Password2 encryption with the Key Management Framework (KMF)
Summarize
Summary of Password2 Encryption with the Key Management Framework (KMF)
The Password2 field type in ServiceNow enables secure two-way encryption and decryption of custom fields, ensuring key protection, life-cycle management, and compliance with NIST 800-57 guidelines. It operates under FIPS 140-2-L3 protection standards and is active by default in new instances and upgrades.
Show less
Key Features
- Encryption Method: Utilizes Advanced Encryption Standard (AES) for two-way encryption, allowing secure storage and retrieval of passwords.
- Key Management: The Key Management Framework (KMF) provides a parent cryptographic module (cmglideencrypter) with submodules specific to application scopes, each using unique AES 256 GCM keys.
- Script Access: Password2 fields can be manipulated in scripts using
setDisplayValue()for encryption andgetDecryptedValue()for decryption. Note: Avoid usingsetValue()with Password2 fields. - Migration Support: A migration job is available for upgrading legacy Password2 encryption to the new KMF system, ensuring compatibility and security for existing data.
Key Outcomes
By implementing Password2 encryption, ServiceNow customers can secure sensitive data effectively while adhering to compliance standards. Customers can expect improved data protection through dedicated application scope submodules and streamlined management of encryption keys, enhancing overall security posture. The migration job ensures that legacy data is transitioned securely to the latest encryption standards.
Supported by the Key Management Framework, use the Password2 (2-way encrypted) field type to encrypt and decrypt custom fields with segregation of duties, key protection, and life-cycle management. It works in accordance with NIST 800-57 guidelines and provides FIPS 140-2-L3 protection.
Password2 is a text field that stores passwords with two-way encryption. The two-way encryption stores passwords as a secure encrypted value that can be decrypted within the instance.
Activation
Password2 functionality is active by default. It’s controlled by the glide.kmf.encrypter.enabled property, which is set to true for all new instances and upgrades. You don’t need to enable Field Encryption Enterprise to use Password2.
How Password2 works
The Key Management Framework provides a base system parent cryptographic module cm_glide_encrypter. This module provides a cryptographic specification and a key that can decrypt legacy Password2 fields.
This cm_glide_encrypter module can have submodules, each with their own module key and specification. If a submodule is present with the same application scope as the application where the Password2 field is, the system uses the submodule. For example, if a table in the ServiceNow® Customer Service application has a submodule, and you write information to a Password2 field on a table in the Customer Service application scope, the cryptographic process calls the Customer Service submodule. The process also uses that submodule's key for encryption and decryption with a unique AES 256 GCM encryption key. One submodule per application scope is allowed. Parent module isn’t always used for global scope. Generally, new fields use instance_level_glide_encrypter.
Domain separation and on-premise customers
KMF Password2 doesn’t support domain separation. You can use Password2 with on-premise instances.
Legacy Password2 and the current Password2
In Australia, the existing Password2 field has been upgraded.
- Uses the Key Management Framework in accordance with NIST 800-57 key wrapping guidelines and provides FIPS 140-2-L3 protection for the entire key hierarchy.
- Includes capabilities to create dedicated and unique KMF Password2 submodules for specific applications, providing control through application scope. Each submodule has its own unique AES 256 GCM encryption key.
Password2 fields in scripts
When accessing Password2 fields with a script, run the script under the same
scope as the table scope. Use setDisplayValue() to encrypt Password2 values and getDecryptedValue() to decrypt and read
the value.
GlideEncrypter() API on Password2 fields.
var gr = new GlideRecord(‘table_xyz’);
gr.pwd2column_name.setDisplayValue('my@Password');
gr.insert();
setValue() API for the Password2 field.This example script shows you how to decrypt the same field to retrieve the value:
var gr = new GlideRecord(‘table_xyz’);
gr.query();
gr.next();
var ge=gr.getElement('pwd2column_name');
var ged1 = ge.getDecryptedValue();
getDecryptedValue() API isn’t scoped. It’s available globally.- When you encrypt data in a Password2 field, the system determines the scope of the application where the Password2 field resides.
- The system then looks for a submodule of the cm_glide_encrypter parent module with the same scope as the application if the property is set to true.Note:If a submodule with the same scope is present, it uses the submodule specification and key to perform the encryption.
This illustration explains how your instance decrypts data in Password2 fields:
KMF Password2 migration job
A migration job is provided for customers upgrading from previous releases. It takes data encrypted with a legacy Password2 encryption and re-encrypts it with the key in a KMF Password2 submodule key. The re-encryption only applies to tables with Password2 fields in application scopes that also have submodules created for that scope. For example, a legacy Password2 field in XYZ_example application (with XYZ_example application scope) is re-encrypted only if a submodule for the XYZ_example application scope exists under the cm_glide_encrypter parent module.
The KMF Password2 encryption keys in the submodule are protected (envelope encrypted) in the KMF key hierarchy.