External Key Management Service

  • Release version: Australia
  • Updated March 24, 2026
  • 3 minutes to read

    External Key Management Service (EKMS) enables you to integrate Field Encryption with your own external key management systems.

    External Key Management Service (EKMS) enables you to maintain direct control over the encryption keys that protect your data within the ServiceNow platform. Rather than storing keys within the ServiceNow infrastructure, you can generate, store, and manage them in a dedicated key management system. This approach lets you adopt cloud-based enterprise services while retaining control over your sensitive data.

    You retain authority over key lifecycle operations, including generation, rotation, and revocation, which lets you respond immediately to security events. Removing a key from your key management system renders the data it protects cryptographically inaccessible.

    Supported providers

    Currently, EKMS for Field Encryption supports AWS Key Management Service (AWS KMS). Future releases will include support for additional key management providers.

    Key limitations

    • Only one EKMS configuration can be created per instance.
    • Multi-region keys are not supported.
    • The AWS KMS key must be a symmetric key.

    How EKMS works

    EKMS uses a key wrapping chain to secure data. See the EKMS key wrapping diagram below for a visual representation. When EKMS is configured:

    1. A Key Encryption Key (KEK) is generated in your instance. For EKMS, this key is called an External Key Encryption Key (EKEK).
    2. The EKEK is wrapped by an internal Instance Root Key (IRK), which is unique to your instance and stored securely in a ServiceNow-managed Hardware Security Module (HSM).
    3. The IRK-wrapped EKEK is then wrapped again by your AWS KMS key, which you manage in AWS.
    4. The wrapped EKEK is stored in the External Instance Keys table.
    5. Data Encryption Keys (DEKs) for a cryptographic module are wrapped by the EKEK and stored in the module key table. The DEKs are what encrypt your field data.
    6. Field data is encrypted using the cryptographic module's DEKs.

    [Figure: External Key Management Service diagram]

    This architecture ensures that your instance cannot decrypt the data without access to the external AWS key: the DEK is reachable only by unwrapping the EKEK, and that unwrap requires AWS KMS.
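    To make the wrapping chain concrete, here is an added Go example (not ServiceNow or AWS code) that models the three layers locally with AES-256-GCM as the key-wrapping primitive. The KMSKey type and its Enabled flag are a constructed stand-in for the AWS KMS key and its enabled/disabled state, and the IRK is plain local key material rather than an HSM-held key; both are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
var ErrKeyUnavailable = errors.New("aws kms key is not enabled") // AWS refuses a disabled or pending-deletion key
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // fresh 256-bit key material
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// wrap seals material under kek with AES-256-GCM (random nonce prepended); unwrap fails under any other kek.
func wrap(kek, material []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(kek).Seal(nonce, nonce, material, nil)
}
func unwrap(kek, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm(kek).Open(nil, blob[:12], blob[12:], nil)
}
// KMSKey is a constructed stand-in for the AWS KMS symmetric key (not the AWS API); Enabled=false models disabled or pending deletion.
type KMSKey struct{ Material []byte; Enabled bool }
// Instance keeps the HSM-held IRK, KMS(IRK(EKEK)) (External Instance Keys table) and EKEK(DEK) (module key table).
type Instance struct{ irk, wrappedEKEK, wrappedDEK []byte }
// NewInstance builds the chain from the page: DEK under EKEK, EKEK under IRK, then under the AWS key.
func NewInstance(kms *KMSKey) *Instance {
	ekek, in := newKey(), &Instance{irk: newKey()}
	in.wrappedEKEK = wrap(kms.Material, wrap(in.irk, ekek))
	in.wrappedDEK = wrap(ekek, newKey())
	return in
}
// DEK unwraps outermost-first, so the field DEK is unreachable once the AWS key is revoked.
func (in *Instance) DEK(kms *KMSKey) ([]byte, error) {
	if !kms.Enabled {
		return nil, ErrKeyUnavailable
	}
	irkWrapped, err := unwrap(kms.Material, in.wrappedEKEK) // step 1: AWS KMS decrypt
	if err != nil {
		return nil, err
	}
	ekek, err := unwrap(in.irk, irkWrapped) // step 2: IRK inside the ServiceNow HSM
	if err != nil {
		return nil, err
	}
	return unwrap(ekek, in.wrappedDEK) // step 3: EKEK releases the module DEK
}
```

    Field values are then sealed with wrap(dek, value) and opened with unwrap(dek, blob); once the AWS key is disabled, DEK returns ErrKeyUnavailable and the stored ciphertext stays sealed even though the instance still holds the IRK and both wrapped keys.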

    Key status synchronization

    The EKMS Health Check background job runs every 30 minutes to synchronize the AWS key status with your instance. The synchronization ensures that key state changes in AWS (enabled, disabled, pending deletion, deleted) are reflected in the key's status in the EKMS configuration. Users with the security_admin role can change this frequency by modifying the com.glide.encryption.ekms.scheduler.health_check_interval system property. See Change synchronization frequency.

    Important:
    AWS-deleted keys require a minimum of seven days before showing the deleted status, as this is controlled by AWS retention policies.

    Integration with Field Encryption Enterprise

    EKMS integrates with Field Encryption Enterprise (FEE) through cryptographic modules. Cryptographic modules use your external AWS KMS key to wrap encryption keys, and Encrypted Field Configurations specify which data to encrypt.

    Access control

    Module Access Policies (MAPs) determine which user roles can view encrypted data in clear text. Users without the proper role assignments will not be able to decrypt and view the protected information, even if they have access to the table.

    Get started

    Configuring External Key Management Service

    Create and maintain Key Management components to customize and manage how cryptographic operations are performed on your ServiceNow instance.

    External Key Management Service actions

    Use EKMS to manage, revoke, or rotate keys so that sensitive data is secured with the most up-to-date encryption materials and lifecycle operations.

    Activation information

    To activate the External Key Management Service, you must first purchase a subscription to either Platform Encryption or ServiceNow Vault.

    The ServiceNow Platform Encryption subscription bundle is a group commercial entitlement that includes Field Encryption Enterprise and Cloud Encryption.

    Field Encryption Enterprise is the unlimited-license version of Field Encryption Starter. Field Encryption Enterprise is available with the activation of the com.glide.field.encryption.enterprise plugin. For details, see Encryption and Key Management subscription bundle.

    Once you’ve installed the Field Encryption Enterprise plugin, install the EKMS plugin called “Platform Encryption External Key Management”. The plugin id is com.glide.encryption.external_kms. See Activate External Key Management Service for more information.