Product Security Engineer - Cryptography & PKI

Design & manage end-to-end cryptographic services (PKI, key lifecycle)

Stand up HSM infrastructure as the root-of-trust for firmware signing and IoT endpoint authentication

Lead HSM vendor evaluation, procurement, installation, configuration and integration

Architect key management at scale—from hundreds of devices today to 1 million+ over time

Design remote device attestation mechanisms (fTPM/OP-TEE or equivalent) tied back to the HSM root-of-trust

Build and automate secure firmware/bootloader signing pipelines

Define trust infrastructure and author key-generation, provisioning, rotation and destruction processes

Secure build/artifact pipelines, code-signing workflows

Develop factory provisioning architecture for mass key/certificate distribution

Support the development of secure communication protocols

Collaborate as an individual contributor with ProdSec, Cloud Infra, device and SecOps teams

Requirements

• Experience deploying and operating HSM appliances
• Experience architecting PKI for large-scale IoT deployments
• Strong knowledge of device attestation flows (fTPM/OP-TEE or similar)
• Linux proficiency and scripting (Python, Bash) for CA, HSM and provisioning automation
• Solid secure firmware signing and code-integrity practices
• Ability to create, enforce, and document robust crypto-process playbooks, including the development and maintenance of Certificate Policies (CP) and Certification Practice Statements (CPS) to support enterprise PKI governance.

Nice To Have:

• Vendor-specific HSM credentials or labs (Thales, Utimaco, AWS CloudHSM)
• NVIDIA Orin or similar SoC platform experience
• Background in post-quantum crypto evaluation and migration planning
• Familiarity with large-scale factory provisioning tools (KMIP gateways, ACME/SCEP)
• ProdSec/supply-chain security expertise (SBOMs, CI/CD hardening)
• Experience in C/C++/Rust/GoLang (in addition to Python / Bash)

• Golang Preferred

• Additional Security Certifications