Code Room
System designHard
Question
Design a key-management service (KMS) for a cloud platform that provides encryption keys to thousands of internal services and customer-managed-key (BYOK) tenants for encrypting data at rest. It must do envelope encryption at 200k cryptographic ops/sec with p99 under 10ms, support customer-controlled key rotation and revocation (a customer revoking their key must render their data unreadable), and keep root key material inside HSMs. Cover the key hierarchy, envelope encryption, rotation, and the BYOK trust/revocation model.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
Learn the concepts
Loading whiteboard…
Run or narrate your approach, then ask the coach.