The Key Management Framework (KMF) is centered around managing cryptographic modules. Use these modules to select a cryptographic mechanism and define where it is applied on your instance.

Cryptographic modules are the centerpiece of KMF. They define the specific cryptographic mechanisms used for cryptographic operations for a given use case.

For example, suppose you want to secure the data in your Human Resources application using AES-CBC with a 256-bit symmetric key. You can create a module for that purpose.

Cryptographic modules also support key life-cycle management. You can create and rotate your cryptographic keys, and define your encryption method. Cryptographic modules are composed of the following components:

Cryptographic specification
Defines aspects of your module, including its cryptographic purpose and which algorithms to use.
Cryptographic keys
The key your module uses to encode or decode cryptographic data. This key can be generated by your instance, or it can be a customer-supplied key that you create and upload.
Module access policies
Module access policies are the access control mechanisms that place limits on whether data can be encrypted or decrypted.
Module policy exceptions
A control mechanism to define exceptions to a module access policy.

The following screen shows these high-level components in a cryptographic module:

Figure 1. Cryptographic module components

For details on creating cryptographic modules, see Create a cryptographic module.