Question
Design a multi-tenant key-management service (KMS) with HSM-backed signing for a cloud platform. It must perform 50K sign/encrypt operations per second, never expose key material outside the HSM boundary, support per-tenant key hierarchies with rotation and versioning, and give a cryptographic audit trail of every operation. Threat model: a compromised application host, a malicious operator, and the requirement that no single person can exfiltrate a customer master key. Cover the key hierarchy, how HSMs are pooled for throughput and HA, rotation without breaking old ciphertext, and the trust boundary.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
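A runnable sketch of the parts of this design that are easiest to get subtly wrong, added here as an illustration and not part of the original question: the key hierarchy (HSM root key, derived per-tenant customer master key (CMK) versions, per-request data keys), envelope encryption where every wrapped data key names the CMK version that wrapped it so rotation never breaks old ciphertext, and a hash-chained, keyed audit trail. Everything is stdlib-only, so the AEAD (`seal`/`open_`, an HMAC-SHA256 keystream with an HMAC tag) and the HMAC-based audit signature are stand-ins for the AES-GCM and asymmetric signing a real HSM would provide; the class and function names (`Hsm`, `app_encrypt`, `verify_audit`, and so on) are hypothetical. HSM pooling, HA and the quorum control for export are not modelled.

```python
"""Toy multi-tenant KMS hierarchy: HSM root -> per-tenant CMK versions -> per-request
DEKs, with rotation that keeps old ciphertext readable and a chained, keyed audit trail.
Stdlib only: a real HSM uses AES-GCM and an asymmetric audit-signing key; seal/open_
here are a stand-in (HMAC-SHA256 keystream + HMAC tag). Illustrative, not for deployment."""
import hashlib
import hmac
import os

def hkdf(ikm: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style keystream from HMAC(key, nonce || counter), XORed over data.
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: nonce || ciphertext || tag, with aad bound into the tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(hkdf(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(hkdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, aad: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(hkdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")  # wrong key, tenant or version
    return _xor_stream(hkdf(key, b"enc"), nonce, ct)

class Hsm:
    """Underscore members model state that never crosses the HSM boundary."""
    def __init__(self) -> None:
        self._root = os.urandom(32)      # every tenant CMK is derived from this
        self._versions = {}              # tenant -> current CMK version
        self._prev = b"\x00" * 32        # head of the audit chain
        self.audit = []                  # (record, chained MAC); readable by auditors
        self.audit_key = os.urandom(32)  # stand-in for the audit signing key pair

    def _cmk(self, tenant: str, version: int) -> bytes:
        # Derived per version, so rotating never requires re-wrapping existing DEKs.
        return hkdf(self._root, f"cmk|{tenant}|{version}".encode())

    def _log(self, op: str, tenant: str, version: int) -> None:
        rec = f"{len(self.audit)}|{op}|{tenant}|v{version}".encode()
        self._prev = hmac.new(self.audit_key, self._prev + rec, hashlib.sha256).digest()
        self.audit.append((rec, self._prev))

    def audit_head(self) -> bytes:
        return self._prev  # attested chain head, so an auditor can detect truncation

    def create_cmk(self, tenant: str) -> None:
        self._versions[tenant] = 1
        self._log("create_cmk", tenant, 1)

    def rotate_cmk(self, tenant: str) -> int:
        self._versions[tenant] += 1      # new wraps use it; older versions still unwrap
        self._log("rotate_cmk", tenant, self._versions[tenant])
        return self._versions[tenant]

    def generate_data_key(self, tenant: str) -> tuple:
        """Return (plaintext DEK for immediate use, wrapped DEK to store with the data)."""
        v = self._versions[tenant]
        header = f"{tenant}|v{v}|".encode()  # names the CMK version that wrapped it
        dek = os.urandom(32)
        self._log("generate_data_key", tenant, v)
        return dek, header + seal(self._cmk(tenant, v), header, dek)

    def unwrap_data_key(self, wrapped: bytes) -> bytes:
        tenant_b, vtag, blob = wrapped.split(b"|", 2)
        tenant, v = tenant_b.decode(), int(vtag[1:])
        if not 1 <= v <= self._versions.get(tenant, 0):
            raise ValueError("unknown tenant or CMK version")
        dek = open_(self._cmk(tenant, v), tenant_b + b"|" + vtag + b"|", blob)
        self._log("unwrap_data_key", tenant, v)
        return dek

def verify_audit(audit_key: bytes, audit: list, head: bytes = None) -> bool:
    """Recompute the chain: an edited, dropped or reordered record breaks it; comparing
    the last MAC to the HSM-attested head also catches truncation at the tail."""
    prev = b"\x00" * 32
    for i, (rec, mac) in enumerate(audit):
        want = hmac.new(audit_key, prev + rec, hashlib.sha256).digest()
        if not rec.startswith(f"{i}|".encode()) or not hmac.compare_digest(mac, want):
            return False
        prev = mac
    return head is None or hmac.compare_digest(prev, head)

def app_encrypt(hsm: Hsm, tenant: str, plaintext: bytes) -> tuple:
    # Envelope encryption on the app host: the DEK is used once and persisted only wrapped.
    dek, wrapped = hsm.generate_data_key(tenant)
    return wrapped, seal(dek, wrapped, plaintext)  # wrapped DEK bound as AAD

def app_decrypt(hsm: Hsm, envelope: tuple) -> bytes:
    wrapped, ct = envelope
    return open_(hsm.unwrap_data_key(wrapped), wrapped, ct)
```

Two details carry most of the design weight. The wrapped DEK header names the CMK version, and that header is also the AEAD's associated data, so a compromised host cannot re-label tenant A's wrapped key as tenant B's and ask the HSM to unwrap it; after `rotate_cmk` the HSM keeps deriving old versions on demand, so ciphertext written under v1 is still readable while new writes use v2, and re-wrapping can be a lazy background job rather than a flag day. On the audit side, a hash chain alone detects edits and reordering but not truncation at the tail; the verifier also has to compare the last link with a head value the HSM attests to (here `audit_head()`), which is the reason the chain head should be anchored somewhere the operator cannot rewrite.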