About client-side Secrets Management

  • Release version: Zurich
  • Updated May 1, 2026
  • 1 minute to read
  • Learn how to use Secrets Management to manage access to secrets and groups.

    Terminology

    Client-side secrets management is designed to provide a method for managing secrets without the use of proxies, and without giving ServiceNow access to your decrypted data. To understand this process, begin with the following encryption terms.

    Term Description
    Symmetric encryption: Symmetric encryption uses a single key both to encrypt and to decrypt data. If data is encrypted with a symmetric key, that key is all that is needed to decrypt it.
    Symmetric key: The symmetric key encrypts a secret, turning your cleartext password into unreadable ciphertext.
    Asymmetric encryption: Asymmetric encryption uses two keys, one to encrypt and the other to decrypt.
    Public key: The public key is one half of the asymmetric key pair. This key is stored on your instance, which uses it to encrypt a symmetric key. The encrypted symmetric key can only be decrypted with the matching private key.
    Private key: The private key is the other half of the asymmetric key pair. This key is stored in a keystore on your MID Server; ServiceNow has no access to it. Combined with the public key, the asymmetric key pair is used to decrypt your secrets.

    Client-side encryption process

    1. A symmetric key encrypts a credential (in this case, an admin password), changing it from readable cleartext into encrypted ciphertext.
       [Figure: Symmetric key encrypts credential]
    2. The symmetric key (represented in green) can be applied to the credential either to encrypt or to decrypt it.
       [Figure: Symmetric key can be applied to credential for encryption or decryption]
    3. At this point, asymmetric encryption begins, using a public key (green) and a private key (blue).
       [Figure: Asymmetric encryption begins using keys]
    4. The public key encrypts the credential along with the symmetric key. The symmetric key is now protected, so it can't be used to decrypt the credential. Although the public key can perform this encryption, it can't be used alone to decrypt.
       [Figure: Public key encrypts the credential with the symmetric key]
    5. Once the credential has been encrypted with the public key, the private key is needed to decrypt it. Since the customer alone has this key, they're the only ones who can access the encrypted credential.
       [Figure: The credential is now encrypted with the public key, which needs the private key to decrypt]