exists outside the KMS boundary.
Key Manager is configured through Managed Config using the KeyManager section, applied per trust domain deployment. Changes take effect automatically. No server or agent restart is required.
A Key Manager eliminates the window in which signing keys exist in server memory, but it introduces a runtime dependency: the KMS must be reachable for every SVID issuance. If your primary concern is protecting stored key material rather than removing keys from server memory, configure Key Wrapping instead. Key Wrapping encrypts signing keys at rest without changing where signing operations happen.
For an in-depth look at how key management works and guidance on choosing the right approach, see the Signing Key Management Guide.
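The following Go program is an added illustration of the trade-off described above; it is not the Trust Domain Server's code and does not use any real KMS SDK. A constructed in-process ExternalKMS stands in for AWS KMS, Azure Key Vault or GCP Cloud KMS: the private key is generated and kept inside it, the server-side KMSSigner holds only a key ID and the public key, and every signature is a call that fails when the KMS is unreachable. The WrappedSigner beside it models Key Wrapping: the private key is stored AES-GCM-encrypted under a key-encrypting key and is unwrapped into server memory for each signing operation. All type and function names (Signer, ExternalKMS, KMSSigner, WrappedSigner, IssueSVID) and the "svid:" payload format are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Signer is all the server needs from a key store; neither method hands out private key bytes.
type Signer interface {
	Sign(msg []byte) ([]byte, error)
	Public() ed25519.PublicKey
}
// ExternalKMS is a constructed stand-in for an external KMS/HSM: private keys live here only.
type ExternalKMS struct {
	keys        map[string]ed25519.PrivateKey
	Unreachable bool // set to model the runtime dependency on the KMS
}
// CreateKey generates a key pair inside the KMS and hands back a handle carrying only the public half.
func (k *ExternalKMS) CreateKey(id string) (*KMSSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if k.keys == nil {
		k.keys = map[string]ed25519.PrivateKey{}
	}
	k.keys[id] = priv
	return &KMSSigner{kms: k, keyID: id, pub: pub}, nil
}

// Sign runs inside the KMS and fails outright when the KMS cannot be reached.
func (k *ExternalKMS) Sign(id string, msg []byte) ([]byte, error) {
	if k.Unreachable {
		return nil, errors.New("kms unreachable")
	}
	priv, ok := k.keys[id]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return ed25519.Sign(priv, msg), nil
}
// KMSSigner is the server-side view of a Key Manager key: a key ID plus public key, signing delegated to the KMS.
type KMSSigner struct {
	kms   *ExternalKMS
	keyID string
	pub   ed25519.PublicKey
}

func (s *KMSSigner) Sign(msg []byte) ([]byte, error) { return s.kms.Sign(s.keyID, msg) }
func (s *KMSSigner) Public() ed25519.PublicKey      { return s.pub }
// WrappedSigner models Key Wrapping instead: the private key is stored AES-GCM-encrypted under a KEK and unwrapped to sign.
type WrappedSigner struct {
	gcm            cipher.AEAD // AEAD keyed with the key-encrypting key
	nonce, wrapped []byte
	pub            ed25519.PublicKey
}

func NewWrappedSigner(kek []byte) (*WrappedSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedSigner{gcm: gcm, nonce: nonce, wrapped: gcm.Seal(nil, nonce, priv, nil), pub: pub}, nil
}

// Sign unwraps first: while it runs, the private key is in server memory, the window a Key Manager removes.
func (s *WrappedSigner) Sign(msg []byte) ([]byte, error) {
	priv, err := s.gcm.Open(nil, s.nonce, s.wrapped, nil)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), msg), nil
}
func (s *WrappedSigner) Public() ed25519.PublicKey { return s.pub }

// IssueSVID signs a constructed SVID-like payload with whichever Signer the deployment is configured with.
func IssueSVID(s Signer, spiffeID string) (payload, sig []byte, err error) {
	payload = []byte("svid:" + spiffeID)
	if sig, err = s.Sign(payload); err != nil {
		return nil, nil, err
	}
	return payload, sig, nil
}
```

With a KMSSigner, flipping ExternalKMS.Unreachable makes IssueSVID fail, which is the availability dependency the page warns about; with a WrappedSigner, issuance keeps working without the KMS but the unwrapped private key passes through server memory on every call. The Signer interface is the point at which a deployment chooses between the two.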
AWS KMS
Store signing keys in AWS KMS.
Azure Key Vault
Store signing keys in Azure Key Vault.
Extension (Custom)
Integrate any KMS or HSM via webhook.
GCP Cloud KMS
Store signing keys in Google Cloud KMS.