The Encryption Key Management application lets you protect the data in your instance with encryption, tightly controlled key access, NIST 800-57-based key life-cycle management, and FIPS 140-2 Level 3 key protection. Encryption Key Management was enhanced and updated in the Vancouver release.

Encryption Key Management highlights for the Vancouver release

  • Use agent-to-agent credential sharing within Secrets Management, which provides granular management of access to your passwords.
  • Use the improved algorithms and record signing for Edge Encryption.
  • Use MySQL 8 as the order-preserving encryption and tokenization database for Edge Encryption.

See Encryption and Key Management for more information.

New in the Vancouver release

Agent-to-agent credential sharing
Use agent-to-agent credential sharing to reduce the administration required for client-accessible secrets (CAS) when you add new MID servers. Each MID server gets its own unique key pair and can now share CAS credentials with other MID servers.
Algorithm improvements for Edge Encryption
Use the updated Edge Encryption, which uses stronger encryption algorithms on non-FIPS instances. The stronger algorithms improve the protection of your configuration records and of the password fields in the edgeencryption.properties file.
Record signing improvements for Edge Encryption
Use the updated record signing feature of Edge Encryption, which lets you do the following:
  • Use elliptic curve key pairs to sign the configuration records.
  • Use an edge proxy to validate configuration record signatures against multiple keys.
  • Schedule jobs to re-sign the customer configuration records with a new key.
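The signing and key-rotation flow the three points above describe, as an added example that is not ServiceNow's code: it uses Go's standard-library ECDSA over P-256 to sign hypothetical configuration records, verifies them against a key ring that holds both the old and the new public key, and re-signs every record under the new key the way a scheduled job would. The ConfigRecord layout, the key IDs "key-2022" and "key-2023", and the payload strings are constructed for this example; the real record format is not part of it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ConfigRecord is a hypothetical signed configuration record. Payload stands
// for the canonical serialization of the protected fields (the real record
// format is not part of this example); KeyID names the key that signed it.
type ConfigRecord struct {
	Payload   string
	KeyID     string
	Signature []byte
}

// Sign signs the payload with a P-256 key and tags the record with the key ID.
func Sign(rec *ConfigRecord, keyID string, priv *ecdsa.PrivateKey) error {
	d := sha256.Sum256([]byte(rec.Payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return err
	}
	rec.KeyID, rec.Signature = keyID, sig
	return nil
}

// KeyRing holds every public key the verifier still trusts. Keeping the old
// key in the ring during a rotation lets records signed before it validate
// until the re-signing job has reached them.
type KeyRing map[string]*ecdsa.PublicKey

// Verify returns the ID of the ring key that validates the record, or "".
func (kr KeyRing) Verify(rec *ConfigRecord) string {
	d := sha256.Sum256([]byte(rec.Payload))
	for id, pub := range kr {
		if ecdsa.VerifyASN1(pub, d[:], rec.Signature) {
			return id
		}
	}
	return ""
}

// Resign is the scheduled re-signing step: records not yet signed by the
// current key are re-signed with it. A record that no longer verifies stops
// the job with an error; re-signing it would launder a tampered record.
func Resign(recs []*ConfigRecord, currentID string, priv *ecdsa.PrivateKey, ring KeyRing) (int, error) {
	n := 0
	for i, r := range recs {
		if ring.Verify(r) == "" {
			return n, fmt.Errorf("record %d fails verification; refusing to re-sign", i)
		}
		if r.KeyID == currentID {
			continue
		}
		if err := Sign(r, currentID, priv); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// RotationScenario walks one key rotation over constructed sample records and
// reports which key validated before re-signing, how many records were
// re-signed, which key validates once the old key is retired, and whether an
// edit made after signing is rejected.
func RotationScenario() (before string, resigned int, after string, tamperRejected bool, err error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample records, not real Edge Encryption configuration.
	recs := []*ConfigRecord{
		{Payload: "table=incident;field=description;type=standard"},
		{Payload: "table=sys_user;field=phone;type=order_preserving"},
	}
	for _, r := range recs {
		if err = Sign(r, "key-2022", oldKey); err != nil {
			return
		}
	}
	ring := KeyRing{"key-2022": &oldKey.PublicKey, "key-2023": &newKey.PublicKey}
	before = ring.Verify(recs[0])
	if resigned, err = Resign(recs, "key-2023", newKey, ring); err != nil {
		return
	}
	delete(ring, "key-2022") // every record now carries a current signature
	after = ring.Verify(recs[1])
	recs[1].Payload = "table=sys_user;field=phone;type=standard" // post-signing edit
	tamperRejected = ring.Verify(recs[1]) == ""
	return
}

func main() {
	fmt.Println(RotationScenario())
}
```

The ring is what makes the rotation safe: the proxy keeps trusting the retiring key only until the re-signing job has rewritten every record, and the job refuses to touch a record whose existing signature does not verify, so an edit made between signing and rotation cannot be blessed by the rotation itself.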
Edge Encryption supports MySQL 8
The order-preserving encryption and tokenization encryption patterns require you to configure an Oracle MySQL database for the Edge Encryption proxy server. MySQL 8 is now supported as the order-preserving and tokenization encryption database.
New field type support for Field Encryption Enterprise
Use the updated field encryption that now supports the phone and email field types.
Key Management Framework Map Visualization
If you're a key management framework (KMF) administrator or Crypto Manager, use map visualizations to evaluate the individual components that make up your module access policies. You can study the relationships between the policies and debug them if necessary, so that key access rights are properly administered.

Changed in this release

Deprecate GlideEncrypter usage of 3DES for password2 fields
Administrators can request that 3DES be deprecated, so that the instance uses the Advanced Encryption Standard (AES) exclusively to encrypt and decrypt Password2 data. This configuration change is required for NIST compliance and ensures that your passwords no longer rely on static-key encryption.

Deprecations

  • The following system properties have been deprecated and can’t be changed. These properties now default to the safe value that is listed in the following table. For a use case where the property has to be changed, contact customer support.

The GlideEncrypter API is planned for deprecation and will be unavailable starting in the X release. For information on alternatives to these APIs, see: Alternatives to deprecated GlideEncrypter APIs

Activation information

The ServiceNow Platform Encryption subscription bundle is a group commercial entitlement that includes Column Level Encryption Enterprise, Cloud Encryption, and Database Encryption.

Column Level Encryption Enterprise is the unlimited license of Column Level Encryption. The Column Level Encryption Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see Encryption and Key Management subscription bundle.