Deprecate GlideEncrypter usage of 3DES for password2 fields

  • Release version: Yokohama
  • Updated January 30, 2025

    Deprecating GlideEncrypter usage of the 3DES encryption standard on your instance ensures that your instance uses the more secure Advanced Encryption Standard (AES) exclusively for the encryption and decryption of your Password2 data.

    Beginning in Rome, password2 data is protected using the Key Management Framework, which uses the more modern Advanced Encryption Standard (AES) algorithm. However, some configurations and fallbacks in password2 logic can still use the 3DES algorithm for encryption and decryption.

    In the Vancouver release, administrators can choose to deprecate the 3DES algorithm entirely. After completing this change, your instance uses AES encryption exclusively for all encryption and decryption tasks relating to password2 data. This change provides stronger instance security than 3DES encryption and is necessary to remain NIST compliant.

    Considerations before deprecation

    Transferring password2 data between instances

    When transferring password2 encrypted texts to other instances, you must ensure that KMF Key Exchange is enabled between the source and target instances. This configuration ensures that the keys used to encrypt password2 texts are available on both instances to decrypt the password2 encrypted texts. Before deprecating 3DES, consider the following use cases that can affect password2 data between instances.

    • If you have applications on your instance that use password2 data, ensure that KMF Resource Exchange is installed on that instance. KMF Resource Exchange ensures that instance level keys used to encrypt the password2 data on the source instance are available on the target instances for decryption. For more information, see Key Management Framework Resource Exchange.
    • If you plan on exporting password2 data through XML or Data Sources, ensure that the target instance has KMF Key Exchange enabled. This configuration ensures that the instance level keys used to encrypt the password2 data on the source instance are available on the target instances for decryption. For details on this configuration, see Key Management Framework Key Exchange.
      Important:
      The examples above are the more common scenarios, but if you’re using any other means of transferring password2 encrypted text between instances, you must configure KMF Resource Exchange to ensure the target instance can decrypt password2 data.

    Downgrading an instance after the 3DES deprecation

    The following applies only to instances that have password2 fields with input lengths greater than 125 characters and on which you have already deprecated 3DES encryption.

    To downgrade an instance to a release earlier than Vancouver via Instance Cloning, take the following steps before initiating the clone.

    1. Check if data preservation is configured to preserve password2 field data.
    2. If yes, then before requesting a clone, contact ServiceNow support to disable 3DES deprecation. In the Reason field, use “Clone downgrade pre-requisite for password2 support.”

    Legacy password2 fields

    Your instance uses 3DES encryption to convert password2 data to legacy (pre-Rome) password2 data. After deprecating 3DES encryption, this option is no longer available. If you still need this feature, request partial deprecation (see details in the next section).

    How to deprecate 3DES

    After you’ve reviewed the preceding use cases, see knowledge base article KB1704481 for a step-by-step process to safely deprecate usage of the DES or Triple DES algorithm on your instance.

    Important:
    You must elevate to security admin to see the Security Compliance module and perform these steps. For details on that process, see Elevate to a privileged role.

    After GlideEncrypter deprecation

    After the deprecation process is complete, the following information applies to your instance.

    • password2 fields still support decryption (but not encryption) of 3DES encrypted data.
    • Existing 3DES encrypted data in password2 fields remains as is until the field value is updated by a user or workflow.
    • Any update to the value of a password2 field removes 3DES encrypted text and replaces it with the text encrypted by KMF using AES.
    • In some situations, your instance may display an error when saving password data:

      Action Aborted: Password value cannot be saved due to technical issue. Please see KB1296997 for help.

      If you see this error refer to support information in knowledge base article KB1296997.