Password (2 Way Encrypted) design considerations

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password (2 Way Encrypted) Design Considerations

    This document outlines the design considerations for storing and managing password data that can be decrypted within ServiceNow. It provides essential guidelines and options available to users when configuring Password (2 Way Encrypted) data in Workflow Studio.

    Show full answer Show less

    Key Features

    • Basic Options:
      • Label: Used to identify the data variable in the Workflow Studio interface.
      • Name: Identifies the data variable in script calls, allowing only alphanumeric and underscore characters.
      • Type: Specifies the data type stored by the variable.
      • Mandatory: Indicates if the variable must contain a value when configured.
    • Advanced Options:
      • Hint: Provides guidance for configuring the data.
      • Default Value: Specifies a value when none is provided by the designer.
    • Data Assignment: Values must be assigned using existing Password (2 Way Encrypted) data pills, as manual entry is not allowed.
    • Field Compatibility: Password2 data pills can only be used in specific field types, such as email body fields, HTML fields, and REST payload body, among others.

    Key Outcomes

    By following these design considerations, ServiceNow customers can ensure secure handling of password data within their workflows. Users must have proper access to encryption modules for decryption, and any invalid data pill types will trigger warnings to maintain flow integrity. This approach enhances security while facilitating the use of encrypted passwords in automated processes.

    Store encrypted password data that can be decrypted.

    Basic options

    Option Description
    Label Displays the label used to identify the data variable in the Workflow Studio interface. The label can consist of any text.
    Name Displays the name used to identify the data variable in script calls. The name can only consist of alphanumeric and underscore characters. The system automatically converts the label into a valid name by removing or replacing any special characters.
    Type Indicates the type of data stored by the data variable.
    Mandatory Indicates whether the data variable must contain a value when configured in an action.

    Advanced options

    Option Description
    Hint Provides guidance to flow or action designers on how to configure the data.
    Default value Specifies the value used when a flow or action designer does not provide a value.

    General guidelines

    Follow these general guidelines when designing flows containing Password (2 Way Encrypted) data.
    Assign values using existing Password (2 Way Encrypted) data pills.
    You can only assign a value to a password2 variable by selecting an existing password2 data pill. Selecting values from other field types is not supported. Workflow Studio presents a warning message when invalid data pill types are selected.

    The warning message displayed when dragging a non-password2 data pill onto a password2 field.

    Note:
    You cannot manually enter Password (2 Way Encrypted) values.
    Use Password (2 Way Encrypted) variables only for valid field types
    Workflow Studio prevents selecting Password2 data pills as the value for invalid field types. The system presents a warning message when the field is an incompatible type.

    The warning shown when dragging a password2 field to a disallowed field.

    Workflow Studio only allows Password2 data pills to be dragged into the following field types.
    • Email body fields
    • HTML fields
    • Password 2 Fields
    • PowerShell Input Variables
    • REST fields
      • Variables
      • REST payload body
      • Query parameters
      • Headers
      • REST multi-part form values
      • Form URL-encoded values
    • SOAP fields
      • Headers
      • Envelope
    Note:
    you cannot use Password (2 Way Encrypted) variables as conditions

    Flow Designer performs a validation check when a user saves, publishes, or tests actions and flows. This check shows that an alert for any data pills dropped in restricted field types and prevents the action or flow from executing. Update the action or flow to remove the invalid data pill and then retry the action.

    Set up encryption modules for decryption
    Only users with a valid encryption module access can decrypt and view the contents of password2 variables. To specify the encryption algorithm and which roles can access encrypted data, see Password2 encryption with KMF .