Exploring the Key Management Framework
Summary of Exploring the Key Management Framework
The Key Management Framework (KMF) in the ServiceNow Zurich release enables customers to manage cryptographic operations to secure sensitive data on their instance. It provides a structured approach to define what data is encrypted, how it is encrypted, and who can access it. KMF supports the use of multiple cryptographic modules to apply different encryption methods to various data sets, enhancing data protection and compliance.
Key Components
- Cryptographic Modules: These act as parent records that define the scope of encrypted data and specify the encryption methods used. Multiple modules allow encryption tailored to different data areas and user access controls.
- Module Keys: Cryptographic keys used with algorithms to encode or decode data. Users can generate keys within ServiceNow or upload their own. Keys are associated with modules to enable encryption.
- Cryptographic Specifications: Define the encryption algorithms and methods applied within a cryptographic module, determining how data is encrypted.
- Module Access Policies (MAPs): Control access by specifying which users or scripts can decrypt data encrypted by a cryptographic module, ensuring secure and role-based data visibility.
Workflow for Using the Key Management Framework
- Assign KMF Roles: Administrators assign themselves the sn_kmf.admin role to enable use of KMF features and role assignments.
- Configure KMF Settings: Set up field encryption preferences, choosing between ServiceNow-supplied keys or customer-supplied keys (CSK).
- Create Cryptographic Modules: Define data sets on the instance to encrypt.
- Create Cryptographic Specifications: Assign encryption methods to modules.
- Create Module Access Policies: Specify user and script access to encrypted data.
- Create Cryptographic Module Life-cycle Policies: Set limits on key validity and exposure to enhance security.
Benefits for ServiceNow Customers
- Data Protection: Secure sensitive and proprietary data through robust encryption and access control.
- Compliance: Align with NIST 800-57 cybersecurity guidelines to reduce risk and maintain regulatory compliance.
- Key Management: Generate, upload, view, and manage cryptographic keys with options for manual or scheduled key rotation to maintain encryption strength.
Additional Details
The framework supports envelope encryption to protect platform keys through a chain of keys, including Customer Data Encryption Keys (CDEKs). This layered key structure enhances key security and management within the platform.
Access to cryptographic modules, keys, specifications, and access policies is managed through the ServiceNow interface under All > Key Management > Cryptographic Modules, providing centralized control over encryption settings.
Learn about the components of the Key Management Framework (KMF), and how to use them to manage how cryptographic operations are performed on your instance.
Components of the Key Management Framework
- Cryptographic modules: KMF is centered around managing cryptographic modules. These modules act as the parent record for the other components. They define what data on your instance is encrypted, and what method of encryption to use. Using multiple modules, you can encrypt different areas of your instance with different specifications.
  For example, you can create a module to secure the data in your Human Resources application to users with a specific role. You could then create another module to encrypt Incident descriptions that are visible to certain users based on a script you create.
  Module access policies are found by navigating to . For more information on these modules, see Cryptographic module overview.
- Module keys: Cryptographic keys are strings of characters used in cryptography. When used together with a cryptographic algorithm, they can encode or decode your data. These keys are used by the cryptographic specifications assigned to your modules. You can choose to use a key generated by ServiceNow, or upload your own key.
  You can access the module keys for a cryptographic module in the Module Keys related list in cryptographic module records. For more information on module keys, see Instance level keys in the Key Management Framework.
- Cryptographic specifications: A cryptographic specification defines the algorithms used to encrypt your data. These algorithms use a cryptographic key to encode or decode your data. Assigning a cryptographic specification to the module determines how the data assigned to that module is encrypted.
  You can access the cryptographic specifications for a cryptographic module in the Crypto Specifications related list in cryptographic module records. For more information on cryptographic specifications, see Cryptographic specification overview.
- Module access policies: Module access policies (MAPs) are the access controls you apply to your cryptographic modules. Use these policies to determine which users and scripts can access data encrypted by a cryptographic module.
  Find module access policies by selecting the View access policies link in cryptographic module records. For more information, see Module access policy overview.
Key Management Framework workflow
1. Assign KMF roles: Administrators must begin by assigning themselves the sn_kmf.admin role. This role enables you to use KMF features and assign KMF roles to other users.
2. Configure KMF settings: Configure your field encryption settings to select either supplied keys or your own customer-supplied keys (CSK) for encryption.
3. Create cryptographic modules: Use cryptographic modules to select a set of data on your instance to be encrypted. In later steps, you assign a cryptographic specification to determine how to encrypt this data, and a module access policy to determine who can decrypt the data.
4. Create a cryptographic specification: The cryptographic specification defines a method of encryption. Once assigned to a module, it defines how the data assigned to that module is encrypted.
5. Create module access policies: After creating modules to secure your data, create module access policies to control which users and scripts are able to access the encrypted data.
6. Create a cryptographic module life-cycle policy: These policies place limits on cryptographic modules, such as how long a cryptographic key is valid. They safeguard your cryptographic modules by limiting their exposure.
Key Management Framework benefits
| Benefit | Feature | Users |
|---|---|---|
| Protect your sensitive and proprietary data. | Encryption and key management | All |
| Maintain compliance with NIST 800-57 guidelines. These guidelines are provided by the National Institute of Standards and Technology to reduce cybersecurity risk to your networks and data. | Encryption and key management | Security administrators |
| Use the Key Management Framework to generate, upload, view, and manage your cryptographic keys. Use key rotation for manual or scheduled rotation of your keys for increased security. | Key Management Framework | Security administrators |