Deprecate GlideEncrypter usage of 3DES for password2 fields

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Deprecate GlideEncrypter usage of 3DES for password2 fields

    This guidance helps ServiceNow customers transition from the outdated 3DES encryption algorithm to the more secure Advanced Encryption Standard (AES) exclusively for encrypting and decryptingpassword2fields. Starting in the Rome release, password2 data encryption uses the Key Management Framework (KMF) with AES, but some fallback options still rely on 3DES. The Vancouver release introduces the ability to fully deprecate 3DES, enhancing security and ensuring NIST compliance.

    Show full answer Show less

    Key Considerations Before Deprecation

    • Transferring password2 Data Between Instances: Ensure KMF Key Exchange is enabled on both source and target instances to share encryption keys necessary for decrypting password2 data during transfers.
    • Using Applications with password2 Data: Install KMF Resource Exchange on instances running applications that handle password2 data to facilitate key sharing.
    • Exporting password2 Data via XML or Data Sources: Confirm target instances have KMF Key Exchange enabled to decrypt incoming password2 encrypted texts.
    • If you use other methods to transfer password2 encrypted text, configure KMF Resource Exchange accordingly to maintain decryption capability.
    • Downgrading Instances After Deprecation: For instances with password2 fields longer than 125 characters that have deprecated 3DES, contact ServiceNow support to disable 3DES deprecation before cloning to versions earlier than Vancouver.
    • Legacy password2 Fields: Deprecating 3DES disables conversion to legacy password2 data. To retain legacy support, request a partial deprecation.

    Deprecation Process

    Follow the detailed step-by-step instructions provided in knowledge base article KB1704481 to safely deprecate 3DES usage. You must have the Security Admin role elevated to access the Security Compliance module and perform these actions.

    After Deprecation

    • password2 fields will continue to decrypt existing 3DES-encrypted data but will no longer encrypt new data using 3DES.
    • Any updates to password2 field values replace 3DES encryption with AES encryption managed by KMF.
    • If you encounter the error "Action Aborted: Password value cannot be saved due to technical issue.", refer to knowledge base article KB1296997 for troubleshooting guidance.

    Benefits for ServiceNow Customers

    This deprecation enhances instance security by eliminating the weaker 3DES algorithm and ensuring all password2 data is protected with AES, a stronger, NIST-compliant standard. It is essential for customers to plan key management configurations carefully before deprecation to maintain smooth data transfers and backups across instances.

    Deprecate GlideEncrypter usage of 3DES encryption standard on your instance ensure that your instance uses the more secure Advanced Encryption Standard (AES) exclusively for the encryption and decryption of your Password2 data.

    Beginning in Rome, password2 data is protected using the Key Management Framework, which uses the more modern Advanced Encryption Standard (AES) algorithm. However, some configurations and fallbacks in password2 logic can still use the 3DES algorithm for encryption and decryption.

    In the Vancouver release, administrators can choose to deprecate the 3DES algorithm entirely. After completing this change, your instance uses AES encryption exclusively for all encryption and decryption tasks relating to password2 data. This change provides better instance security than compared with 3DES encryption, and is necessary to remain NIST compliant.

    Considerations before deprecation

    Transferring password2 data between instances

    When transferring password2 encrypted texts to other instances, you must ensure that KMF Key Exchange is enabled between source and target instances. This configuration ensures that the keys used to encrypt password2 texts are available on both instances to decrypt the password2 encrypted texts. Before deprecating 3DES, Consider the following use cases that can impact password2 data between instances.

    • If you have applications on your instance that use password2 data, ensure that KMF Resource Exchange is installed on that instance. KMF Resource Exchange ensures that instance level keys used to encrypt the password2 data on the source instance are available on the target instances for decryption. For more information, see Key Management Framework Resource Exchange.
    • If you plan on exporting password2 data through XML or Data Sources, ensure that the target instance has KMF Key Exchange enabled. This configuration ensures that the instance level keys used to encrypt the password2 data on the source instance are available on the target instances for decryption. For details on this configuration, see Key Management Framework Key Exchange.
      Important:
      The examples above are more common scenarios, but if you’re using any other means of transferring password2 encrypted text between instances, you must configure KMF Resource Exchange to ensure the target instance can decrypt password2 data.
    Downgrading an instance after the 3DES deprecation

    The following only applies for instances that have password2 fields have input lengths greater than 125 characters and you have already deprecated 3DES encryption.

    To downgrade an instance to release earlier than Vancouver via Instance Cloning, take the following steps before initiating the clone.

    1. Check if data preservation is configured to preserve password2 field data.
    2. If yes, then before requesting a clone, contact ServiceNow support to disable 3DES deprecation. In the Reason field, use “Clone downgrade pre-requisite for password2 support.”
    Legacy password2 fields

    Your instance uses 3DES encryption to convert password2 data to legacy (pre-Rome) password2 data. After deprecating 3DES encryption, this option is no longer available. If you still need this feature, request partial deprecation (see details in the next section).

    How to deprecate 3DES

    After you’ve reviewed the preceding use cases, use knowledge base article KB1704481, for a step by step process to safely deprecate the usage of DES or Triple DES algorithm in instance. For details see KB1704481.

    Important:
    You must elevate to security admin to see the Security Compliance module and perform these steps. For details on that process, see Elevate to a privileged role.

    After GlideEncrypter deprecation

    After the deprecation process is complete, the following information applies to your instance.
    • password2 fields still support decryption (but not encryption) of 3DES encrypted data.
    • Existing 3DES encrypted data in password2 fields remain as is until the field value is updated by a user or workflow.
    • Any update to the value of a password2 field removes 3DES encrypted text and replaces it with the text encrypted by KMF using AES.
    • In some situations, your instance may display an error when saving password data:

      Action Aborted: Password value cannot be saved due to technical issue. Please see KB1296997 for help.

      If you see this error refer to support information in knowledge base article KB1296997.