Did you know: ServiceNow’s GlideEncrypter API is planned for deprecation?

Are you using the GlideEncrypter class for your encryption operations? If you are not sure how to answer that, there is a way to find out. ServiceNow has a capability called “instance scan” with which you can run (or schedule) a suite of checks, or individual checks, that flag deviations from ServiceNow recommendations, outstanding maintenance items, and other security-relevant conditions. In short, the instance scan is there to align your instance with best practices.

Now is the time to scan for GlideEncrypter usage and move that code to the alternatives ServiceNow recommends. When the Xanadu release is live, calls to the GlideEncrypter API will no longer be permitted. Work with your ServiceNow administrator(s) to run the individual check from the Instance Scan application menu:

Search the checks for “Deprecated API: GlideEncrypter” by name, open it, and click the “Test Check” button.

The check takes a little while to locate every usage; the results appear in the Scan Findings related list. The next sections cover the recommended approaches to safer encryption.
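The instance scan check above is the supported way to find usages. As an added example that is not part of the original post, the following server-side script does a narrower version of the same job so that each hit can be triaged: it searches the common script tables for GlideEncrypter, skips commented-out code, and classifies each line as a construction, an encrypt call or a decrypt call, mapping it to the alternatives discussed in the next sections. The table list, the REPLACEMENT wording and the function names are this example's assumptions, not ServiceNow's. classifyGlideEncrypterUsage() is pure and can be exercised anywhere; scanInstance() needs GlideRecord and is meant to run from Scripts - Background on a sub-production instance.

```javascript
// Added example (not from the original post): locate GlideEncrypter usage in server-side script
// fields and classify each hit so it can be mapped to a replacement. Written for ServiceNow's
// ES5 server runtime; classifyGlideEncrypterUsage() is pure, scanInstance() needs GlideRecord.

// Recommended replacement per kind of call (the post's alternatives; the wording is this example's).
var REPLACEMENT = {
    construct: 'remove once the encrypt/decrypt calls on this instance are migrated',
    encrypt: 'GlideElement.setDisplayValue() on a password2 field, or a KMF cryptographic module',
    decrypt: 'GlideElement.getDecryptedValue(), or a KMF cryptographic module'
};

// Tables and script fields to search. Assumption, not an exhaustive list; extend for your own artifacts.
var SCRIPT_FIELDS = [
    ['sys_script', 'script'],                 // business rules
    ['sys_script_include', 'script'],
    ['sys_ui_action', 'script'],
    ['sys_script_fix', 'script'],             // fix scripts
    ['sysevent_script_action', 'script'],
    ['sys_ws_operation', 'operation_script'], // scripted REST resources
    ['sys_transform_script', 'script'],
    ['sys_processor', 'script']
];

// Returns one finding per line that touches GlideEncrypter, skipping // and /* */ comments.
// Tracks variables bound to `new GlideEncrypter()` so `enc.encrypt(...)` is attributed correctly
// and unrelated encrypt/decrypt calls (e.g. on a KMF operation object) are not flagged.
function classifyGlideEncrypterUsage(scriptText) {
    var findings = [];
    var handles = {};
    var inBlockComment = false;
    var lines = String(scriptText).split(/\r?\n/);
    for (var i = 0; i < lines.length; i++) {
        var line = lines[i];
        var t = line.trim();
        if (inBlockComment) { if (t.indexOf('*/') !== -1) inBlockComment = false; continue; }
        if (t.indexOf('//') === 0) continue;
        if (t.indexOf('/*') === 0) { if (t.indexOf('*/') === -1) inBlockComment = true; continue; }

        var kind = null;
        var inline = /new\s+GlideEncrypter\s*\([^)]*\)\s*\.\s*(encrypt|decrypt)\s*\(/.exec(line);
        if (inline) {
            kind = inline[1];
        } else {
            var bound = /(\w+)\s*=\s*new\s+GlideEncrypter\s*\(/.exec(line);
            if (bound) handles[bound[1]] = true;
            for (var name in handles) {
                var call = new RegExp('\\b' + name + '\\s*\\.\\s*(encrypt|decrypt)\\s*\\(').exec(line);
                if (call) { kind = call[1]; break; }
            }
        }
        if (!kind && /\bGlideEncrypter\b/.test(line)) kind = 'construct';
        if (kind) findings.push({ line: i + 1, kind: kind, replacement: REPLACEMENT[kind], text: t });
    }
    return findings;
}

// Walks the script tables on the instance and returns records with their classified findings.
function scanInstance() {
    if (typeof GlideRecord === 'undefined')
        throw new Error('scanInstance() must run on a ServiceNow instance (e.g. as a background script)');
    var results = [];
    for (var i = 0; i < SCRIPT_FIELDS.length; i++) {
        var table = SCRIPT_FIELDS[i][0], field = SCRIPT_FIELDS[i][1];
        var gr = new GlideRecord(table);
        gr.addQuery(field, 'CONTAINS', 'GlideEncrypter');
        gr.query();
        while (gr.next()) {
            var findings = classifyGlideEncrypterUsage(gr.getValue(field));
            if (findings.length)
                results.push({ table: table, sys_id: gr.getUniqueValue(), name: gr.getDisplayValue(), findings: findings });
        }
    }
    return results;
}
```

The CONTAINS query is only a coarse filter; the per-line classification is what tells you whether a hit becomes a setDisplayValue() write, a getDecryptedValue() read, or simply an object construction that goes away once both are migrated. Client-side scripts and UI pages are deliberately not in the list, since GlideEncrypter is a server API.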

GlideElement – setDisplayValue()

If your organization works with dictionary entries of the password2 type, use this API to encrypt values. It is straightforward to implement because it operates directly on a field: obtain the field's GlideElement from the record (for example, current.u_token or gr.getElement('u_token')) and call setDisplayValue() with the plaintext; the platform encrypts it when the record is written. Because the method belongs to the element, it only works against an actual password2 field on a record; there is no free-standing encrypt call.

GlideElement – getDecryptedValue()

If you absolutely must read the plaintext back out of the database, there is a method for that: getDecryptedValue() on the same GlideElement returns the decrypted value. It bears repeating that the plaintext should never be left anywhere in clear text: do not write it to a log, a string field or a script output; work with it in memory and release it as soon as the operation is done. Like setDisplayValue(), this method needs an actual password2 field to return a successful response.

See the Washington DC API reference documentation for the GlideElement class and the methods mentioned above.
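The two GlideElement methods together replace a typical encrypt-then-store / read-then-decrypt pair written against GlideEncrypter. The block below is an added example, not code from the original post or from ServiceNow: the legacy function shows the deprecated shape only for contrast; the rest takes a GlideRecord (for example current in a Business Rule) and a password2 field name, checks the field type before writing, and hands the plaintext only to a callback so that callers never hold it. The field name u_api_token, the helper names and the withDecryptedValue pattern are this example's assumptions.

```javascript
// Added example (not from the original post). ServiceNow server-side script (ES5 runtime).
// Assumes a table with a password2 field; 'u_api_token' and the helper names are placeholders.

// BEFORE (deprecated): encrypt with GlideEncrypter and keep the ciphertext in an ordinary string
// field. Kept here only for contrast; this is what "Deprecated API: GlideEncrypter" flags.
function legacyStoreSecret(gr, fieldName, plaintext) {
    var enc = new GlideEncrypter();
    gr.setValue(fieldName, enc.encrypt(plaintext));
    return gr.update();
}

// Guard shared by the read and write paths: setDisplayValue()/getDecryptedValue() only encrypt
// and decrypt on a password2 field, so fail loudly instead of silently storing plaintext.
function assertPassword2(gr, fieldName) {
    if (!gr.isValidField(fieldName))
        throw new Error('Field does not exist: ' + fieldName);
    var type = String(gr.getElement(fieldName).getED().getInternalType());
    if (type != 'password2')
        throw new Error(fieldName + ' is ' + type + ', expected password2');
}

// AFTER: let the platform encrypt. The plaintext goes in through the element's display value
// and is encrypted at rest when the record is written.
function storeSecret(gr, fieldName, plaintext) {
    assertPassword2(gr, fieldName);
    gr.getElement(fieldName).setDisplayValue(plaintext);
    return gr.update();
}

// Read pattern: the decrypted value is passed to `use` and only `use`'s result is returned, so
// the plaintext is not copied into the caller's variables, logs or fields by accident.
// Returns null when the field is empty.
function withDecryptedValue(gr, fieldName, use) {
    assertPassword2(gr, fieldName);
    var el = gr.getElement(fieldName);
    if (el.nil()) return null;
    var plaintext = String(el.getDecryptedValue());
    try {
        return use(plaintext);
    } finally {
        // JavaScript cannot zero a string; this just drops the reference. The real control is
        // never logging or persisting the value (no gs.info(plaintext), no string field).
        plaintext = null;
    }
}

// Example consumer: build an Authorization header without exposing the token to the caller.
function buildAuthHeader(gr, fieldName) {
    return withDecryptedValue(gr, fieldName, function (token) {
        return 'Bearer ' + token;
    });
}
```

Migrating a stored GlideEncrypter ciphertext means decrypting it once with the old API and writing it through storeSecret(); that one-time script is itself a GlideEncrypter usage and should be deleted after it runs.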

Cryptographic Module (KMF)

If you haven’t heard of the Key Management Framework (KMF), it is a plugin that is already activated and installed on your instance. It performs cryptographic operations and is another avenue for protecting sensitive information. Its algorithms and key handling follow NIST guidelines, which supports your organization’s compliance requirements. It is a framework in the true sense: algorithms and key lifecycles are defined in specifications rather than hard-coded in scripts, so the instance can adopt stronger algorithms over time as the ecosystem evolves.

The out-of-box cryptographic modules are read-only and have a reject access policy, which will require you to create a new cryptographic module to be leveraged with your scripts. But fear not, it will only take a few clicks to get this up and running. See below:

  1. Start by creating a new cryptographic module. The module name may contain only lowercase letters, numbers and underscores. Use the default crypto spec template, which carries the algorithms for the operation you want, symmetric data encryption in this case. Finally, set the default module access policy to “Track”, which allows callers while recording their access; the first article referenced above lists this as a mandatory setting.
  2. Next, create a crypto specification for the operation your organization needs. Here we encrypt values (decryption uses the same spec). Choose “Symmetric Data Encryption/Decryption” for the crypto purpose field; “AES 256 CBC” is selected by default. Keep in mind that CBC provides confidentiality only, not integrity: if tampering with stored ciphertext matters in your use case, pair it with a MAC or choose an authenticated algorithm where the spec offers one.
  3. A lifecycle definition is created for you, but update any settings your situation calls for (e.g., relative duration). Provide a key alias, generate the key (auto-generate is fine for a first setup), and you should be good to go!
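Once the module, spec and key exist, scripts reach them through the KMFCryptoOperation API in the sn_kmf_ns namespace. The block below is an added example, not from the original post or from ServiceNow's documentation; it assumes a module named app_secrets with a single Symmetric Data Encryption/Decryption spec, uses the operation's default input and output formats, and carries the module name rule from step 1 as a check. The module name, helper names and the self-check are this example's assumptions.

```javascript
// Added example (not from the original post or the ServiceNow docs): encrypt and decrypt through
// the cryptographic module created in steps 1-3. Assumes a module named 'app_secrets' with one
// Symmetric Data Encryption/Decryption spec; module and helper names are placeholders.
// Runs on ServiceNow's ES5 server runtime, where sn_kmf_ns.KMFCryptoOperation is available.

var KMF_MODULE = 'app_secrets';

// Step 1 constraint on module names: lowercase letters, digits and underscores only.
function isValidModuleName(name) {
    return /^[a-z0-9_]+$/.test(String(name));
}

// Builds and runs one KMF operation against the module. Errors are rethrown with the module and
// operation named, because a rejecting module access policy (see Noteworthy Observations) or a
// spec without a matching purpose otherwise surfaces as an opaque failure from doOperation().
function runKmf(operationName, input) {
    if (!isValidModuleName(KMF_MODULE))
        throw new Error('Invalid cryptographic module name: ' + KMF_MODULE);
    if (typeof sn_kmf_ns === 'undefined')
        throw new Error('KMFCryptoOperation is only available on a ServiceNow instance');
    try {
        var op = new sn_kmf_ns.KMFCryptoOperation(KMF_MODULE, operationName);
        return String(op.doOperation(input));
    } catch (e) {
        throw new Error(operationName + ' via module "' + KMF_MODULE +
            '" failed (check the module access policy and the spec purpose): ' + e);
    }
}

// Ciphertext comes back as an encoded string, so it can be kept in an ordinary string field.
function kmfEncrypt(plaintext) {
    return runKmf('SYMMETRIC_ENCRYPTION', plaintext);
}

// Decrypts a value produced by kmfEncrypt() with the same module's key.
function kmfDecrypt(ciphertext) {
    return runKmf('SYMMETRIC_DECRYPTION', ciphertext);
}

// Run once after creating the module: proves the access policy admits this script and that the
// spec's key decrypts what it encrypted, before any real data depends on it.
function kmfSelfCheck() {
    var probe = 'kmf-probe-' + new Date().getTime();
    return kmfDecrypt(kmfEncrypt(probe)) === probe;
}
```

The KMFCryptoOperation API also documents withInputFormat() and withOutputFormat() for callers whose data is not a plain string; the defaults above are sufficient for string secrets. Keep the probe value out of logs when you run kmfSelfCheck(); the boolean result is all that needs recording.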

Noteworthy Observations

  • As always, be sure to test any changes to any script to ensure the desired outcome is met.
  • Access to a cryptographic module is governed by its access policy. If a script is rejected, review the module access policy and its exceptions so that the calling script or scope is granted access.
  • Looking for more? There is an instance scan suite (among others) named “Deprecated APIs” that covers other deprecated APIs; each check includes background information that helps with upgrading custom scripts and processes.