Exploring the Key Management Framework

  • Release version: Australia
  • Updated March 12, 2026

    Learn about the components of the Key Management Framework (KMF), and how to use them to manage how cryptographic operations are performed on your instance.

    Components of the Key Management Framework

    KMF configuration overview
    Key Management Framework consists of the following components.
    Cryptographic modules

    KMF is centered around managing cryptographic modules. These modules act as the parent record for the other components. They define what data on your instance is encrypted, and what method of encryption to use. Using multiple modules, you can encrypt different areas of your instance with different specifications.

    For example, you can create a module that encrypts the data in your Human Resources application so that only users with a specific role can access it. You could then create another module to encrypt Incident descriptions so that they are visible only to certain users, based on a script you create.

    Cryptographic modules are found by navigating to All > Key Management > Cryptographic Modules > All. For more information on these modules, see Cryptographic module overview.

    Module keys

    Cryptographic keys are strings of characters used in cryptography. When used together with a cryptographic algorithm, they can encode or decode your data. These keys are used by the cryptographic specifications assigned to your modules. You can choose to use a key generated by ServiceNow, or upload your own key.

    You can access the module keys for a cryptographic module in the Module Keys related list in cryptographic module records. For more information on module keys, see Instance level keys in the Key Management Framework.

    Cryptographic specifications

    A cryptographic specification defines algorithms used to encrypt your data. These algorithms use a cryptographic key to encode or decode your data. Assigning a cryptographic specification to the module determines how the data assigned to that module is encrypted.

    You can access the cryptographic specifications for a cryptographic module in the Crypto Specifications related list in cryptographic module records. For more information on cryptographic specifications, see Cryptographic specification overview.

    Module access policies

    Module access policies (MAPs) are the access controls you apply to your cryptographic modules. Use these policies to determine which users and scripts can access data encrypted by a cryptographic module.

    Find module access policies by selecting the View access policies link in cryptographic module records. For more information, see Module access policy overview.

    Key Management Framework workflow

    1. Assign KMF roles
    Administrators must begin by assigning themselves the sn_kmf.admin role. This role enables you to use KMF features and assign KMF roles to other users.
    2. Configure KMF settings
    Configure your field encryption settings to select either supplied keys or your own customer-supplied keys (CSK) for encryption.
    3. Create cryptographic modules
    Use cryptographic modules to select a set of data on your instance to be encrypted. In later steps, you assign a cryptographic specification to determine how to encrypt this data, and a module access policy to determine who can decrypt the data.
    4. Create a cryptographic specification
    The cryptographic specification defines a method of encryption. Once assigned to a module, it defines how the data assigned to that module is encrypted.
    5. Create module access policies
    After creating modules to secure your data, create module access policies to control which users and scripts are able to access the encrypted data.
    6. Create a cryptographic module life-cycle policy
    These policies place limits on cryptographic modules, such as how long a cryptographic key is valid. These policies can safeguard your cryptographic modules by limiting their exposure.
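
The relationship between the components configured in steps 3 to 6, as an added conceptual model in JavaScript (not ServiceNow code and not a ServiceNow API). All function, role, and script names are hypothetical, and refusing new encryption once a key is past its limit is this sketch's own choice.

```javascript
// Conceptual model only: every name here is hypothetical, not a ServiceNow API.
const nodeCrypto = require("node:crypto");

// Step 4: a cryptographic specification names the algorithm a module uses.
const aes256Gcm = { algorithm: "aes-256-gcm", keyBytes: 32, ivBytes: 12 };

// Steps 3 and 6: the module is the parent record for its specification, key,
// access policies, and the life-cycle limit on how long the key is valid.
function createModule(name, spec, maxKeyAgeMs, now = Date.now()) {
  const key = { material: nodeCrypto.randomBytes(spec.keyBytes), createdAt: now };
  return { name, spec, key, maxKeyAgeMs, accessPolicies: [] };
}

// Step 5: a module access policy (MAP) grants access to a role or a script.
function addAccessPolicy(mod, policy) {
  mod.accessPolicies.push(policy);
}

// Assumption of this sketch: no matching policy means no access.
function isAllowed(mod, caller) {
  return mod.accessPolicies.some((p) =>
    (p.type === "role" && (caller.roles || []).includes(p.value)) ||
    (p.type === "script" && caller.script === p.value));
}

function encrypt(mod, caller, plaintext, now = Date.now()) {
  if (!isAllowed(mod, caller)) throw new Error(`MAP denied access to ${mod.name}`);
  if (now - mod.key.createdAt > mod.maxKeyAgeMs) {
    throw new Error("key is past its life-cycle limit; rotate before encrypting");
  }
  const iv = nodeCrypto.randomBytes(mod.spec.ivBytes);
  const cipher = nodeCrypto.createCipheriv(mod.spec.algorithm, mod.key.material, iv);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, data, tag: cipher.getAuthTag() };
}

function decrypt(mod, caller, box) {
  // The access policy is checked before the key is ever touched.
  if (!isAllowed(mod, caller)) throw new Error(`MAP denied access to ${mod.name}`);
  const d = nodeCrypto.createDecipheriv(mod.spec.algorithm, mod.key.material, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.data), d.final()]).toString("utf8");
}

// Constructed sample: an HR module readable by one role and one named script.
const hrModule = createModule("hr_module", aes256Gcm, 90 * 24 * 60 * 60 * 1000);
addAccessPolicy(hrModule, { type: "role", value: "hr_reader" });
addAccessPolicy(hrModule, { type: "script", value: "HRExportJob" });
const sealed = encrypt(hrModule, { roles: ["hr_reader"] }, "constructed HR note");
console.log(decrypt(hrModule, { script: "HRExportJob" }, sealed));
```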

    Key Management Framework benefits

    | Benefit | Feature | Users |
    |---|---|---|
    | Protect your sensitive and proprietary data. | Encryption and key Management | All |
    | Maintain compliance with NIST 800-57 guidelines. These guidelines are provided by the National Institute of Standards and Technology to reduce cybersecurity risk to your networks and data. | Encryption and key Management | Security administrators |
    | Use the Key Management Framework to generate, upload, view, and manage your cryptographic keys. Use key rotation for manual or scheduled rotation of your keys for increased security. | Key Management Framework | Security administrators |