
01-15-2024 11:53 AM - edited 07-27-2024 11:19 AM
Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field
Hi there,
Recently I noticed a few LinkedIn posts on the "GlideEncrypter" API in ServiceNow, posts which got a ton of likes. I also still see this API in use at every recent customer I've been at. Though you know what? The use of the GlideEncrypter API won't be possible anymore in the near future. The GlideEncrypter API won't just be deprecated; it will no longer be permitted beginning with the Xanadu release!
It's time to give the GlideEncrypter API a bit more attention.
Deprecated API: GlideEncrypter
KB1320986 describes very well the reason behind deprecating the GlideEncrypter API, the alternatives, and how you might find usage of the GlideEncrypter API within your instance. I won't copy/paste all of its contents and pretend it's mine 😀 though here is a small part of the KB article with the reason for deprecating the GlideEncrypter API:
"The GlideEncrypter API uses the three-key Triple DES encryption standard which NIST 800-131A Rev 2 has recommended against using to encrypt data after 2023."
ServiceNow will address all out-of-the-box usage of the GlideEncrypter API in the Washington release (Q1 2024). Addressing all custom usage of the GlideEncrypter API is up to customers themselves.
Want to know more about the GlideEncrypter API being deprecated? Just open the KB article and have fun reading 😀.
Use of GlideEncrypter on your instance
The same KB article also mentions a method for finding the use of the GlideEncrypter API on your instance: an out-of-the-box Instance Scan check. Be aware though (and this is why I am writing this article) that the out-of-the-box Instance Scan check will not find all use of the GlideEncrypter API on your instance. It only finds use of the GlideEncrypter API in genuine Script type fields. When the GlideEncrypter API is used in scripting in Flows/Workflows/Virtual Agent/etcetera, this usage will not be found, since this form of scripting is not stored in a genuine Script type field!
The out-of-the-box check:
Deprecated API: GlideEncrypter
Use of GlideEncrypter on your instance in Flows/Workflows/Virtual Agent/etcetera
It sounds odd, though not all scripting in ServiceNow is stored in Script type fields, even when it looks like a Script type field. For example, scripting used in a Script step in a Flow Designer action, or scripting used in a Run Script in a Workflow, is not stored in a Script type field. Both examples are stored in the "value" field of a "sys_variable_value" record, which is of type "String". There are more exceptions, for example Virtual Agent topics. The scripting for Virtual Agent topics is stored in the "graph" field of a "sys_cb_topic" record, which is of type "String (Full UTF-8)".
(While writing this article I also noticed that scripting in ATF is also stored in the sys_variable_value table, most likely there are more exceptions)
To help you find the use of GlideEncrypter on your instance in the sys_variable_value table, here's an example Instance Scan check you can use:
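Note: This check might give some false positives, as it does not, for example, filter out inactive Flows/Workflows/etcetera.
(function (engine) {
    // Read the stored script as a plain string (empty when the field has no value)
    var value = String(engine.current.getValue('value') || '');

    // Remove code comments; '$1' keeps the character captured in front of "//",
    // so a "(" directly followed by a line comment is not stripped with it
    var commentsRegEx = /\/\*[\s\S]*?\*\/|([^:]|^)\/\/.*$/gm;
    var commentsRemovedValue = value.replace(commentsRegEx, '$1');

    // Match a constructor call to the deprecated API
    var search_regex = /new\s*GlideEncrypter\s*\(/;

    // Create scan finding
    if (search_regex.test(commentsRemovedValue)) {
        engine.finding.increment();
    }
})(engine);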
Closing
As mentioned, there are more exceptions (like Virtual Agent and ATF) that you need to dive into regarding the usage of the GlideEncrypter API. Don't just rely on the out-of-the-box Instance Scan check that ServiceNow mentioned in KB1320986.
---
That's it. Hope you like it. If any questions or remarks, let me know!
If this content helped you, I would appreciate it if you hit bookmark or mark it as helpful.
Interested in more Articles, Blogs, Videos, Podcasts, Share projects I shared/participated in?
Kind regards,
Mark Roethof
Independent ServiceNow Consultant
4x ServiceNow Developer MVP
4x ServiceNow Community MVP
---
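The comment-stripping and match patterns from the check above, run outside ServiceNow over constructed script samples; this is an added example, not part of the original article. `classify`, `scanAll` and the sample names are hypothetical, and the example goes one step further than the check by separating calls found only inside comments from calls in live code.

```javascript
'use strict';

// Same patterns as the Instance Scan check in the article.
const COMMENTS = /\/\*[\s\S]*?\*\/|([^:]|^)\/\/.*$/gm;
const USAGE = /new\s*GlideEncrypter\s*\(/;

// 'live'         : the call survives comment stripping
// 'comment-only' : the call is present, but only in text the regex treats as a comment
// 'none'         : no call at all
function classify(script) {
  const text = String(script || '');
  // '$1' keeps the character captured in front of "//"
  const stripped = text.replace(COMMENTS, '$1');
  if (USAGE.test(stripped)) return 'live';
  if (USAGE.test(text)) return 'comment-only';
  return 'none';
}

// Constructed sample scripts (not taken from any instance).
const SAMPLES = {
  liveCall: 'var enc = new GlideEncrypter();\nvar pw = enc.decrypt(current.u_secret);',
  lineComment: '// var enc = new GlideEncrypter();\ngs.info("migrated");',
  blockComment: '/* old:\n new GlideEncrypter().encrypt(x);\n*/\nvar y = 1;',
  // "://" in a URL is not treated as a comment because of the [^:] guard
  urlThenCall: 'var u = "https://example.invalid/api";\nvar e = new GlideEncrypter();',
  // "(" directly followed by a line comment: the "(" must be kept
  commentAfterParen: 'var e = new GlideEncrypter(// default key\n);',
  // Limitation: "//" inside a string literal is taken for a comment start,
  // so the live call later on the same line is stripped (no scan finding)
  slashesInString: 'var sep = "//"; var e = new GlideEncrypter();',
  unrelated: 'gs.info("nothing to see");'
};

function scanAll(samples) {
  const out = {};
  for (const [name, src] of Object.entries(samples)) {
    out[name] = classify(src);
  }
  return out;
}

console.log(scanAll(SAMPLES));
```

Because of the `slashesInString` case, a 'comment-only' result is a candidate for manual review rather than proof that the script is clean.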
Update! ServiceNow shifted removing the GlideEncrypter API to two releases later: Zurich, September 2025.

Is there a way to configure the Scan so it won't show findings for workflow's activities belonging to inactive (not published) workflow versions?
Do I have to go to each finding source to check which workflow (and version) this call belongs to?
So what will be the alternative for the GlideEncrypter API for encrypt and decrypt?
Mark, this is a great article. Can I check though if it still holds? It seems that in newer updates of Security Center the "value" field of the sys_variable_value table is detected, via the 'Deprecated API: Encrypter usages in Variables table' check. This now appears in 'Security Center Installed Version 1.3.4 on a Washington PDI'.