Cryptographic module overview
The Key Management Framework (KMF) is centered around managing cryptographic modules. Use these modules to select a cryptographic mechanism and to define where it is applied on your instance.
Cryptographic modules are the centerpiece of KMF. They define the specific cryptographic mechanisms used for a given use case.
For example, if you want to secure the data in your Human Resources application with AES-CBC and a 256-bit symmetric key, you can create a module for that purpose.
Cryptographic modules also support key life-cycle management. You can create and rotate your cryptographic keys, and define your encryption method. Cryptographic modules are composed of the following components:
- Cryptographic specification: Defines which algorithm to use for encryption and where the key comes from. All keys use the Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC), but you can select either a 128-bit or a 256-bit key. This specification covers both asymmetric and symmetric key-based cryptographic operations. Note: Symmetric encryption uses a single key for both encryption and decryption. Asymmetric encryption uses a pair of keys, a public key for encryption and a private key for decryption.
- Cryptographic keys: The key your module uses to encrypt or decrypt data. This key can be generated by your instance, or it can be a customer-supplied key that you create and upload.
- Module access policies: The access control mechanisms that limit whether data can be encrypted or decrypted.
- Module policy exceptions: A control mechanism for defining exceptions to a module access policy.
The following screen shows these high-level components in a cryptographic module:
For details on creating cryptographic modules, see Create a cryptographic module.
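As an added example (not ServiceNow's KMF code), the shell script below models a cryptographic module with openssl: the specification fixes AES-CBC and a 128- or 256-bit key, keys are versioned, and a rotation mints a new key version and re-encrypts a record under it while older versions stay readable. It assumes openssl is on PATH and uses a scratch directory as a constructed key store.

```shell
# Minimal "cryptographic module" modelled with openssl (constructed example).
# Spec = cipher (AES-CBC) + key size (128 or 256 bits); keys are versioned so
# that rotation creates a new key without losing access to older ciphertext.
# Assumptions: openssl on PATH; key material kept in a scratch directory.
set -eu

KMF_DIR="${KMF_DIR:-$(mktemp -d)}"   # constructed key store, one file per version
KMF_BITS="${KMF_BITS:-256}"          # spec: 128 or 256
echo 0 > "$KMF_DIR/current"

# Create a new key version and make it the current key. Prints the version.
kmf_create_key() {
    v=$(( $(cat "$KMF_DIR/current") + 1 ))
    openssl rand -hex $(( KMF_BITS / 8 )) > "$KMF_DIR/key.v$v"
    echo "$v" > "$KMF_DIR/current"
    echo "$v"
}

# Encrypt stdin under the current key. Output record: "v<ver>:<iv hex>:<base64>".
# The version tag is what lets decryption keep working after a later rotation.
kmf_encrypt() {
    v=$(cat "$KMF_DIR/current")
    iv=$(openssl rand -hex 16)                       # fresh IV per record
    ct=$(openssl enc "-aes-${KMF_BITS}-cbc" -K "$(cat "$KMF_DIR/key.v$v")" -iv "$iv" -a -A)
    echo "v$v:$iv:$ct"
}

# Decrypt a "v<ver>:<iv>:<base64>" record from stdin with the key version it names.
kmf_decrypt() {
    IFS=: read -r tag iv ct
    v=${tag#v}
    [ -f "$KMF_DIR/key.v$v" ] || { echo "unknown key version $v" >&2; return 1; }
    echo "$ct" | openssl enc -d "-aes-${KMF_BITS}-cbc" -K "$(cat "$KMF_DIR/key.v$v")" -iv "$iv" -a -A
}

# Rotate: mint a new key version, then re-encrypt the record on stdin under it.
kmf_rotate() {
    rec=$(cat)
    kmf_create_key > /dev/null
    echo "$rec" | kmf_decrypt | kmf_encrypt
}
```

Because each record carries its key version, data encrypted before a rotation remains decryptable until you retire the old version deliberately.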