Understanding client side Secrets Management

  • Release version: Australia
  • Updated: 12 March 2026
  • Reading time: 3 minutes
  • Learn how to use Secrets Management to manage access to secrets and groups.

    Terminology

    Client side secrets management is designed to provide a method for managing secrets without the use of proxies, and without giving ServiceNow access to your decrypted data. To understand this process, begin with the following encryption terms.

    | Term | Description |
    | --- | --- |
    | Symmetric encryption | Symmetric encryption uses a single key both to encrypt and to decrypt data. If data is encrypted with a symmetric key, that key is all that is needed to decrypt it. |
    | Symmetric key | The symmetric key encrypts a secret, turning your clear-text password into unreadable ciphertext. |
    | Asymmetric encryption | Asymmetric encryption uses two keys, one to encrypt and the other to decrypt. |
    | Public key | The public key is one half of the asymmetric key pair. It is stored on your instance, which uses it to encrypt a symmetric key. The encrypted symmetric key can only be decrypted with the paired private key. |
    | Private key | The private key is the other half of the asymmetric key pair. It is stored in a keystore on your MID Server; ServiceNow has no access to this key. Combined with the public key, the asymmetric key pair is used to decrypt your secrets. |

    Client side encryption process

    A symmetric key encrypts a credential (in this case, an admin password), changing it from readable cleartext into encrypted ciphertext.
    [Figure: Symmetric key encryption]
    The symmetric key (shown in green) can be applied to the credential to encrypt or decrypt it.
    [Figure: Credential encrypted with symmetric key encryption]
    At this point, asymmetric encryption begins, using the public (yellow) and private (blue) keys.
    [Figure: Public and private keys]
    The public key encrypts the credential along with the symmetric key. The symmetric key is now protected, so it can’t be used to decrypt the credential. Although the public key can perform this encryption, it can’t be used on its own to decrypt.
    [Figure: Public key used to encrypt the symmetric key]
    After encryption with the public key, the private key is needed to decrypt the credential. Because the customer alone holds this key, they are the only ones who can access the encrypted credential.
    [Figure: Public key used to encrypt the symmetric key]
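    The sequence above (a symmetric key seals the credential, the public key wraps that symmetric key, and only the private key on the MID Server can unwrap it), worked through as an added Go example that is not ServiceNow's own code. The choice of AES-256-GCM and RSA-OAEP, the 2048-bit key size, and the Envelope/NewKeyPair names are assumptions for the illustration, not the product's actual algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the instance stores: the sealed credential plus the wrapped symmetric key.
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// NewKeyPair stands in for the key pair whose private half lives in the MID Server keystore.
func NewKeyPair() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// Encrypt (instance side): a fresh symmetric key seals the credential; the public key alone wraps that key.
func Encrypt(pub *rsa.PublicKey, credential []byte) Envelope {
	symKey := make([]byte, 32)
	rand.Read(symKey) // crypto/rand.Read cannot fail on supported platforms
	block, _ := aes.NewCipher(symKey) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil) // 32 bytes fit in a 2048-bit OAEP block
	return Envelope{nonce, gcm.Seal(nil, nonce, credential, nil), wrapped}
}

// Decrypt (MID Server side): the private key unwraps the symmetric key, which then opens the credential.
func Decrypt(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap symmetric key (wrong or missing private key): %w", err)
	}
	block, _ := aes.NewCipher(symKey) // OAEP succeeded, so this is the original 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv := NewKeyPair()
	env := Encrypt(&priv.PublicKey, []byte("constructed-admin-password")) // constructed sample credential
	plain, err := Decrypt(priv, env)
	fmt.Println(string(plain), err)
}
```

Holding the public key and the stored envelope is not enough to recover the credential; a second, unrelated private key fails at the unwrap step, which is the property the text describes.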