External Key Management Service and instance automation

  • Release version: Australia
  • Updated April 23, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of External Key Management Service and instance automation

    This document outlines the requirements and limitations for performing instance automation operations—such as cloning, backup and restore, copying, moving, and toggling—when External Key Management Service (EKMS) is enabled on your ServiceNow instance. It emphasizes the need for compatible EKMS configurations between source and target instances to ensure successful automation and highlights the critical role of the preflight compatibility check.

    Show full answer Show less

    Instance Automation Compatibility

    Instance automation operations depend on the compatibility of EKMS configurations between the source and target instances. Key points include:

    • Operations between instances without EKMS or with compatible EKMS configurations are supported.
    • Operations involving incompatible configurations, mismatched key wrapping strategies, or inactive key statuses are blocked.
    • Preflight checks validate compatibility and block operations if configurations are incompatible, requiring manual resolution as detailed in KB2540187.

    Key Status Requirements

    The AWS KMS key status must be ACTIVE to perform instance automation successfully. If the key status is disabled, pending deletion, unavailable, or deleted, operations will fail. To proceed:

    • Verify and ensure the key status is ACTIVE before starting automation.
    • Resolve issues by re-enabling keys, canceling deletion schedules, restoring EKMS connectivity, or contacting ServiceNow Support if the key is deleted.
    • Wait for the EKMS Health Check job to confirm ACTIVE status after resolution, then rerun the preflight check.

    Legacy Key Management Support

    By default, automation between instances using legacy and current key management architectures is unsupported. However, you can enable legacy support by setting the system property glide.ekms.ia.nonbagheerasupport to true in System Properties. This enables automation in scenarios where:

    • The source uses legacy and the target uses current key management.
    • Both source and target use legacy key management.
    • The source uses current and the target uses legacy key management.

    Even with this enabled, incompatible configurations detected by the preflight check require manual resolution following KB2540187.

    Understand requirements and limitations for instance automation operations when External Key Management Service is enabled.

    When External Key Management Service (EKMS) is enabled on your instance, you must plan for instance automation operations such as cloning, backup and restore, copying, moving, and toggling between instances. These operations require compatible EKMS configurations between source and target instances to succeed.

    You can't clone or restore externally encrypted data unless the target instance can access the same external encryption key. The preflight check validates EKMS compatibility before instance automation operations begin. If configurations are incompatible, the operation is blocked and you must follow the manual resolution steps in KB2540187.

    Instance automation compatibility

    The following table shows which instance automation operations are supported based on your source and target instance configurations.
    Table 1. Instance Automation Compatibility Table
    Source instance Target instance Result
    No EKMS No EKMS Supported
    EKMS in use Supports EKMS Supported
    EKMS in use Older release without EKMS support Supported
    Older release without EKMS support Supports EKMS but not configured Supported
    Supports EKMS Older release without EKMS support Supported
    EKMS configured EKMS with matching configuration and key wrapping strategy Supported
    EKMS configured EKMS with compatible configuration Supported
    EKMS configured with key status not ACTIVE Any Blocked- see Key status requirements below
    EKMS configured EKMS with different configuration Blocked- see KB2540187
    Internal key wrapping External key wrapping Blocked- see KB2540187
    EKMS configured EKMS with different configuration or wrapping strategy Blocked- see KB2540187
    EKMS present but not configured EKMS in use Blocked- see KB2540187
    Older release without EKMS support EKMS configured Blocked- see KB2540187
    Supports EKMS but not configured EKMS configured Blocked- see KB2540187

    Activate EKMS on source first.
    EKMS configured EKMS with incompatible configuration Blocked- see KB2540187

    Key status requirements

    Instance automation operations require that your AWS KMS key status isACTIVE. If the external key status isn'tACTIVE, cryptographic operations may fail during or after the instance automation operation.

    Before performing instance automation with EKMS:
    • Verify the key status in your EKMS Configuration shows as ACTIVE.
    • Don't proceed with instance automation while the key status is disabled, pending deletion, unavailable, or deleted.
    • If the key status isn't ACTIVE, resolve the issue before attempting instance automation.
    Key status issues and resolutions:
    • Disabled: Re-enable the key in AWS KMS.
    • Pending deletion: Cancel the deletion schedule in AWS, then re-enable the key if needed.
    • Unavailable: Restore EKMS connectivity by verifying credentials, region access, and endpoint availability.
    • Deleted: Contact ServiceNow Support for recovery strategy and reconfiguration planning. This is a critical and irreversible situation.

    After resolving key status issues, wait for the EKMS Health Check job to update the instance status to ACTIVE, then re-run the preflight check before proceeding.

    Legacy key management support

    By default, instance automation between instances using different key management architectures (legacy and current) isn't supported. You can enable support for legacy key management scenarios by setting the system property glide.ekms.ia.non_bagheera_support to true.

    To enable legacy key management support:
    1. Navigate to System Properties > All Properties.
    2. Search for glide.ekms.ia.non_bagheera_support.
    3. Set the value to True.
    4. Select Save.

    You must have the admin role to modify system properties.

    This property enables instance automation in the following scenarios:
    • The source instance uses legacy key management and the target instance uses current key management architecture.
    • Both the source and target instances use legacy key management.
    • The source instance uses current key management architecture and the target instance uses legacy key management.

    Even with this property enabled, if the preflight check detects incompatible configurations, you must follow the manual resolution steps in KB2540187.