Password (2 Way Encrypted) design considerations

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password (2 Way Encrypted) design considerations

    This guide explains how to store and manage password data that is encrypted in a reversible (2-way encrypted) manner within ServiceNow flows and actions. It highlights design considerations, configuration options, and usage restrictions to ensure secure and correct handling of sensitive password data.

    Show full answer Show less

    Basic Configuration Options

    • Label: Custom text used to identify the password variable in Workflow Studio.
    • Name: System-generated alphanumeric identifier for scripting, derived from the label.
    • Type: Specifies the data type stored.
    • Mandatory: Indicates if this password variable must have a value when used in an action.

    Advanced Configuration Options

    • Hint: Provides guidance to designers on configuring the password variable.
    • Default value: Defines a fallback password value if none is provided in the flow or action.

    Usage Guidelines

    • Password (2 Way Encrypted) variables can only be assigned values by selecting existing password2 data pills; manual entry or values from other field types are not supported.
    • These variables can only be used in specific compatible field types such as Email body fields, HTML fields, Password 2 fields, PowerShell Input Variables, and various REST and SOAP request fields including headers, query parameters, and payload bodies.
    • They cannot be used as conditions in flow logic.
    • Workflow Studio enforces these rules by providing warnings and preventing flow or action execution if invalid assignments are detected.

    Encryption and Access Control

    Only users with appropriate encryption module access can decrypt and view the contents of password2 variables. Configuration of encryption algorithms and role-based access is managed through Password2 encryption with KMF, ensuring secure access control over sensitive password data.

    Store encrypted password data that can be decrypted.

    Basic options

    Option Description
    Label Displays the label used to identify the data variable in the Workflow Studio interface. The label can consist of any text.
    Name Displays the name used to identify the data variable in script calls. The name can only consist of alphanumeric and underscore characters. The system automatically converts the label into a valid name by removing or replacing any special characters.
    Type Indicates the type of data stored by the data variable.
    Mandatory Indicates whether the data variable must contain a value when configured in an action.

    Advanced options

    Option Description
    Hint Provides guidance to flow or action designers on how to configure the data.
    Default value Specifies the value used when a flow or action designer does not provide a value.

    General guidelines

    Follow these general guidelines when designing flows containing Password (2 Way Encrypted) data.
    Assign values using existing Password (2 Way Encrypted) data pills.
    You can only assign a value to a password2 variable by selecting an existing password2 data pill. Selecting values from other field types is not supported. Workflow Studio presents a warning message when invalid data pill types are selected.

    The warning message displayed when dragging a non-password2 data pill onto a password2 field.

    Note:
    You cannot manually enter Password (2 Way Encrypted) values.
    Use Password (2 Way Encrypted) variables only for valid field types
    Workflow Studio prevents selecting Password2 data pills as the value for invalid field types. The system presents a warning message when the field is an incompatible type.

    The warning shown when dragging a password2 field to a disallowed field.

    Workflow Studio only allows Password2 data pills to be dragged into the following field types.
    • Email body fields
    • HTML fields
    • Password 2 Fields
    • PowerShell Input Variables
    • REST fields
      • Variables
      • REST payload body
      • Query parameters
      • Headers
      • REST multi-part form values
      • Form URL-encoded values
    • SOAP fields
      • Headers
      • Envelope
    Note:
    you cannot use Password (2 Way Encrypted) variables as conditions

    Flow Designer performs a validation check when a user saves, publishes, or tests actions and flows. This check shows that an alert for any data pills dropped in restricted field types and prevents the action or flow from executing. Update the action or flow to remove the invalid data pill and then retry the action.

    Set up encryption modules for decryption
    Only users with a valid encryption module access can decrypt and view the contents of password2 variables. To specify the encryption algorithm and which roles can access encrypted data, see Password2 encryption with KMF .