How to: Set Up GPG Encryption for Files

Overview

GPG (GNU Privacy Guard) encryption helps make the SFTP (secure file transfer protocol) process more secure. In this article, you'll learn how to GPG encrypt files. First, you'll see how to set up an Encryption (GPG) service. Then, you'll learn how to use the internal Unqork service called GPG Encrypt a File. Finally, you'll use the internal Unqork service in a Plug-In component to encrypt a file using the details provided in your Encryption (GPG) service.

What You'll Learn

In this how-to guide, you’ll learn how to set up the GPG Encryption service and build a module to send encrypted files.

What You Need

For the module, you need:

  • 1 Initializer component

  • 1 Hidden component

  • 1 Plug-In component

  • 1 File Storage component

These instructions assume you have an open module saved with a title.

Preconfiguration

Before configuring the module, set up the encryption service to connect with the party receiving and decrypting the files.

Set Up the Encryption (GPG) Service

First, you need to set up an Encryption (GPG) service in Services Administration.

You'll need to get the public key from the party that's receiving and decrypting the files. They'll have set up the public/private GPG keypair.

1. At the top right of the Unqork Designer Platform, click Settings.
2. From the Settings drop-down, select Administration.
3. Under Integration, select Services Administration.
4. In the Service Title field, enter a title for your service. For example, GPG Encryption.
5. In the Service Name field, enter a name for your service. For example, GPG-encryption.

The Service Name is final once created. You can update the Service Title anytime.

6. From the Type of Authentication drop-down, select Encryption (GPG).
7. In the GPG Public Key (Armored) field, enter the public key.

The public key must be provided by the service with which you’re integrating. A sample key is not available.

8. Click Add Service.

After enabling the GPG Encryption service, return to the Module Builder.
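
Before pasting a key into the GPG Public Key (Armored) field, it helps to confirm that the block really is a public key, that it arrived intact, and that its fingerprint matches the one the receiving party gives you over a separate channel. The Python sketch below is an added example, not Unqork code; the function names and the sample key (placeholder bytes, not a usable key) are constructed for illustration, and it handles v4 keys only.

```python
import base64
import hashlib

def crc24(data: bytes) -> int:
    """CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Build an armored block; used only to construct the sample input."""
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\n\n{base64.b64encode(data).decode()}\n"
            f"={crc}\n-----END PGP {kind}-----\n")

def check_public_key(text: str) -> str:
    """Validate an armored public key and return its v4 fingerprint (hex)."""
    lines = [ln.strip() for ln in text.strip().splitlines()] or [""]
    if "PRIVATE KEY" in lines[0]:
        raise ValueError("private key block: never paste this into a service")
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or "" not in lines:
        raise ValueError("not an armored PGP public key block")
    payload = lines[lines.index("") + 1:-1]  # skip armor headers and END line
    crc_line = payload.pop() if payload and payload[-1].startswith("=") else None
    data = base64.b64decode("".join(payload), validate=True)
    if crc_line and base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch: key was altered or truncated")
    if len(data) < 3 or not data[0] & 0x80:
        raise ValueError("no OpenPGP packet found")
    if data[0] & 0x40:  # new-format header, one- or two-octet length
        tag, n = data[0] & 0x3F, data[1]
        length, off = (n, 2) if n < 192 else (((n - 192) << 8) + data[2] + 192, 3)
    else:               # old-format header, length field of 1, 2 or 4 octets
        tag, n = (data[0] >> 2) & 0x0F, 1 << (data[0] & 3)
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("first packet is not a complete v4 public key")
    # v4 fingerprint: SHA-1 over 0x99, two-byte length, packet body (RFC 4880, 12.2).
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

# Constructed sample: old-format tag-6 packet holding placeholder key material.
SAMPLE_BODY = b"\x04" + (0x5F000000).to_bytes(4, "big") + b"\x01" + bytes(range(64))
SAMPLE = armor(bytes([0x99]) + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY)
```

Compare the returned fingerprint with the one the receiving party publishes or reads to you; a mismatch means the key in hand is not theirs.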

Turn on Server-Side Execute Only

It's best practice to enable the Server Side Execution Only toggle for modules making API calls.

This step is optional but helps secure modules that deal with sensitive data or logic.

1. On the Module Builder header, click the ellipsis (...) button. A modal displays.
2. Click Settings. The Settings menu displays.
3. Set the Server Side Execution Only toggle to ON.

4. Click Save.

Configure the Encryption Module

Now you're ready to set up the module that will encrypt your file, then send it via SFTP.

Files encrypted using the Encryption (GPG) internal service must be in binary form, not Base64. If using a Plug-In component to get your file to encrypt, be sure to set the Expect Binary Response toggle to ON.

Here's how the final configuration looks in the Module Builder:

Configure the Hidden Component

This Hidden component stores the file that you want to encrypt.

This configuration doesn't include steps for passing a value to this Hidden component. When applying these steps to your use case, remember to pass the file you want to encrypt into this Hidden component.

1. Drag and drop a Hidden component onto your canvas.
2. In the Property ID and Canvas Label Text fields, enter fileToEncrypt.
3. Click Save.

Configure the Initializer Component

Here, you'll set up an Initializer to trigger the Plug-In component you'll create next.

If your module already has a component that can trigger the Plug-In, you can skip this step. For example, if you're using a Plug-In to retrieve the file you want to encrypt, you can use the Plug-In's Post Trigger field to trigger the pluginEncrypt Plug-In.

1. Drag and drop an Initializer component onto your canvas.
2. In the Property ID and Canvas Label Text fields, enter initPluginEncrypt.
3. From the Trigger Type options, select New Submission.
4. Complete the Outputs table as follows:

   Property ID      Type       Value
   pluginEncrypt    trigger    GO


5. Click Save.

Configure the Plug-In Component

This Plug-In runs the GPG Encrypt a File API call. Your Inputs table needs to reference 2 values:

  • The Property ID of the component storing the file you want to encrypt. In this case, it's the fileToEncrypt Hidden component. This value maps to the file parameter.

  • The Service Name of your Encryption (GPG) service. This value maps to the serviceName parameter.

To configure the Plug-In component:

1. Drag and drop a Plug-In component onto the canvas.
2. In the Property ID and Canvas Label Text fields, enter pluginEncrypt.
3. From the Internal Services drop-down, select GPG Encrypt a File.
4. Set the Make a Multipart API call toggle to ON.
5. In the Alternative Multipart Sub-Type (Services) field, enter form-data.
6. Complete the Inputs table as follows:

   Property ID         Mapping
   fileToEncrypt       file
   'GPG-encryption'    serviceName

7. Under the Actions tab, in the Post Trigger field, enter fsSendEncrypted.

This is the Property ID of the File Storage component you'll set up next.

Be sure to use the Service Name appropriate to your use case.

Always add single quotes around values in the Property ID column that aren't actually Property IDs in the module. For example, fileToEncrypt references the Hidden component in your module, so it doesn't need single quotes. GPG-encryption, though, is not a Property ID in the module. So, it needs single quotes.

8. Click the Advanced Settings tab.
9. Set the Expect Binary Response toggle to ON.

10. Click Save.

Configure the File Storage Component

Finally, let's send the encrypted file using a File Storage component.

1. Drag and drop a File Storage component onto the canvas.
2. In the Property Name and Canvas Label Text fields, enter fsSendEncrypted.
3. Select PUT as the Method.
4. Complete the Outbound table as follows:

   Get From       Property ID               Watch    Required
   Path           '/myfolder/myfile.pgp'             Yes (checked)
   File Object    pluginEncrypt.file                 Yes (checked)

'/myfolder/myfile.pgp' is a placeholder value. Be sure to update it with the actual file path on the file server.

5. Click Save.

Now the GPG encryption is ready to encrypt files in Unqork.

Best Practices

  • For most occasions, use the SFTP File Storage Type. The FTP (File Transfer Protocol) File Storage Type is only for legacy systems that do not support SFTP.

  • Enable “Server-side Execution Only” for services used by the File Storage component.
