External Key Management Service
External Key Management Service (EKMS) enables you to integrate Field Encryption with your own external key management systems.
External Key Management Service (EKMS) enables you to maintain direct control over the encryption keys that protect your data within the ServiceNow platform. Rather than storing keys within the ServiceNow infrastructure, you can generate, store, and manage them in a dedicated key management system. This approach permits you to adopt cloud-based enterprise services while maintaining control over your sensitive data.
You maintain authority over key lifecycle operations, including generation, rotation, and revocation, allowing you to respond immediately to security events. This permits you to remove keys from your system, rendering your data cryptographically inaccessible.
Supported Providers
Currently, EKMS supports AWS Key Management Service (AWS KMS). Future releases will include support for additional key management providers.
Key Limitations
- Only one EKMS configuration can be created per instance.
- Multiple EKMS configurations are not supported.
- Multiple external keys cannot be used simultaneously.
How EKMS Works
EKMS uses a key wrapping chain to secure data:
- A Key Encryption Key (KEK) is generated in the ServiceNow instance.
- The KEK is wrapped using an AWS KMS key.
- The wrapped KEK is stored in the External Instance Keys table.
- The Data Encryption Keys (DEKs) for a cryptographic module are then wrapped by the externally wrapped KEK.
- Field data is encrypted using the cryptographic (crypto) module's DEKs.
This architecture ensures that the ServiceNow instance can never decrypt the data on its own: every decryption depends on access to the external key.
Key Status Synchronization
A background job runs every 30 minutes to synchronize the AWS key status with your instance. This default frequency is configurable if you need a different synchronization interval. The synchronization ensures that key state changes in AWS (enabled, disabled, pending deletion, deleted) are reflected in your instance.
Automatic Key Rewrapping After AWS Key Rotation
When you rotate your AWS KMS key, EKMS automatically detects the rotation and rewraps your External Key Encryption Key (EKEK). The EKEK itself isn't rotated, but it's rewrapped with the new rotated AWS key. This automatic process maintains the security of your encryption chain without requiring manual intervention or causing service interruption.
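The wrapping chain described under How EKMS Works and the rewrap step above, modelled in Go as an added example (not ServiceNow or AWS code): the KMS and Instance types, NewKMS, NewInstance, Rewrap, and the use of AES-GCM for wrapping are assumptions of this model, and all key material is constructed at run time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed primitives: AES-256 keys and AES-GCM wrapping with the 12-byte nonce prepended.
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func wrap(key, data []byte) []byte { n := newKey()[:12]; return gcm(key).Seal(n, n, data, nil) }
func unwrap(key, blob []byte) ([]byte, error) { // a wrong key or an edited blob fails the tag check
	if len(blob) < 12 { return nil, errors.New("wrapped blob too short") }
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// KMS stands in for AWS KMS: key material never leaves it; Rotate keeps the old backing key usable, as AWS does.
type KMS struct{ cur, prev []byte; Enabled bool }
func NewKMS() *KMS                    { return &KMS{cur: newKey(), Enabled: true} }
func (k *KMS) Rotate()                { k.prev, k.cur = k.cur, newKey() }
func (k *KMS) Wrap(kek []byte) []byte { return wrap(k.cur, kek) }
func (k *KMS) Unwrap(blob []byte) ([]byte, error) {
	if !k.Enabled { return nil, errors.New("KMS key disabled") }
	if kek, err := unwrap(k.cur, blob); err == nil || k.prev == nil { return kek, err }
	return unwrap(k.prev, blob) // the blob was wrapped before the last rotation
}
// Instance persists only the KMS-wrapped KEK (External Instance Keys row) and the KEK-wrapped DEK of a crypto module.
type Instance struct{ kms *KMS; wrappedKEK, wrappedDEK []byte }
func NewInstance(kms *KMS) *Instance { kek := newKey(); return &Instance{kms, kms.Wrap(kek), wrap(kek, newKey())} }
// withDEK walks the chain per use (KMS unwraps KEK, KEK unwraps DEK), so no clear key rests in the instance.
func (i *Instance) withDEK(f func(dek []byte) ([]byte, error)) ([]byte, error) {
	kek, err := i.kms.Unwrap(i.wrappedKEK)
	if err != nil { return nil, err }
	dek, err := unwrap(kek, i.wrappedDEK)
	if err != nil { return nil, err }
	return f(dek)
}
func (i *Instance) Encrypt(field []byte) ([]byte, error) { return i.withDEK(func(d []byte) ([]byte, error) { return wrap(d, field), nil }) }
func (i *Instance) Decrypt(ct []byte) ([]byte, error)    { return i.withDEK(func(d []byte) ([]byte, error) { return unwrap(d, ct) }) }

// Rewrap is the EKMS step after an AWS rotation: same KEK, fresh wrapping under the new KMS key; DEKs untouched.
func (i *Instance) Rewrap() error {
	kek, err := i.kms.Unwrap(i.wrappedKEK)
	if err != nil { return err }
	i.wrappedKEK = i.kms.Wrap(kek)
	return nil
}
func main() { kms := NewKMS(); inst := NewInstance(kms); ct, _ := inst.Encrypt([]byte("field")); kms.Rotate(); _ = inst.Rewrap(); pt, err := inst.Decrypt(ct); println(string(pt), err == nil) }
```

Disabling the stand-in key (Enabled = false) makes both Encrypt and Decrypt fail, which is the "cryptographically inaccessible" state the page describes; an instance that never rewraps loses its KEK once the KMS retires the backing key it was wrapped under.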
Integration with Field Encryption Enterprise
EKMS integrates with Field Encryption Enterprise functionality through cryptographic modules. The crypto module is where you configure and manage the connection to your external KMS, linking your AWS KMS key to ServiceNow encryption operations. When you create an Encrypted Field Configuration (EFC), you specify which table and column should be encrypted, and which cryptographic module with external key wrapping should protect that data.
Access Control
Module Access Policies (MAPs) determine which user roles can view encrypted data in clear text. Users without the proper role assignments will not be able to decrypt and view the protected information, even if they have access to the table.
Get started
Activation information
To activate Platform Encryption External Key Management Service, you must first purchase a subscription to the service and its dependencies: Field Encryption Enterprise and Key Management Framework Scoped App.
The ServiceNow Platform Encryption subscription bundle is a group commercial entitlement that includes Key Management Framework, Field Encryption Enterprise, Cloud Encryption, and Database Encryption.
Field Encryption Enterprise is the unlimited license of Field Encryption. The Field Encryption Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.