Cryptographic modules are the centerpiece of the Key Management Framework (KMF). They define the specific cryptographic mechanisms used for cryptographic operations in a given use case.

A cryptographic module applies the cryptographic mechanism of your choice to a use case that you define. For example, if you want to secure the data in your HR application using AES-CBC with a 256-bit symmetric key, you can create a module for that purpose.

Cryptographic modules also support key life-cycle management. You can create and rotate your cryptographic keys, and define your encryption method. Cryptographic modules are composed of the following components:

Cryptographic specification
Defines aspects of your module, including its cryptographic purpose and which algorithms to use.
Cryptographic keys
The key your module uses to encode or decode cryptographic data. This can be a key generated by your instance, or a customer-supplied key you create and upload.
Module access policies
Module access policies are the access control mechanisms that place limits on whether data can be encrypted or decrypted.
Module policy exceptions
A control mechanism to define exceptions to a module access policy.

The following screen shows these high-level components in a cryptographic module:

Figure 1. Cryptographic module components

For details on creating cryptographic modules, see Create a cryptographic module.