Product Security Engineer - Cryptography & PKI

• Design & manage end-to-end cryptographic services (PKI, key lifecycle)

• Stand up HSM infrastructure as the root-of-trust for firmware signing and IoT endpoint authentication

• Lead HSM vendor evaluation, procurement, installation, configuration and integration

• Architect key management at scale—from hundreds of devices today to 1 million+ over time

• Design remote device attestation mechanisms (fTPM/OP-TEE or equivalent) tied back to the HSM root-of-trust

• Build and automate secure firmware/bootloader signing pipelines

• Define trust infrastructure and author key-generation, provisioning, rotation and destruction processes

• Secure build/artifact pipelines, code-signing workflows

• Develop factory provisioning architecture for mass key/certificate distribution

• Support the development of secure communication protocols

• Collaborate as an individual contributor with ProdSec, Cloud Infra, device and SecOps teams

• Experience deploying and operating HSM appliances

• Experience architecting PKI for large-scale IoT deployments

• Strong knowledge of device attestation flows (fTPM/OP-TEE or similar)

• Linux proficiency and scripting (Python, Bash) for CA, HSM and provisioning automation

• Solid secure firmware signing and code-integrity practices

• Ability to create, enforce, and document robust crypto-process playbooks, including the development and maintenance of Certificate Policies (CP) and Certification Practice Statements (CPS) to support enterprise PKI governance.

Nice to Have:

• Vendor-specific HSM credentials or labs (Thales, Utimaco, AWS CloudHSM)

• NVIDIA Orin or similar SoC platform experience

• Background in post-quantum crypto evaluation and migration planning

• Familiarity with large-scale factory provisioning tools (KMIP gateways, ACME/SCEP)

• ProdSec/supply-chain security expertise (SBOMs, CI/CD hardening)

• Experience in C/C++/Rust/GoLang (in addition to Python / Bash)

• GoLang preferred

• Additional security certifications