Password (2 Way Encrypted) design considerations

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password (2 Way Encrypted) design considerations

    This guide explains how to use Password (2 Way Encrypted) variables within ServiceNow workflows, enabling storage of passwords in an encrypted form that can be decrypted when necessary. It emphasizes design considerations, proper usage, and security controls relevant to ServiceNow customers managing sensitive password data.

    Show full answer Show less

    Basic and Advanced Options

    • Label: Custom text to identify the password variable in Workflow Studio.
    • Name: System-generated identifier from the label, used in scripts and must be alphanumeric or underscores.
    • Type: Defines the data type stored (Password 2 Way Encrypted).
    • Mandatory: Specifies if the password variable requires a value during action configuration.
    • Hint: Provides guidance for flow or action designers on how to configure the password data.
    • Default value: Specifies a default password value if none is provided by the designer.

    Key Design Guidelines

    • Assign values exclusively by selecting existing Password (2 Way Encrypted) data pills; manual entry is not allowed.
    • Only compatible field types accept Password2 variables. These include email body fields, HTML fields, password fields, PowerShell inputs, REST and SOAP fields like headers and payloads, query parameters, and form URL-encoded values.
    • Password (2 Way Encrypted) variables cannot be used as conditions in flow logic.
    • Workflow Studio validates flows and actions on save, publish, or test and blocks execution if invalid data pill types are used with password variables.
    • If invalid assignments are detected, update the flow or action to remove incompatible password data pills before retrying.

    Security and Access Control

    • Decryption of Password (2 Way Encrypted) values requires users to have specific encryption module access roles.
    • Encryption algorithms and role-based access to decrypt password data are configurable through Password2 encryption with Key Management Framework (KMF).

    By following these considerations, ServiceNow customers can securely store and manage decryptable password data within workflows while ensuring correct usage and compliance with security policies.

    Store encrypted password data that can be decrypted.

    Basic options

    Option Description
    Label Displays the label used to identify the data variable in the Workflow Studio interface. The label can consist of any text.
    Name Displays the name used to identify the data variable in script calls. The name can only consist of alphanumeric and underscore characters. The system automatically converts the label into a valid name by removing or replacing any special characters.
    Type Indicates the type of data stored by the data variable.
    Mandatory Indicates whether the data variable must contain a value when configured in an action.

    Advanced options

    Option Description
    Hint Provides guidance to flow or action designers on how to configure the data.
    Default value Specifies the value used when a flow or action designer does not provide a value.

    General guidelines

    Follow these general guidelines when designing flows containing Password (2 Way Encrypted) data.
    Assign values using existing Password (2 Way Encrypted) data pills.
    You can only assign a value to a password2 variable by selecting an existing password2 data pill. Selecting values from other field types is not supported. Workflow Studio presents a warning message when invalid data pill types are selected.

    The warning message displayed when dragging a non-password2 data pill onto a password2 field.

    Note:
    You cannot manually enter Password (2 Way Encrypted) values.
    Use Password (2 Way Encrypted) variables only for valid field types
    Workflow Studio prevents selecting Password2 data pills as the value for invalid field types. The system presents a warning message when the field is an incompatible type.

    The warning shown when dragging a password2 field to a disallowed field.

    Workflow Studio only allows Password2 data pills to be dragged into the following field types.
    • Email body fields
    • HTML fields
    • Password 2 Fields
    • PowerShell Input Variables
    • REST fields
      • Variables
      • REST payload body
      • Query parameters
      • Headers
      • REST multi-part form values
      • Form URL-encoded values
    • SOAP fields
      • Headers
      • Envelope
    Note:
    you cannot use Password (2 Way Encrypted) variables as conditions

    Flow Designer performs a validation check when a user saves, publishes, or tests actions and flows. This check shows that an alert for any data pills dropped in restricted field types and prevents the action or flow from executing. Update the action or flow to remove the invalid data pill and then retry the action.

    Set up encryption modules for decryption
    Only users with a valid encryption module access can decrypt and view the contents of password2 variables. To specify the encryption algorithm and which roles can access encrypted data, see Password2 encryption with KMF .