Using External Key Management Service

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 3 minutes
  • Manage and maintain your External Key Management Service configuration after initial setup

    What you can do

    External Key Management Service (EKMS) enables you to maintain direct control over the encryption keys that protect your data within the ServiceNow platform for Field Encryption. Rather than storing keys within the ServiceNow infrastructure, you generate, store, and manage them in a dedicated key management system. This approach lets you adopt cloud-based enterprise services while keeping control over your sensitive data.

    EKMS operates by encrypting your sensitive data with keys that reside exclusively in your environment. You retain authority over key lifecycle operations, including generation, rotation, and revocation, so you can respond immediately to security events. Because the keys are yours to remove, revoking them renders the data they protect cryptographically inaccessible.

    After configuring EKMS, you need to manage AWS Key Management Service (KMS) key status, monitor synchronization, and maintain access policies. These operational tasks keep your encrypted data secure and accessible to authorized users.

    Common tasks

    Use EKMS to perform the following operational tasks:

    • Enable and disable AWS KMS keys based on security requirements.
    • Monitor key status synchronization between AWS and ServiceNow.
    • Schedule keys for deletion when retiring encryption configurations.
    • Cancel scheduled deletions if keys need to remain active.
    • Verify the background synchronization job runs successfully.
    • Review access policies as organizational roles change.
    • Test encryption functionality after key status changes.
    • Coordinate key changes with application teams and administrators.

    See the related links for more information about these common EKMS tasks.

    Key status impact

    AWS KMS key status directly affects encryption and decryption operations in ServiceNow. When you change a key's status in AWS, EKMS synchronizes the change automatically every 30 minutes, or you can trigger immediate synchronization. Understanding how status changes impact your data access is critical for maintaining operations.
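The synchronization and key-status monitoring described above, as an added example that is not part of the ServiceNow documentation: a Python check that compares AWS KMS key records (in the KeyMetadata shape returned by describe-key) against a platform-side status cache and flags stale synchronization beyond the 30-minute interval, status drift, and key states that block encrypt and decrypt operations. The cache record shape, the key IDs, and the timestamps are constructed assumptions, not values from the page or the product.

```python
from datetime import datetime, timedelta, timezone

USABLE_STATES = {"Enabled"}            # only Enabled keys serve Encrypt/Decrypt
SYNC_INTERVAL = timedelta(minutes=30)  # EKMS background sync period from the page


def check_key_sync(aws_keys, platform_cache, now, grace=timedelta(minutes=5)):
    """Return (key_id, severity, message) findings for sync and status problems.

    aws_keys: dicts shaped like the KeyMetadata block of describe-key.
    platform_cache: KeyId -> {"state": str, "last_synced": datetime}
        (hypothetical shape; the platform's real record is not documented here).
    """
    findings = []
    unseen = set(platform_cache)  # cached keys we never find in AWS
    for key in aws_keys:
        key_id, state = key["KeyId"], key["KeyState"]
        cached = platform_cache.get(key_id)
        if cached is None:
            findings.append((key_id, "high", "key exists in AWS but has never synchronized"))
            continue
        unseen.discard(key_id)
        age = now - cached["last_synced"]
        if age > SYNC_INTERVAL + grace:  # sync job has missed at least one run
            findings.append((key_id, "high", f"cached status is {age} old; sync job may have failed"))
        if cached["state"] != state:   # platform still acts on an outdated state
            findings.append((key_id, "medium", f"status drift: AWS={state}, cached={cached['state']}"))
        if state not in USABLE_STATES:  # field decryption fails until re-enabled
            msg = f"AWS state {state} blocks encrypt/decrypt"
            if state == "PendingDeletion" and "DeletionDate" in key:
                msg += f"; deletion on {key['DeletionDate'].date()} makes this permanent"
            findings.append((key_id, "critical", msg))
    for key_id in sorted(unseen):
        findings.append((key_id, "high", "cached key no longer exists in AWS"))
    return findings


NOW = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_AWS_KEYS = [  # constructed describe-key KeyMetadata records
    {"KeyId": "k-enabled", "KeyState": "Enabled"},
    {"KeyId": "k-disabled", "KeyState": "Disabled"},
    {"KeyId": "k-pending", "KeyState": "PendingDeletion", "DeletionDate": NOW + timedelta(days=7)},
]
SAMPLE_CACHE = {  # constructed platform-side cache; k-disabled is stale and wrong
    "k-enabled": {"state": "Enabled", "last_synced": NOW - timedelta(minutes=10)},
    "k-disabled": {"state": "Enabled", "last_synced": NOW - timedelta(minutes=50)},
    "k-pending": {"state": "PendingDeletion", "last_synced": NOW - timedelta(minutes=10)},
    "k-gone": {"state": "Enabled", "last_synced": NOW - timedelta(minutes=10)},
}


def run_sample():
    return check_key_sync(SAMPLE_AWS_KEYS, SAMPLE_CACHE, NOW)
```

Run against live data by feeding the KeyMetadata from each describe-key call and the platform's own key records; an empty result means every key is synchronized and usable.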