External Key Management Service and instance automation
Understand requirements and limitations for instance automation operations when External Key Management Service is enabled.
When External Key Management Service (EKMS) is enabled on your instance, you must plan for instance automation operations such as cloning, backup and restore, copying, moving, and toggling between instances. These operations require compatible EKMS configurations between source and target instances to succeed.
You can't clone or restore externally encrypted data unless the target instance can access the same external encryption key. The preflight check validates EKMS compatibility before instance automation operations begin. If configurations are incompatible, the operation is blocked and you must follow the manual resolution steps in KB2540187.
Instance automation compatibility
| Source instance | Target instance | Result |
|---|---|---|
| No EKMS | No EKMS | Supported |
| EKMS in use | Supports EKMS | Supported |
| EKMS in use | Older release without EKMS support | Supported |
| Older release without EKMS support | Supports EKMS but not configured | Supported |
| Supports EKMS | Older release without EKMS support | Supported |
| EKMS configured | EKMS with matching configuration and key wrapping strategy | Supported |
| EKMS configured | EKMS with compatible configuration | Supported |
| EKMS configured with key status not ACTIVE | Any | Blocked- see Key status requirements below |
| EKMS configured | EKMS with different configuration | Blocked- see KB2540187 |
| Internal key wrapping | External key wrapping | Blocked- see KB2540187 |
| EKMS configured | EKMS with different configuration or wrapping strategy | Blocked- see KB2540187 |
| EKMS present but not configured | EKMS in use | Blocked- see KB2540187 |
| Older release without EKMS support | EKMS configured | Blocked- see KB2540187 |
| Supports EKMS but not configured | EKMS configured | Blocked- see KB2540187 Activate EKMS on source first. |
| EKMS configured | EKMS with incompatible configuration | Blocked- see KB2540187 |
Key status requirements
Instance automation operations require that your AWS KMS key status isACTIVE. If the external key status isn'tACTIVE, cryptographic operations may fail during or after the instance automation operation.
- Verify the key status in your EKMS Configuration shows as ACTIVE.
- Don't proceed with instance automation while the key status is disabled, pending deletion, unavailable, or deleted.
- If the key status isn't ACTIVE, resolve the issue before attempting instance automation.
- Disabled: Re-enable the key in AWS KMS.
- Pending deletion: Cancel the deletion schedule in AWS, then re-enable the key if needed.
- Unavailable: Restore EKMS connectivity by verifying credentials, region access, and endpoint availability.
- Deleted: Contact ServiceNow Support for recovery strategy and reconfiguration planning. This is a critical and irreversible situation.
After resolving key status issues, wait for the EKMS Health Check job to update the instance status to ACTIVE, then re-run the preflight check before proceeding.
Legacy key management support
By default, instance automation between instances using different key management architectures (legacy and current) isn't supported. You can enable support for legacy key management scenarios by setting the system property glide.ekms.ia.non_bagheera_support to true.
- Navigate to .
- Search for glide.ekms.ia.non_bagheera_support.
- Set the value to True.
- Select Save.
You must have the admin role to modify system properties.
- The source instance uses legacy key management and the target instance uses current key management architecture.
- Both the source and target instances use legacy key management.
- The source instance uses current key management architecture and the target instance uses legacy key management.
Even with this property enabled, if the preflight check detects incompatible configurations, you must follow the manual resolution steps in KB2540187.