Exploring the Key Management Framework

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 7 minutes
  • Learn about the components of the Key Management Framework (KMF), and how to use them to manage how cryptographic operations are performed on your instance.

    Components of the Key Management Framework

    KMF configuration overview
    Key Management Framework consists of the following components.
    Cryptographic modules

    KMF is centered around managing cryptographic modules. These modules act as the parent record for the other components. They define what data on your instance is encrypted, and what method of encryption to use. Using multiple modules, you can encrypt different areas of your instance with different specifications.

    For example, you can create a module that restricts the data in your Human Resources application to users with a specific role. You could then create another module to encrypt Incident descriptions that are visible to certain users based on a script you create.

    Cryptographic modules are found by navigating to All > Key Management > Cryptographic Modules > All. For more information on these modules, see Cryptographic module overview.

    Module keys

    Cryptographic keys are strings of characters used in cryptography. When used together with a cryptographic algorithm, they can encode or decode your data. These keys are used by the cryptographic specifications assigned to your modules. You can choose to use a key generated by ServiceNow, or upload your own key.

    You can access the module keys for a cryptographic module in the Module Keys related list in cryptographic module records. For more information on module keys, see Instance level keys in the Key Management Framework.

    Cryptographic specifications

    A cryptographic specification defines algorithms used to encrypt your data. These algorithms use a cryptographic key to encode or decode your data. Assigning a cryptographic specification to the module determines how the data assigned to that module is encrypted.

    You can access the cryptographic specifications for a cryptographic module in the Crypto Specifications related list in cryptographic module records. For more information on cryptographic specifications, see Cryptographic specification overview.

    Module access policies

    Module access policies (MAPs) are the access controls you apply to your cryptographic modules. Use these policies to determine which users and scripts can access data encrypted by a cryptographic module.

    Find module access policies by selecting the View access policies link in cryptographic module records. For more information, see Module access policy overview.

    Key Management Framework workflow

    1. Assign KMF roles
    Administrators must begin by assigning themselves the sn_kmf.admin role. This role enables you to use KMF features and assign KMF roles to other users.
    2. Configure KMF settings
    Configure your field encryption settings to select either supplied keys or your own customer-supplied keys (CSK) for encryption.
    3. Create cryptographic modules
    Use cryptographic modules to select a set of data on your instance to be encrypted. In later steps, you assign a cryptographic specification to determine how to encrypt this data, and a module access policy to determine who can decrypt the data.
    4. Create a cryptographic specification
    The cryptographic specification defines a method of encryption. Once assigned to a module, it defines how the data assigned to that module is encrypted.
    5. Create module access policies
    After creating modules to secure your data, create module access policies to control which users and scripts are able to access the encrypted data.
    6. Create a cryptographic module life-cycle policy
    These policies place limits on cryptographic modules, such as how long a cryptographic key is valid. These policies can safeguard your cryptographic modules by limiting their exposure.

    Key Management Framework benefits

    | Benefit | Feature | Users |
    |---|---|---|
    | Protect your sensitive and proprietary data. | Encryption and key Management | All |
    | Maintain compliance with NIST 800-57 guidelines. These guidelines are provided by the National Institute of Standards and Technology to reduce cybersecurity risk to your networks and data. | Encryption and key Management | Security administrators |
    | Use the Key Management Framework to generate, upload, view, and manage your cryptographic keys. Use key rotation for manual or scheduled rotation of your keys for increased security. | Key Management Framework | Security administrators |