Staff Security Engineer (PKI & Secrets)

TL;DR

Staff Security Engineer (PKI & Secrets): Designing and operating cryptographic infrastructure and secrets management to secure AI workloads across a global fleet with an accent on PKI hierarchies, HSMs, and key management. Focus on scaling certificate lifecycle management, implementing envelope encryption, and ensuring post-quantum cryptography readiness.

Location: Hybrid in Livingston, NJ, New York, NY, Sunnyvale, CA, or Bellevue, WA. Remote may be considered for specialized skill sets if located >30 miles from an office. Must be a U.S. person (citizen, green card holder, etc.) to comply with export control regulations.

Salary: $188,000 – $275,000

Company

hirify.global is a specialized cloud provider delivering high-performance infrastructure designed to enable innovators to build and scale AI.

What you will do

• Design, implement, and operate PKI infrastructure, including CA hierarchies and certificate lifecycle management across Kubernetes and bare-metal hosts.
• Manage secrets management platforms and integrate them using External Secrets Operator and cert-manager.
• Scale HSM infrastructure, including PKCS#11 integration and high-availability designs for signing services.
• Develop key management and data encryption solutions, including envelope encryption and KMS API design.
• Maintain code signing infrastructure for firmware images, container images, and application binaries.
• Establish cryptographic best practices and contribute to post-quantum cryptography readiness.

Requirements

• 8+ years of experience in security or infrastructure engineering.
• Deep understanding of PKI concepts, CA hierarchies, issuance policies, and trust distribution.
• Hands-on production experience operating HashiCorp Vault or similar secrets management platforms.
• Experience with hardware security modules (HSMs) and PKCS#11 interfaces.
• Proficiency in Go or Python for building production-grade tooling and automation.
• Experience with Kubernetes, including cert-manager and trust-manager.

Nice to have

• Experience operating HSM-backed PKI in a cloud provider or hyperscaler environment.
• Familiarity with code signing workflows (Cosign, Sigstore, Authenticode).
• Knowledge of hardware attestation and workload identity (TPM, SPIFFE/SPIRE).
• Exposure to post-quantum cryptography standards.

Culture & Benefits

• 100% company-paid medical, dental, and vision insurance.
• 401(k) with generous employer match and Employee Stock Purchase Program (ESPP).
• Flexible PTO and paid parental leave.
• Comprehensive mental wellness and family-forming support.
• Catered lunch provided daily at office and data center locations.