GlideEncrypter API not permitted beginning with the Xanadu release

Mark Roethof
Tera Patron
Tera Patron

‎01-15-2024 11:53 AM - edited ‎07-27-2024 11:19 AM

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Hi there,


Recently I noticed a few LinkedIn posts on the "GlideEncrypter" API in ServiceNow, posts which got a ton of likes. Also I still see this API still in use at every recent customer I've been at. Though you know what? The use of GlideEncrypter API won't be possible anymore in the near future. The GlideEncrypter API won't be just deprecated, it will not be permitted anymore beginning with the Xanadu release!


It's time to give the GlideEncrypter API a bit more attention.

 

Deprecated API: GlideEncrypter

KB1320986 describes very well the reason behind deprecating GlideEncrypter API, alternatives, and how you might find usage of the GlideEncrypter API within your instance. I won't copy/paste all of its contents and pretend its mine 😀 though here is a small part of the KB article with the reason for deprecating the GlideEncrypter API: 

 

"The GlideEncrypter API uses the three-key Triple DES encryption standard which NIST 800-131A Rev 2 has recommended against using to encrypt data after 2023."


ServiceNow will address all out-of-the-box usage of the GlideEncrypter API in the Washington release (Q1 2024). All custom usage of the GlideEncrypter API is up to all customers themselves.

 

Want to know more about GlideEncrypter API being deprecated, just open the KB article and have fun reading 😀.

 

Use of GlideEncrypter on your instance

The same KB article does also mention a method for finding the use of the GlideEncrypter API on your instance. Finding this using an out-of-the-box Instance Scan check. Be aware though, and also why I am writing this article, the out-of-the-box Instance Scan check will not find all of the use of the GlideEncrypter API on your instance. The out-of-the-box Instance Scan check will only find the use of the GlideEncrypter API on your instance in genuine Script type fields. When the GlideEncrypter API is used in scripting in Flows/Workflows/Virtual Agent/etcetera, this usage will not be found since this form of scripting is not stored in a genuine Script type field!


The out-of-the-box check:
Deprecated API: GlideEncrypter


Use of GlideEncrypter on your instance in Flows/Workflows/Virtual Agent/etcetera

It sounds odd, though not all scripting in ServiceNow is stored in Script type fields, even though it looks like Script type fields. For example scripting used in a Script step in a Flow Designer action or scripting used in a Run Script in a Workflow, is not stored in a Script type field. Both examples are stored in the "value" field of a "sys_variable_value" record which is of type "String". There are more exceptions, for example Virtual Agent topics. The scripting for Virtual Agent topics is stored in the "graph" field of a "sys_cb_topic" record which is of type "String (Full UTF-8)".

(While writing this article I also noticed that scripting in ATF is also stored in the sys_variable_value table, most likely there are more exceptions)

 

To help you find the use of GlideEncrypter on your instance in the sys_variable_value table, here's an example Instance Scan check you can use:

 

GlideEncrypter.png

 

Note: This check might give some false positives, a this does for example does not filter out inactive Flows/Workflows/etcetera.  

 

(function (engine) {

    // Remove code comments
    var commentsRegEx = /\/\*[\s\S]*?\*\/|([^:]|^)\/\/.*$/gm;
    var commentsRemovedValue = engine.current.value.replace(commentsRegEx, '');

    var search_regex = /new\s*GlideEncrypter\s*\(/;

    // Create scan finding
    if(search_regex.test(commentsRemovedValue)) {
        engine.finding.increment();
    }

})(engine);

 

Closing

As mentioned, there are more exceptions (like Virtual Agent and ATF) that you need to dive into regarding the usage of the GlideEncrypter API. Don't just rely on the out-of-the-box Instance Scan check that ServiceNow mentioned in KB1320986.

---

 

That's it. Hope you like it. If any questions or remarks, let me know!

 

C

If this content helped you, I would appreciate it if you hit bookmark or mark it as helpful.

 

Interested in more Articles, Blogs, Videos, Podcasts, Share projects I shared/participated in?
- Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Kind regards,


Mark Roethof

Independent ServiceNow Consultant

4x ServiceNow Developer MVP

4x ServiceNow Community MVP

---

LinkedIn

  • 5,411 Views
Comments
Mark Roethof
Tera Patron
Tera Patron
‎07-14-2024 08:42 PM

Update! ServiceNow shifter removing the GlideEncrypter API to two releases later: Zurich, September 2025.

 

GlydeEncrypter.png

Rick Forristall
Tera Guru
‎08-18-2024 12:29 PM

Thanks @Mark Roethof 

 

Does Now offer an alternative for scope-app development?

 

Thanks,

Rick

0 Helpfuls
alonsotorres
Tera Contributor
‎09-29-2024 11:29 AM

 

Is there a way to configure the Scan so it won't show findings for workflow's activities belonging to inactive (not published) workflow versions?

 

Do I have to go to each finding source to check which workflow (and version) this call belongs to? 

0 Helpfuls
dineshch
Tera Explorer
‎11-06-2024 11:53 PM

So what will be alternative forGlideEncrypter API for encrypt and decrypt?

GetS
Tera Contributor
‎03-05-2025 05:13 PM

Mark this is a great article. Can I check though if it still holds? It seems that in newer updates of Security center that the "value" field of the sys_variable_value table are detected, via the 'Deprecated API: Encrypter usages in Variables table' check. This now appears in 'Security Center Installed Version 1.3.4 on a Washington PDI'.Screenshot 2025-03-06 at 2.06.59 PM.pngScreenshot 2025-03-06 at 2.12.30 PM.png

0 Helpfuls
Version history
Last update:
‎07-27-2024 11:19 AM
Updated by:
Tera Patron
Contributors