Encryption Key Management release notes

  • Release version: Zurich
  • Updated July 31, 2025

    The ServiceNow® Encryption Key Management application protects your data by using encryption, tightly controlled key access, National Institute of Standards and Technology (NIST) 800-57-based key life-cycle management, and FIPS 140-2-L3 key protection. Encryption Key Management was enhanced and updated in the Zurich release.

    Encryption Key Management highlights for the Zurich release

    • See the changes to the Key Management and Field Encryption records that are now logged on the Sys Audits [sys_audit] table.
    • The GlideEncrypter API has been updated and now uses AES256-GCM encryption via the Key Management Framework.
    • Enable or disable GlideEncrypter by using the glide.security.glideencrypter.allow system property.

    See Key Management Framework for more information.

    Important information for upgrading to Zurich

    • In previous releases, the GlideEncrypter API used three-key Triple Data Encryption Standard (3DES) encryption, which NIST 800-131A Rev 2 recommends against using after 2023. The following changes are taking place in the Zurich release in preparation for a full deprecation of GlideEncrypter/3DES in the future:
      • New Zurich instances can’t use GlideEncrypter. All base system scripts have been changed to use alternative encryption processes.
      • If you’re upgrading your Zurich instances, you can still use GlideEncrypter, which has been updated to use AES256-GCM encryption via the Key Management Framework.
      • Learn more about 3DES deprecation in KB1704481.

    New in the Zurich release

    Keep track of Field Encryption and Key Management changes
    By default, the changes to the records on these tables are now logged to the Sys Audits [sys_audit] table:
    • Encrypted Field Configurations [sys_platform_encryption_configuration]
    • Module Access Policies [sys_kmf_crypto_caller_policy]
    • Cryptographic Modules [sys_kmf_crypto_module]
    For details on accessing the Sys Audits [sys_audit] table, see Viewing Sys Audit and Audit Relationship Change tables.
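
    An added example (not ServiceNow code) of pulling these audit entries for review: it builds a Table API query against sys_audit for the three tables above and groups the returned rows per record. The host name and the sample rows are constructed, and the sys_audit column names used are an assumption about your instance.

```javascript
// Tables whose changes Zurich logs to sys_audit by default (names from the release notes).
const KMF_AUDITED_TABLES = [
  'sys_platform_encryption_configuration', // Encrypted Field Configurations
  'sys_kmf_crypto_caller_policy',          // Module Access Policies
  'sys_kmf_crypto_module',                 // Cryptographic Modules
];

// Build a Table API URL for audit rows on those tables created at or after `since`
// ('YYYY-MM-DD HH:MM:SS'). `instance` is a placeholder host name.
function buildAuditQueryUrl(instance, since) {
  const query = `tablenameIN${KMF_AUDITED_TABLES.join(',')}` +
    `^sys_created_on>=${since}^ORDERBYsys_created_on`;
  const params = new URLSearchParams({
    sysparm_query: query,
    sysparm_fields: 'tablename,documentkey,fieldname,oldvalue,newvalue,user,sys_created_on',
  });
  return `https://${instance}/api/now/table/sys_audit?${params}`;
}

// Group rows by (table, record) so each changed record reads as one ordered timeline.
function summarizeAuditRows(rows) {
  const byRecord = new Map();
  for (const r of rows) {
    if (!KMF_AUDITED_TABLES.includes(r.tablename)) continue; // ignore unrelated tables
    const key = `${r.tablename}:${r.documentkey}`;
    if (!byRecord.has(key)) {
      byRecord.set(key, { table: r.tablename, record: r.documentkey, users: new Set(), changes: [] });
    }
    const entry = byRecord.get(key);
    entry.users.add(r.user);
    entry.changes.push({ at: r.sys_created_on, field: r.fieldname, from: r.oldvalue, to: r.newvalue, by: r.user });
  }
  return [...byRecord.values()].map((e) => ({
    ...e,
    users: [...e.users].sort(),
    changes: e.changes.sort((a, b) => (a.at < b.at ? -1 : a.at > b.at ? 1 : 0)),
  }));
}

// Constructed sample rows (record keys, field names, values and users are made up).
const SAMPLE_ROWS = [
  { tablename: 'sys_kmf_crypto_module', documentkey: 'rec-A', fieldname: 'active', oldvalue: 'true', newvalue: 'false', user: 'admin.b', sys_created_on: '2025-08-02 10:15:00' },
  { tablename: 'incident', documentkey: 'rec-X', fieldname: 'state', oldvalue: '1', newvalue: '2', user: 'agent.c', sys_created_on: '2025-08-02 10:16:00' },
  { tablename: 'sys_kmf_crypto_module', documentkey: 'rec-A', fieldname: 'name', oldvalue: 'old name', newvalue: 'new name', user: 'admin.a', sys_created_on: '2025-08-01 09:00:00' },
  { tablename: 'sys_kmf_crypto_caller_policy', documentkey: 'rec-B', fieldname: 'active', oldvalue: 'false', newvalue: 'true', user: 'admin.a', sys_created_on: '2025-08-03 08:30:00' },
];
console.log(buildAuditQueryUrl('instance.example.com', '2025-08-01 00:00:00'));
console.log(JSON.stringify(summarizeAuditRows(SAMPLE_ROWS), null, 2));
```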

    UI changes

    Coral theme
    Coral is now the default theme for new portal, web, and mobile experiences with Next Experience or Core UI enabled. This theme provides a fresh look and feel, featuring brand-neutral illustrations to enhance your user experience. A dark theme option is available for web and mobile experiences.

    Changed in this release

    Updates to GlideEncrypter functionality
    The GlideEncrypter API has been updated to use AES256-GCM encryption via the Key Management Framework. If needed, your instance can be changed to use legacy 3DES encryption, but this task can only be done by ServiceNow support.
    Disable GlideEncrypter on your instance
    GlideEncrypter can be enabled or turned off using the glide.security.glideencrypter.allow system property. This property is unavailable on new Zurich instances, but administrators with the security_admin role can edit this property in upgraded instances. When this system property is set to false, users see this error when attempting to run GlideEncrypter:

        Unsupported call to GlideEncrypter. Details: GlideEncrypter is deprecated and now returns null, please refer KB1320986
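
    Before setting the property to false on an upgraded instance, it helps to know which scripts still call GlideEncrypter. The following added example (not ServiceNow code) scans exported script bodies for GlideEncrypter construction and the method calls made on the resulting objects; the script names and bodies are constructed samples.

```javascript
// Blank out comments but keep line breaks so reported line numbers stay accurate.
// Simplification: string literals are not parsed, so "//" inside a string is blanked too.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/\/\/[^\n]*/g, (m) => ' '.repeat(m.length));
}

// Report each GlideEncrypter construction and each method call on it, with line numbers.
function findGlideEncrypterUse(scriptName, src) {
  const findings = [];
  const tracked = new Set(); // variables assigned directly from `new GlideEncrypter(...)`
  stripComments(src).split('\n').forEach((line, idx) => {
    const hit = (kind) => findings.push({ script: scriptName, line: idx + 1, kind });
    const ctor = /(?:\b(\w+)\s*=\s*)?new\s+GlideEncrypter\s*\(/.exec(line);
    if (ctor) {
      hit('constructor');
      // `new GlideEncrypter().method(...)`: the assigned variable holds the result, not the encrypter.
      const chained = /new\s+GlideEncrypter\s*\([^)]*\)\s*\.\s*(\w+)\s*\(/.exec(line);
      if (chained) hit(`call:${chained[1]}`);
      else if (ctor[1]) tracked.add(ctor[1]);
    }
    for (const v of tracked) {
      const call = new RegExp(`\\b${v}\\s*\\.\\s*(\\w+)\\s*\\(`).exec(line);
      if (call) hit(`call:${call[1]}`);
    }
  });
  return findings;
}

// Constructed sample scripts (not from a real instance).
const SAMPLE_SCRIPTS = {
  LegacyTokenHelper: [
    'var enc = new GlideEncrypter();',
    '// var old = new GlideEncrypter().decrypt(x);',
    'var clear = enc.decrypt(current.u_token);',
    'gs.info("decrypted token length " + clear.length);',
  ].join('\n'),
  InlineCaller: 'var s = new GlideEncrypter().encrypt(input);',
  Unrelated: 'var gr = new GlideRecord("incident"); gr.query();',
};

function scanAll(scripts) {
  return Object.entries(scripts).flatMap(([name, src]) => findGlideEncrypterUse(name, src));
}
console.log(scanAll(SAMPLE_SCRIPTS));
```

    Each reported call site is a place that returns null with the error above once the property is false, so it needs to be moved to an alternative encryption process first.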

    Activation information

    The Platform Encryption subscription bundle is a group commercial entitlement that includes Field Encryption Enterprise and Cloud Encryption.

    Field Encryption Enterprise is the unlimited license of Field Encryption. The Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.