Password2 encryption with the Key Management Framework (KMF)
Summarize
Summary of Password2 encryption with the Key Management Framework (KMF)
Password2 is a two-way encrypted text field type supported by the Key Management Framework (KMF) in ServiceNow, designed to securely store and manage passwords within custom fields. It provides encryption and decryption capabilities with segregation of duties, key protection, and lifecycle management, adhering to NIST 800-57 guidelines and offering FIPS 140-2-L3 level security. Password2 enables secure password storage that can be decrypted within the instance when necessary.
Show less
The functionality is enabled by default in the Zurich release and controlled by the property glide.kmf.encrypter.enabled. Password2 does not require the Field Encryption Enterprise plugin.
How Password2 Works
- The KMF uses a parent cryptographic module (cmglideencrypter) with submodules for specific application scopes. Each submodule has its own AES 256 GCM encryption key and specification.
- When encrypting or decrypting Password2 fields, the system uses the submodule matching the application scope of the field, providing scope-based cryptographic control.
- New Password2 fields generally use the instancelevelglideencrypter submodule.
- Key rotation is supported on submodules but not on the parent module.
- Domain separation is not supported for KMF Password2 fields, but Password2 is compatible with on-premise instances.
- Starting with the Vancouver release, administrators can deprecate older 3DES encryption in favor of AES encryption for Password2 fields.
Legacy vs Current Password2
The Zurich release upgrades Password2 to comply fully with KMF and NIST 800-57 key wrapping guidelines, improving security by using FIPS 140-2-L3 protection and application-scoped submodules with unique AES 256 GCM keys.
Using Password2 Fields in Scripts
- Scripts must run under the same scope as the table containing the Password2 field.
- Use setDisplayValue() to encrypt and set the password value; do not use setValue().
- Use getDecryptedValue() to decrypt and retrieve the stored password. This method is globally available, regardless of scope.
- The GlideEncrypter() API should not be used for Password2 fields.
Example to encrypt a password:
var gr = new GlideRecord('tablexyz');gr.pwd2columnname.setDisplayValue('my@Password');gr.insert();
Example to decrypt a password:
var gr = new GlideRecord('tablexyz');gr.query();gr.next();var ge = gr.getElement('pwd2columnname');var decrypted = ge.getDecryptedValue();
KMF Password2 Migration
When upgrading from previous releases, a migration job re-encrypts legacy Password2 field data using the KMF submodule keys, provided the application scope has a corresponding submodule. This ensures legacy data is upgraded to use the improved KMF encryption scheme and key hierarchy protection.
Practical Benefits for ServiceNow Customers
- Allows secure storage of passwords with two-way encryption inside ServiceNow instances.
- Ensures compliance with industry standards for cryptographic key management and encryption security.
- Provides application scope-based encryption keys for better security segregation.
- Supports encryption key lifecycle management, including rotation on submodules.
- Enables straightforward scripting for encryption and decryption operations without needing additional encryption APIs.
- Ensures a smooth transition for customers upgrading from legacy Password2 encryption.
Supported by the Key Management Framework, use the Password2 (2-way encrypted) field type to encrypt and decrypt custom fields with segregation of duties, key protection, and life-cycle management. It works in accordance with NIST 800-57 guidelines and provides FIPS 140-2-L3 protection.
Password2 is a text field that stores passwords with two-way encryption. The two-way encryption stores passwords as a secure encrypted value that can be decrypted within the instance.
Activation
Password2 functionality is active by default. It’s controlled by the glide.kmf.encrypter.enabled property, which is set to true for all new instances and upgrades. You don’t need to enable Field Encryption Enterprise to use Password2.
How Password2 works
The Key Management Framework provides a base system parent cryptographic module cm_glide_encrypter. This module provides a cryptographic specification and a key that can decrypt legacy Password2 fields.
This cm_glide_encrypter module can have submodules, each with their own module key and specification. If a submodule is present with the same application scope as the application where the Password2 field is, the system uses the submodule. For example, if a table in the ServiceNow® Customer Service application has a submodule, and you write information to a Password2 field on a table in the Customer Service application scope, the cryptographic process calls the Customer Service submodule. The process also uses that submodule's key for encryption and decryption with a unique AES 256 GCM encryption key. One submodule per application scope is allowed. Parent module isn’t always used for global scope. Generally, new fields use instance_level_glide_encrypter.
Domain separation and on-premise customers
KMF Password2 doesn’t support domain separation. You can use Password2 with on-premise instances.
Legacy Password2 and the current Password2
In Zurich, the existing Password2 field has been upgraded.
- Uses the Key Management Framework in accordance with NIST 800-57 key wrapping guidelines and provides FIPS 140-2-L3 protection for the entire key hierarchy.
- Includes capabilities to create dedicated and unique KMF Password2 submodules for specific applications, providing control through application scope. Each submodule has its own unique AES 256 GCM encryption key.
Password2 fields in scripts
When accessing Password2 fields with a script, run the script under the same
scope as the table scope. Use setDisplayValue() to encrypt Password2 values and getDecryptedValue() to decrypt and read
the value.
GlideEncrypter() API on Password2 fields.
var gr = new GlideRecord(‘table_xyz’);
gr.pwd2column_name.setDisplayValue('my@Password');
gr.insert();
setValue() API for the Password2 field.This example script shows you how to decrypt the same field to retrieve the value:
var gr = new GlideRecord(‘table_xyz’);
gr.query();
gr.next();
var ge=gr.getElement('pwd2column_name');
var ged1 = ge.getDecryptedValue();
getDecryptedValue() API isn’t scoped. It’s available globally.- When you encrypt data in a Password2 field, the system determines the scope of the application where the Password2 field resides.
- The system then looks for a submodule of the cm_glide_encrypter parent module with the same scope as the application if the property is set to true.Note:If a submodule with the same scope is present, it uses the submodule specification and key to perform the encryption.
This illustration explains how your instance decrypts data in Password2 fields:
KMF Password2 migration job
A migration job is provided for customers upgrading from previous releases. It takes data encrypted with a legacy Password2 encryption and re-encrypts it with the key in a KMF Password2 submodule key. The re-encryption only applies to tables with Password2 fields in application scopes that also have submodules created for that scope. For example, a legacy Password2 field in XYZ_example application (with XYZ_example application scope) is re-encrypted only if a submodule for the XYZ_example application scope exists under the cm_glide_encrypter parent module.
The KMF Password2 encryption keys in the submodule are protected (envelope encrypted) in the KMF key hierarchy.