Encryption Key Management release notes
The ServiceNow® Encryption Key Management application protects your data by using encryption, tightly controlled key access, National Institute of Standards and Technology (NIST) 800-57-based key life-cycle management, and FIPS 140-2 Level 3 key protection. Encryption Key Management was enhanced and updated in the Washington DC release.
Encryption Key Management highlights for the release
- Support for PostgreSQL databases used as primary, secondary, read replica, gateway (shard), and Logical Corruption Protection (LCP) databases for cloud encryption. LCP databases are a variant of the read replica database.
- View when a signature is issued by using timestamped Key Management Framework (KMF) Signature [sn_kmf_record_signature] records.
- Remove GlideEncrypter by following the guidance in the improved user interface for 3DES deprecation. Within the critical update app in Security Center, you can find information about the full and partial deprecation of 3DES and view all impacted legacy password2 fields before deprecating 3DES.
See Encryption and Key Management for more information.
Important information for upgrading Encryption Key Management to Washington DC
If you upgrade your instance to Washington DC but don’t upgrade your MID Server, Secrets Management authentication fails. Avoid authentication failures by upgrading your MID Server to Washington DC. If you can’t upgrade, you must turn off authentication until the MID Server is upgraded to Washington DC.
For details on MID Server upgrades, see MID Server upgrades.
New in the release
- PostgreSQL database support
  - Support for PostgreSQL databases used as primary, secondary, read replica, gateway (shard), and Logical Corruption Protection (LCP) databases for cloud encryption. LCP databases are a variant of the read replica database.
- Trusted timestamps within the Code Signing framework
  - View when a signature is issued by using timestamped Key Management Framework (KMF) Signature [sn_kmf_record_signature] records.
- Reusable key for agent-to-agent credential sharing
  - Configure client-side asymmetric key pairs for API authentication. With the reusable key feature, each cryptographic module has exactly one active key at any point; that key is generated on the client side and wrapped with the module's public key.
- Simplified process for 3DES deprecation
  - Remove GlideEncrypter by following the guidance in the improved user interface for 3DES deprecation. Within the critical update app in Security Center, you can find information about the full and partial deprecation of 3DES and view all impacted legacy password2 fields before deprecating 3DES.
- Property-driven multi-layer caller inspection for Code Signing
  - Increase the number of caller layers validated during ECC queue notarization to improve security. Starting in Washington DC, the number of validated caller layers is driven by a system property.
- Switch between ServiceNow Root of Trust (ROT) and your own ROT
  - Switch between the ServiceNow Root of Trust (ROT) and your own ROT.
Changed in this release
- Web Service Consumer plugin tables reject access by default
  - To improve security, default access to tables in the Web Service Consumer (com.glide.web_service_consumer) plugin is set to Reject. The following tables are affected.
    - sys_rest_message
    - sys_rest_message_fn
    - sys_auth_profile_basic
    - sys_auth_profile_oauth2
    - sys_soap_message
    - sys_soap_message_function
    - ws_security_x509_profile_outbound
    - ws_security_username_profile_outbound
  - Default access to tables in the External App Authentication (com.glide.external.app) plugin is also set to Reject. The following tables are affected.
    - token_verification
    - hash_message_verification
Deprecations
Starting with the Washington DC release, Database Encryption is being prepared for future deprecation. Cloud Encryption is the replacement solution for data at rest encryption. For details, see Encryption and Key Management.
Activation information
The Platform Encryption subscription bundle is a group commercial entitlement that includes Column Level Encryption Enterprise, Cloud Encryption, and Database Encryption.
Column Level Encryption Enterprise is the unlimited license of Column Level Encryption. The Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.