TL;DR: I built a working PGP encryption flow for HR payroll case attachments in ServiceNow. Drop a file onto sn_hr_core_case_payroll, and within a minute the record auto-generates an encrypted .pgp copy - using a simple "queue + retry" pattern and a lightweight, self-hosted OpenPGP encryption service.

The POC version also includes a Classic UI page to test encryption/decryption with OpenPGP.js (browser-based, WebCrypto required). In production, only the customer public key is used in ServiceNow and the customer decrypts with their private key outside the platform. OpenPGP encryption is hybrid (session key + public key wrapping), which is why it’s practical for files.

What you'll get in this post: architecture diagrams, pitfalls I hit (Jelly + template literals, attachment file-type restrictions), and copy/paste patterns for Business Rule + Scheduled Job + Script Include. ServiceNow’s Attachment API behavior and limits are also covered.