Deprecate GlideEncrypter usage of 3DES for password2 fields

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read

    Deprecating GlideEncrypter usage of the 3DES encryption standard on your instance ensures that your instance uses the more secure Advanced Encryption Standard (AES) exclusively for the encryption and decryption of your Password2 data.

    Beginning in Rome, password2 data is protected using the Key Management Framework, which uses the more modern Advanced Encryption Standard (AES) algorithm. However, some configurations and fallbacks in password2 logic can still use the 3DES algorithm for encryption and decryption.

    In the Vancouver release, administrators can choose to deprecate the 3DES algorithm entirely. After completing this change, your instance uses AES encryption exclusively for all encryption and decryption tasks relating to password2 data. This change provides better instance security than 3DES encryption, and is necessary to remain NIST compliant.

    Considerations before deprecation

    Transferring password2 data between instances

    When transferring password2 encrypted texts to other instances, you must ensure that KMF Key Exchange is enabled between source and target instances. This configuration ensures that the keys used to encrypt password2 texts are available on both instances to decrypt the password2 encrypted texts. Before deprecating 3DES, consider the following use cases that can impact password2 data between instances.

    • If you have applications on your instance that use password2 data, ensure that KMF Resource Exchange is installed on that instance. KMF Resource Exchange ensures that instance level keys used to encrypt the password2 data on the source instance are available on the target instances for decryption. For more information, see Key Management Framework Resource Exchange.
    • If you plan on exporting password2 data through XML or Data Sources, ensure that the target instance has KMF Key Exchange enabled. This configuration ensures that the instance level keys used to encrypt the password2 data on the source instance are available on the target instances for decryption. For details on this configuration, see Key Management Framework Key Exchange.
      Important:
      The examples above are more common scenarios, but if you’re using any other means of transferring password2 encrypted text between instances, you must configure KMF Resource Exchange to ensure the target instance can decrypt password2 data.

    Downgrading an instance after the 3DES deprecation

    The following applies only to instances that have password2 fields with input lengths greater than 125 characters and on which you have already deprecated 3DES encryption.

    To downgrade an instance to a release earlier than Vancouver via Instance Cloning, take the following steps before initiating the clone.

    1. Check if data preservation is configured to preserve password2 field data.
    2. If yes, then before requesting a clone, contact ServiceNow support to disable 3DES deprecation. In the Reason field, use “Clone downgrade pre-requisite for password2 support.”
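    The downgrade rule above hinges on whether any password2 field exceeds 125 characters. The following pre-check is an added example, not ServiceNow's own code: it assumes that a field's "input length" is the max_length attribute of its sys_dictionary entry, keeps the decision logic separate from the platform query so it can be tested offline, and runs against a constructed sample when GlideRecord is not available.

```javascript
// Added example (not ServiceNow's own code): list password2 fields that
// block a clone-downgrade once 3DES deprecation is enabled.
// Assumption: "input length" == sys_dictionary.max_length.
var PASSWORD2_3DES_LIMIT = 125; // threshold stated in the section above

// Pure decision logic, independent of the platform.
// fields: [{table, column, maxLength}], tdesDeprecated: boolean
function downgradeBlockers(fields, tdesDeprecated) {
  if (!tdesDeprecated) {
    return []; // the rule only applies after 3DES deprecation is enabled
  }
  return fields.filter(function (f) {
    return f.maxLength > PASSWORD2_3DES_LIMIT;
  });
}

// Collect password2 dictionary entries from a live instance. Only runs where
// GlideRecord exists (a ServiceNow background script); otherwise returns [].
function collectPassword2Fields() {
  if (typeof GlideRecord === 'undefined') {
    return [];
  }
  var out = [];
  var gr = new GlideRecord('sys_dictionary');
  gr.addQuery('internal_type', 'password2');
  gr.query();
  while (gr.next()) {
    out.push({
      table: gr.getValue('name'),
      column: gr.getValue('element'),
      maxLength: parseInt(gr.getValue('max_length'), 10) || 0
    });
  }
  return out;
}

// Constructed sample standing in for a dictionary query result.
var SAMPLE_FIELDS = [
  { table: 'u_integration', column: 'u_api_secret', maxLength: 255 },
  { table: 'sys_user', column: 'u_legacy_pwd', maxLength: 40 },
  { table: 'u_vault', column: 'u_long_token', maxLength: 1000 }
];

function log(msg) {
  if (typeof gs !== 'undefined') { gs.info(msg); } else { console.log(msg); }
}

var live = collectPassword2Fields();
downgradeBlockers(live.length ? live : SAMPLE_FIELDS, true).forEach(function (f) {
  log('Contact support before clone-downgrade: ' + f.table + '.' + f.column +
      ' (max_length ' + f.maxLength + ' > ' + PASSWORD2_3DES_LIMIT + ')');
});
```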

    Legacy password2 fields

    Your instance uses 3DES encryption to convert password2 data to legacy (pre-Rome) password2 data. After deprecating 3DES encryption, this option is no longer available. If you still need this feature, request partial deprecation (see details in the next section).

    How to deprecate 3DES

    After you’ve reviewed the preceding use cases, enable either partial or complete deprecation depending on your needs. For either option, you can access the form to control deprecation by navigating to All > System Security > Security Compliance > Password2 Triple DES Deprecation.

    Important:
    You must elevate to security admin to see the Security Compliance module and perform these steps. For details on that process, see Elevate to a privileged role.

    Password2 Triple DES Deprecation form

    The Password2 Triple DES Deprecation form contains information on the process for both complete and partial 3DES deprecation. Select the options for complete or partial deprecation and select Save.

    Complete deprecation

    Enabling complete deprecation removes the usage of 3DES for all the password2 fields in your instance. If all the prerequisites are met, then there are no configurations or scenarios where 3DES is used in password2 fields.

    To enable complete deprecation:
    • Select Do you want to opt-in for 3DES deprecation for password2 fields?
    • De-select Do you want to continue using 3DES in legacy password2 fields?

    Partial deprecation

    Enabling partial deprecation removes the usage of 3DES for all the password2 fields except legacy configured fields. Legacy configured password2 fields continue to use 3DES encryption. Select this option only when you must continue to use 3DES for legacy configured fields.

    To enable partial deprecation:
    • Select Do you want to opt-in for 3DES deprecation for password2 fields?
    • Select Do you want to continue using 3DES in legacy password2 fields?

    After GlideEncrypter deprecation

    After the deprecation process is complete, the following information applies to your instance.
    • password2 fields still support decryption (but not encryption) of 3DES encrypted data.
    • Existing 3DES encrypted data in password2 fields remain as is until the field value is updated by a user or workflow.
    • Any update to the value of a password2 field removes 3DES encrypted text and replaces it with the text encrypted by KMF using AES.
    • In some situations, your instance may display an error when saving password data:

      Action Aborted: Password value cannot be saved due to technical issue. Please see KB1296997 for help.

      If you see this error, refer to the support information in knowledge base article KB1296997.