We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

MID Server to Instance - hints on how to achieve hybrid encryption of sensitive data

stevemac
Tera Guru

Retrieving sensitive data from a 3rd party system via a MID Server script file (PowerShell) that invokes an API call (Invoke-RestMethod).  Want to encrypt it before transmission to the instance and decrypt it there

 

appreciate if anyone can confirm if the following is possible and provide some insight on how to do it or alternatives to achieve the same (as have been failing)

 

ServiceNow version: Zurich

PowerShell version: 7

 

Powershell

  • generate AES Key and IV
  • encrypt sensitive data with AES
  • encrypt AES key with RSA (using public key)
  • return encrypted sensitive data, AES IV, encrypted AES Key to the instance

Instance (Flow Action)

  • decrypt the encrypted AES Key (with RSA Private key)
  • decrypt the sensitive data using the AES Key and IV

My approach has been

  • Instance: new Cryptographic module to handle asymmetrical decryption.  Cert with public key exported and placed on MID Server host
  • PowerShell script
    • is getting the data from the 3rd party system
    • is creating AES Key and IV and encrypting the sensitive data
    • is encrypting AES Key with RSA (RSAEncryptionPadding is OaepSHA256)
    • is base64 encoding the IV, encrypted key and encrypted data
    • results are stored in object and returned to the instance
  • Instance (Flow Action)
    • cannot decrypt the encrypted AES key
      • originally failed with invalid char (2f) as base64 encoding in powershell != KMFBase64
      • all other attempts failed with "ASYMMETRIC_DECRYPTION, Cause : Too much data for block: maximum 256 bytes"
    • I do not know how to call the KMF utilities to decrypt using AES as KMF module not present with key details

I will share the code once I have done more troubleshooting and cleaned it up, but hoping someone can chime in and confirm approach is valid / hints on how to do it. 

 

thanks,

 

Steve

 

1 REPLY 1

patelbhargavi07
Tera Contributor

Your approach is valid hybrid encryption for AES for data + RSA for the AES key, but the error "Too much data for block" usually means you're trying to RSA-decrypt the wrong data or data larger than the RSA key size allows.

A few things to verify like

  • Use the same RSA padding on both sides 

  • RSA should encrypt only the AES key, not the encrypted payload.

  • Ensure the AES key size (16/24/32 bytes) is within the RSA limit.

  • Verify Base64 encoding/decoding is consistent between PowerShell and ServiceNow.

If KMF doesn't expose the AES decryption APIs you need in Flow Designer, consider using ServiceNow Cryptographic Support APIs or Perform both AES encryption and decryption on the ID Server, sending only the required result to the instance if your security requirements allow it.

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.