Principal Engineer, Security Products - Cryptography and Key Lifecycle Management

CoreWeave is The Essential Cloud for AI™. Built for pioneers by pioneers, CoreWeave delivers a platform of technology, tools, and teams that enables innovators to build and scale AI with confidence. Trusted by leading AI labs, startups, and global enterprises, CoreWeave combines superior infrastructure performance with deep technical expertise to accelerate breakthroughs and turn compute into capability. Founded in 2017, CoreWeave became a publicly traded company (Nasdaq: CRWV) in March 2025. Learn more at

The Security Products organization at CoreWeave builds the identity, encryption, and self-managed security integrations that protect AI workloads and data across our cloud platform. If you are passionate about building foundational security primitives that enable enterprises and the top AI labs in the world to deploy regulated and security-sensitive workloads at extreme scale, this is the team to join!

About the role

CoreWeave is seeking a Staff or Principal Engineer for our Security Products team to lead the technical direction and implementation of encryption and key lifecycle management In this role, you'll design and evolve the key lifecycle management, encryption control planes, algorithm/library selection, and systems integrations that allow CoreWeave customers to deploy sensitive, high security AI workloads and data. You'll partner closely with teams across CoreWeave to develop customer-driven cryptography technology. Your day-to-day will blend hands-on system design and coding with cross-team technical leadership, design reviews, and roadmap shaping for Security Products.

In this role, you will:

• Lead the design and evolution of encryption and key lifecycle management products.
• Manage encryption and cryptography technology development for services within our Cloud Platform, particularly those for high security and highly regulated customers.
• Design and build deep integrations between our Cloud Platform and external key sources (eg, HashiCorp Vault, AWS KMS, HSMs).
• Collaborate with other product engineering teams to support the safe use of multicloud key management technology.
• Partner with IAM to define unified authorization patterns and policy models for key management APIs with consistent semantics across the resource hierarchy.
• Establish SLIs / SLOs for Remote Key Encryption (RKE) and related services, including availability, latency, and durability guarantees for key retrieval and encryption operations.
• Partner with the Security Engineering team on threat modeling and corporate strategy to enable the most sensitive AI workloads in the world to be deployed on CoreWeave's infrastructure.
• Author and review detailed technical designs and RFCs for new RKE capabilities, mentor other engineers on the team, and provide technical leadership across Security Products and adjacent organizations.

Who You Are

• 12+ years of experience building and operating distributed backend systems in production, including ownership of reliability and security outcomes for critical services.
• Deep experience with encryption at rest and key management systems, including envelope encryption patterns, key hierarchies and secure key lifecycle management.
• Hands-on experience integrating with at least one major KMS or secrets manager (e.g., AWS KMS, HashiCorp Vault, Azure Key Vault, GCP KMS, HSMs), including designing APIs and workflows around those systems.
• Strong proficiency in a systems programming language such as Go (preferred) or Rust, with experience building networked services (gRPC / REST) in a Linux / Kubernetes environment.
• Solid understanding of applied cryptography concepts relevant to data-at-rest protection (AES-GCM/CTR, key wrapping, KDFs, randomness requirements, envelope encryption, and key separation) with the ability to reason about threat models and failure modes with Security partners.
• Experience designing and operating multi-tenant services with strong isolation and authorization semantics across customers and internal tenants.
• Demonstrated track record of leading cross-team technical initiatives, driving projects from problem statement through rollout, alignment, and operational readiness.
• Strong operational experience defining SLIs / SLOs, building dashboards and alerts, and partnering with SRE / Production Engineering on incident response and post-incident improvement.
• Excellent written and verbal communication skills with the ability to produce clear, opinionated design docs that influence Senior Engineers, PMs, and Security stakeholders through context setting and sound technical judgment

Preferred (if applicable)

• Prior experience designing or implementing remote or externalized key management for cloud storage, databases, or filesystems (e.g., BYOK/BYOKMS, customer-managed keys, envelope encryption for S3-like object storage).
• Experience with hardware-backed key management (HSMs) and cryptographic compliance regimes (FIPS 140-2/3, PCI, HIPAA, FedRAMP Moderate+, or similar) and how they shape system design.
• Familiarity with IAM policy models (RBAC / ABAC, OpenFGA, OPA/Rego, etc.) and how to integrate fine-grained authorization into security-sensitive APIs.
• Experience extending encryption and key management across multiple storage domains (object storage, block/file storage, databases, control plane state like etcd) in a coherent way.
• Background working in security-sensitive or regulated environments where auditability, segregation of duties, and key custody requirements are critical.
• Contributions to open source cryptography, security tooling, or KMS/client libraries.
• Previous US/NATO federal cryptographic security experience is ideal but not necessary.

Wondering if you're a good fit?

We believe in investing in our people, and value candidates who can bring their own diversified experiences to our teams - even if you aren't a 100% skill or experience match. Here are a few qualities we've found compatible with our team. If some of this describes you, we'd love to talk.

• You care deeply about getting the cryptographic and operational details right, and you're comfortable saying "no" to shortcuts that weaken security or key custody guarantees.
• You're excited by the challenge of building foundational security primitives that other product teams and large enterprises will build on for years.
• You enjoy working at the intersection between Platform, Storage, IAM, and Security Engineering, and you can translate between those domains without losing the plot.
• You're skilled at turning complex requirements for highly regulated customers into simple, reliable, well-documented APIs and workflows.
• You're comfortable operating in a fast-moving environment, iterating quickly while still holding a high bar for design review, testing, and safe rollout of security-sensitive changes.

The base salary range for this role is $206,000 to $303,000. The starting salary will be determined based on job-related knowledge, skills, experience, and market location. We strive for both market alignment and internal equity when determining compensation. In addition to base salary, our total rewards package includes a discretionary bonus, equity awards, and a comprehensive benefits program (all based on eligibility).


What We Offer

The range we've posted represents the typical compensation range for this role. To determine actual compensation, we review the market rate for each candidate which can include a variety of factors. These include qualifications, experience, interview performance, and location.

In addition to a competitive salary, we offer a variety of benefits to support your needs. The benefits below reflect our US-based offerings; for roles in other locations, benefits vary and are shared during the hiring process. These include:

• Medical, dental, and vision insurance - 100% paid for by CoreWeave
• Company-paid Life Insurance
• Voluntary supplemental life insurance
• Short and long-term disability insurance
• Flexible Spending Account
• Health Savings Account
• Tuition Reimbursement
• Ability to Participate in Employee Stock Purchase Program (ESPP)
• Mental Wellness Benefits through Spring Health
• Family-Forming support provided by Carrot
• Paid Parental Leave
• Flexible, full-service childcare support with Kinside
• 401(k) with a generous employer match
• Flexible PTO
• Catered lunch each day in our office and data center locations
• A casual work environment
• A work culture focused on innovative disruption

California Applicants

California Consumer Privacy Act


Equal Opportunity & Accommodations

CoreWeave is an equal opportunity employer, committed to fostering an inclusive and supportive workplace. All qualified applicants and candidates will receive consideration for employment without regard to race, color, religion, sex, disability, age, sexual orientation, gender identity, national origin, veteran status, or genetic information.

As part of this commitment and consistent with the Americans with Disabilities Act (ADA), CoreWeave will ensure that qualified applicants and candidates with disabilities are provided reasonable accommodations for the hiring process, unless such accommodation would cause an undue hardship. If reasonable accommodation is needed, please contact: View email address on click.appcast.io.

Export Control Compliance

This position requires access to export controlled information. To conform to U.S. Government export regulations applicable to that information, applicant must either be (A) a U.S. person, defined as a (i) U.S. citizen or national, (ii) U.S. lawful permanent resident (green card holder), (iii) refugee under 8 U.S.C. § 1157, or (iv) asylee under 8 U.S.C. § 1158, (B) eligible to access the export controlled information without a required export authorization, or (C) eligible and reasonably likely to obtain the required export authorization from the applicable U.S. government agency. CoreWeave may, for legitimate business reasons, decline to pursue any export licensing process.