Configure an external key definition

  • Release version: Australia
  • Updated March 12, 2026
  • Configure your external encryption key to use in External Key Management Service (EKMS).

    Before you begin

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Note:
    To configure EKMS, verify that you have an enabled key with your external key management provider, and the configured user has the necessary permissions to use the key.
    The user must have permissions to run the following AWS KMS API operations:
    • kms:DescribeKey
    • kms:Encrypt
    • kms:Decrypt

    Procedure

    1. Navigate to All > System Security > Field Encryption > EKMS Configurations > New.
    2. On the form, fill in the fields.
      • Application: Automatically populated with Global.
      • Cloud KMS Provider: Automatically populated with AWS.
      • EKMS Integration Name: Choose a name for the key definition. This name is referenced when running scripts.
      • Key Region: Enter the key region associated with your external key. Example: us-east-2.
      • External Key Identifier: Enter the Amazon Resource Name (AWS ARN) for your external key.
      • Primary Region URL: Enter the unique Primary Regional URL that begins with KMS. Example: https://kms.[key region].amazonaws.com.
      • KMS Credentials Access Key: Enter the key management service (KMS) access key for your credentialed AWS user.
      • KMS Credentials Secret Key: Enter the secret key for your credentialed AWS user.
    3. Select Submit.
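A pre-flight consistency check for the Key Region, External Key Identifier, Primary Region URL and the AWS user's IAM policy, as an added example that is not ServiceNow code. The function name `preflight` and the sample ARN and policy are constructed for illustration; the check reads only the Allow statements of an identity policy and does not evaluate Deny statements, conditions or the key policy.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

REQUIRED = {"kms:describekey", "kms:encrypt", "kms:decrypt"}  # IAM actions are case-insensitive
# arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):\d{12}:key/[\w-]+$")

def _listify(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def preflight(key_region, key_arn, primary_url, policy):
    """Return findings for the EKMS form values; an empty list means consistent."""
    findings = []
    m = KEY_ARN.match(key_arn)
    if not m:
        findings.append("External Key Identifier is not a KMS key ARN")
    elif m.group(1) != key_region:
        findings.append(f"ARN region {m.group(1)} does not match Key Region {key_region}")
    url = urlparse(primary_url)
    if url.scheme != "https" or url.hostname != f"kms.{key_region}.amazonaws.com":
        findings.append("Primary Region URL is not https://kms.<key region>.amazonaws.com")
    granted = set()
    for stmt in _listify(policy.get("Statement")):
        resources = _listify(stmt.get("Resource"))
        # Only Allow statements that cover this key are relevant (Deny/Condition are not evaluated).
        if stmt.get("Effect") != "Allow" or not any(fnmatchcase(key_arn, r) for r in resources):
            continue
        if any(r != key_arn for r in resources):
            findings.append("Resource is broader than the single key ARN")
        for action in (a.lower() for a in _listify(stmt.get("Action"))):
            matched = {req for req in REQUIRED if fnmatchcase(req, action)}
            granted |= matched
            if action not in REQUIRED and (matched or action.startswith("kms:")):
                findings.append(f"Action {action} grants more than EKMS needs")
    findings += [f"Missing permission {a}" for a in sorted(REQUIRED - granted)]
    return findings

# Constructed sample values (not from a real account).
ARN = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt"],
    "Resource": ARN}]}

if __name__ == "__main__":
    print(preflight("us-east-2", ARN, "https://kms.us-east-2.amazonaws.com", POLICY) or "OK")
```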

    Result

    The external key definition is configured. Verify that the key status displays as Active for the new configuration. To confirm if the key is usable, select Test EKMS Config. Wait for the key status to change to Active before using it.

    [Figure: External Key Management Service key definition with an active status]

    What to do next

    Next steps: