Combined Encryption Key Management release notes for upgrades from Vancouver to Xanadu

  • Release version: Yokohama
  • Updated January 30, 2026
  • Consolidated page of all release notes for Encryption Key Management from Vancouver to Xanadu.

    How to use this page

    To help you prepare for your upgrade, we have combined the cross-family Encryption Key Management release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Vancouver to Xanadu.

    Tip:
    If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

    Important information for upgrading Encryption Key Management to Xanadu

    Before you upgrade to Xanadu, review these pre- and post-upgrade tasks and complete the tasks as needed.

    Release Release notes

    Vancouver

    No updates for this release.

    Washington DC

    If you upgrade your instance to Washington DC but don’t upgrade your MID Server, Secrets Management authentication fails. Avoid authentication failures by upgrading your MID Server to Washington DC. If you can’t upgrade, you must turn off authentication until MID Server is upgraded to Washington DC to avoid authentication failures.

    For details on MID Server upgrades, see MID Server upgrades.

    Xanadu

    No updates for this release.

    New features

    Between your current release family and Xanadu, new features were introduced for Encryption Key Management.

    Release Release notes

    Vancouver

    Agent-to-agent credential sharing
    Use agent-to-agent credential sharing to reduce the administration that is required with client-accessible secrets when you add new MID servers. Each MID server gets its own unique key pair and can now share CAS credentials with other MID servers.
    Algorithm improvements for Edge Encryption
    Use the updated Edge Encryption that has stronger encryption algorithms for non-FIPS instances. This stronger encryption improves the security for your configuration records and the password field's edgeencryption.properties file.
    Record signing improvements for Edge Encryption
    Use the updated record signing feature of Edge Encryption where you can do the following actions:
    • Use elliptic curve key pairs for signing the configuration records.
    • Use an edge proxy to validate the configuration record signatures with multiple keys.
    • Schedule jobs to re-sign the customer configuration records with a new key.
    Edge Encryption supports MySQL 8
    Use the order-preserving encryption and encryption patterns that require you to configure an Oracle MySQL database for the Edge Encryption proxy server. MySQL 8 is supported as the order-preserving and tokenization encryption database.
    New field type support for Field Encryption Enterprise
    Use the updated field encryption that now supports the phone and email field types.
    Key Management Framework Map Visualization
    If you're a key management framework (KMF) administrator or Crypto Manager, use map visualizations to evaluate the individual components that make up your module access policies. You can study the relationship between the policies, and debug if necessary so that the key access rights are properly administrated.

    Washington DC

    PostgreSQL database support
    Support the PostgreSQL databases for primary, secondary, read replica, gateway (shard), and Logical Corruption Protection (LCP) databases for cloud encryption. LCP databases are a variant of the read replica database.
    Trusted timestamps within the Code Signing framework
    View when a signature is issued by using timestamped Key Management Framework (KMF) Signature [sn_kmf_record_signature] records.
    Reusable key for agent-to-agent credential sharing
    Configure client-side asymmetric key pairs for API authentication. With the reusable key feature, every conceptual cryptographic module has only one active conceptual key at any point, generated on the client side and wrapped with its respective public key.
    Simplified process for 3DES deprecation
    Remove GlideEncrypter by using the guidance from the improved user interface for 3DES deprecation. Within the critical update app in Security Center, you can find information about the full and partial deprecation of 3DES, and view all impacted legacy password2 fields before deprecating 3DES.
    Property-driven multi-layer caller inspection for Code Signing
    Increase the number of caller layers to be validated during the ECC queue notarization to improve security. Starting in Washington DC, the number of validated caller layers is driven by a system property.
    Switch between ServiceNow Root of Trust (ROT) and your own ROT
    Switch between ServiceNow Root of Trust (ROT) and your own ROT.

    Xanadu

    New plugin available for Code Signing roles and administrative features
    Activate the plugin to access the new roles and administration features. The new plugin creates signature migration jobs, new code signing roles, and a new code signing administration page.

    Changes

    Between your current release family and Xanadu, some changes were made to existing Encryption Key Management features.

    Release Release notes

    Vancouver

    Deprecate GlideEncrypter usage of 3DES for password2 fields
    Administrators may request 3DES deprecation to ensure that your instance uses the more secure Advanced Encryption Standard (AES) exclusively for the encryption and decryption of your Password2 data. This configuration change is necessary to meet NIST compliance, and ensures that your passwords no longer rely on static key encryption.

    Washington DC

    Web Service Consumer plugin tables reject access by default
    To improve security, default access to tables in the Web Service Consumer (com.glide.web_service_consumer) plugin is set to Reject. The following tables are affected.
    • sys_rest_message
    • sys_rest_message_fn
    • sys_auth_profile_basic
    • sys_auth_profile_oauth2
    • sys_soap_message
    • sys_soap_message_function
    • ws_security_x509_profile_outbound
    • ws_security_username_profile_outbound

    Default access to tables in the External App Authentication (com.glide.external.app) plugin is also set to Reject. The following tables are affected.

    • token_verification
    • hash_message_verification

    Xanadu

    Changes to Code Signing requirements
    As a part of improving security around Root of Trust, signing of script and attachment records can only be done on your trusted non-production instance or using the standalone signing tool. The exception is notarization, which can still be performed in the protected production instance.
    Enhancement requests for the Code Signing Standalone signing tool
    Updates to Code Signing enable your administrators to work with keystores, signature records, and records to be signed outside of the local system.
    Improved activation process for Code Signing
    Activate Code Signing with a new UI page that is designed to streamline the activation process.
    Download All Button for Multiple Attachments is available when Edge Encryption is enabled
    By using the download all functionality, you can now download multiple documents into a zip file when you also enable Edge Encryption.
    Edge Encryption jRobin dashboards have been migrated to NEXT Experience
    View troubleshooting and performance on dashboards that were migrated from the deprecated jRobin framework. These dashboards display the same information that was available in previous versions.
    Column Level Encryption Enterprise is installable by administrators after purchase
    After purchasing Column Level Encryption Enterprise, your administrator can typically activate the product without needing technical assistance.
    Support for full string UTF-8 in Column Level Encryption
    CLE supports encryption and decryption of the full range of UTF-8 characters, including emoji.
    Improved readability for Column Level Encryption logging
    With the improved system, node, application, and audit logging, your administrators can analyze and troubleshoot their CLE or CLEE implementation.

    Removed

    Between your current release family and Xanadu, some Encryption Key Management features or functionality were removed.

    Release Release notes

    Vancouver

    No updates for this release.

    Washington DC

    No updates for this release.

    Xanadu

    No updates for this release.

    Deprecations

    Between your current release family and Xanadu, some Encryption Key Management features or functionality were deprecated.

    Release Release notes

    Vancouver

    • The following system properties have been deprecated and can’t be changed. These properties now default to the safe value that is listed in the following table. For a use case where the property has to be changed, contact customer support.
      Property | Safe value | Description
      com.glide.snap.enable_scan | true | Enables antivirus scanning on the instance by default. Contact customer support for use cases where the property must be set to false.
      glide.security.sandbox_no_unsafe_methods | true | Prevents dangerous methods from being run in the JavaScript sandbox on an instance.
      glide.security.strict.updates | true | Verifies that a user has the appropriate access control list (ACL) rule permission to update a form on form submission or field update.
      glide.ui.escape_text | true | Escapes XML values at the parser level for the user interface. Prevents the reflected and stored cross-site scripting attacks.
      glide.ui.security.codetag.allow_script | false | Disallows the rendered HTML in journal fields and forms to prevent the cross-site scripting (XSS) attacks when malicious HTML is inserted between the code tags.

    The GlideEncrypter API is planned for deprecation, and will be unavailable starting in the X release. For information on alternatives to these APIs, see: Alternatives to deprecated GlideEncrypter APIs

    Washington DC

    Starting with the Washington DC release, Database Encryption is being prepared for future deprecation. Cloud Encryption is the replacement solution for data at rest encryption. For details, see Encryption and Key Management.

    Xanadu

    No updates for this release.

    Activation information

    Review information on how to activate Encryption Key Management.

    Release Release notes

    Vancouver

    The ServiceNow Platform Encryption subscription bundle is a group commercial entitlement that includes Column Level Encryption Enterprise, Cloud Encryption, and Database Encryption.

    Column Level Encryption Enterprise is the unlimited license of Column Level Encryption. The Column Level Encryption Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.

    Washington DC

    The Platform Encryption subscription bundle is a group commercial entitlement that includes Column Level Encryption Enterprise, Cloud Encryption, and Database Encryption.

    Column Level Encryption Enterprise is the unlimited license of Column Level Encryption. The Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.

    Xanadu

    The Platform Encryption subscription bundle is a group commercial entitlement that includes Column Level Encryption Enterprise, Cloud Encryption, and Database Encryption.

    Column Level Encryption Enterprise is the unlimited license of Column Level Encryption. The Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.

    Additional requirements

    If any additional requirements were introduced or changed for Encryption Key Management, we have noted them here.

    Release Release notes

    Vancouver

    No updates for this release.

    Washington DC

    No updates for this release.

    Xanadu

    No updates for this release.

    Browser requirements

    If any specific browser requirements were introduced or changed for Encryption Key Management, we have noted them here.

    Release Release notes

    Vancouver

    No updates for this release.

    Washington DC

    No updates for this release.

    Xanadu

    No updates for this release.

    Accessibility information

    Review details on accessibility information for Encryption Key Management, such as specific requirements or compliance levels.

    Release Release notes

    Vancouver

    No updates for this release.

    Washington DC

    No updates for this release.

    Xanadu

    No updates for this release.

    Localization information

    If there are specific localization considerations for Encryption Key Management, we have noted them here.

    Release Release notes

    Vancouver

    No updates for this release.

    Washington DC

    No updates for this release.

    Xanadu

    No updates for this release.

    Highlight information

    If there are specific highlight considerations for Encryption Key Management, we have noted them here.

    Release Release notes

    Vancouver

    • Use agent-to-agent credential sharing within Secrets Management, which is used for the granular management of access to your passwords.
    • Use the improved algorithm and record signing for Edge Encryption.
    • Use Edge Encryption for MySQL 8 order-preserving and tokenization encryption databases.

    See Encryption and Key Management for more information.

    Washington DC

    • Support the PostgreSQL databases for primary, secondary, read replica, gateway (shard), and Logical Corruption Protection (LCP) databases for cloud encryption. LCP databases are a variant of the read replica database.
    • View when a signature is issued by using timestamped Key Management Framework (KMF) Signature [sn_kmf_record_signature] records.
    • Remove GlideEncrypter by using the guidance from the improved user interface for 3DES deprecation. Within the critical update app in Security Center, you can find information about the full and partial deprecation of 3DES, and view all impacted legacy password2 fields before deprecating 3DES.

    See Encryption and Key Management for more information.

    Xanadu

    • Start using Code Signing's improved activation process. You can use the new Code Signing UI page for a faster, streamlined activation.
    • Administer Column Level Encryption with new Column Level Encryption APIs, roles, and administration features. Column Level Encryption logging has been enhanced for improved readability.
    • Download all encrypted attachments as a zip file by using the new Download All button.

    See Key Management Framework for more information.