The Key Management Framework (KMF) architecture introduces a key structure built with security in mind. Using a Hardware Security Module (HSM), KMF uses envelope encryption to ensure that all platform keys under KMF management are protected through a chain of keys. Customer Data Encryption Keys (CDEKs) created by KMF are also included.

At the instance level, KMF defines several keys that are used internally for varying cryptographic purposes throughout the ServiceNow AI Platform.

Envelope encryption is the practice of encrypting a key with another key. The following figure provides an example of the envelope encryption. Here, CDEKs are envelope encrypted by the IKEK, which in turn is envelope encrypted by the IRK, which is finally envelope encrypted by the RK. Since the IRK can only be accessed by the HSM, the IKEK must be uploaded for decryption.

This table provides examples of a subset of available customer/app keys that are managed and protected by KMF.

KeyLocationDescription
Root Key (RK) Hardware Security Model (HSM) Root key used to decrypt the IRK.
Instance Root Key (IRK) HSM A key unique to your instance that is used to envelope-encrypt several instance internal keys.
Instance HMAC Key (IHK) Instance Unique per instance, the IHK is used internally for Hash-Based Message Authentication Code (HMAC) purposes.

The IHK helps to verify the authenticity and integrity of module keys and is wrapped on either KeySecure or the File Key Store.
Instance Key Encryption Key (IKEK) Instance

The IKEK wraps the module keys and is wrapped on either KeySecure or the File Key Store.
Instance Asymmetric Encryption Key (IAEK) Instance A key unique to your instance that is used internally for asymmetric encryption purposes.

The IAEK is used to transmit confidential messages between an instance during Key Exchange or Instance Data Replication consumer approval.
Instance Signature Key (ISK) Instance A key unique to your instance that is used internally for signing purposes.
Password2 (PW2) Instance With KMF, the key for PW2 fields is fully managed by KMF.
Customer Data Encryption Key (CDEK) Instance Encryption keys created through KMF are envelope-encrypted by the IKEK.
Instance Data Replication (IDR) Data Encryption Key (DEK) Instance Specific encryption keys used for the IDR process.