How to: Set Up GPG Encryption for Files


GPG (GNU Privacy Guard) provides an additional layer of security for files transferred using SFTP (Secure File Transfer Protocol). By using GPG encryption, you ensure that sensitive data remains encrypted while at rest on the SFTP server, meaning it's only accessible to parties using the corresponding private key.

Setting up GPG encryption in Unqork involves a three-step process:

  1. Configure an Encryption (GPG) Service: Create a GPG Encryption service in Services Administration.

  2. Enable Server-Side Execute: Set up a module to execute its data server-side.

  3. Execute via Plug-In: Use a Plug-in component to encrypt specific files using the parameters defined in your GPG service.

Discover how to decrypt files in our How to: Set Up GPG Decryption for Files article.

Preconfiguration

Before configuring the module, set up the encryption service to connect with the party receiving and decrypting the files.

Set Up the Encryption (GPG) Service

First, set up an Encryption (GPG) service in Services Administration.

You must have the public key from the party that's receiving and decrypting the files. They'll have to set up the public/private GPG keypair.

  1. At the top right of the Unqork Designer Platform, click Administration.

  2. Under Integration, select Services Administration.

  3. Click + Add a Service.

  4. In the Service Title* field, enter a title for your service. For example, GPG Encryption.

  5. In the Service Name* field, enter a name for your service. For example, GPG-encryption.

    The Service Name value is final once created. You can update the Service Title value anytime.

  6. In the Service protocol + host* field, enter a temporary value. You’ll delete this value in a later step.

  7. Click Next.

  8. In the Share To* field, specify which workspaces to make this service available.

  9. Click Create. The Service page displays.

  10. From the menu to the left, select Service-Type.

  11. From the Service Type drop-down, select Encryption.

  12. In the Service Protocol + Host field, delete the temporary value.

  13. Set the Authentication Method to Encryption (GPG).

  14. In the GPG Public Key (Armored) field, enter the public key.

    The public key must be provided by the service you’re integrating with. A sample key is not available.


  15. Click Save Changes.

After enabling the GPG Encryption service, return to the Module Builder.
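Before pasting a block into the GPG Public Key (Armored) field, it helps to confirm that it really is an intact armored public key and not a private key or a block truncated in transit. The following is an added example, not Unqork code: the function names check_armored_public_key and armor and the SAMPLE value are hypothetical, and the sample is a constructed stub rather than a real key.

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw packet bytes in public-key armor; used only to build the sample."""
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{base64.b64encode(packets).decode()}\n={crc}\n{END}\n"


def check_armored_public_key(text: str) -> str:
    """Return 'ok', or the reason the block should not go into the key field."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if "PRIVATE KEY BLOCK" in first:
        return "private key block: the sender must never receive this"
    if first != BEGIN or lines[-1] != END or "" not in lines:
        return "not a complete armored public key block"
    body = lines[lines.index("") + 1:-1]
    crc_line = body.pop() if body and len(body[-1]) == 5 and body[-1][0] == "=" else None
    try:
        data = base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "body is not valid Base64"
    if crc_line and base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        return "CRC-24 mismatch: block was truncated or altered"
    # Packet tag 6 = Public-Key packet, in old or new header format (RFC 4880, 4.2).
    head = data[0] if data else 0
    tag = head & 0x3F if head & 0x40 else (head >> 2) & 0x0F
    if not head & 0x80 or tag != 6:
        return "first packet is not a public key packet"
    return "ok"


SAMPLE = armor(bytes([0x99, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00]))  # constructed stub, not a usable key
```

This is a structural check only. It does not replace confirming the key's fingerprint with the party that will decrypt the files.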

Configure the GPG Module

Learn how to set up the GPG module by selecting the tab that corresponds to your Unqork Designer experience:

Enable Server-Side Execution Only

For security purposes, modules calling a GPG service must execute server-side only. While API modules always execute server-side, your requirements might use a Front-End or Other module type to contain the Plug-In component that calls the GPG service.

From the Module Builder page:

  1. Click the ellipsis button.

  2. Click Module Settings. The Settings modal displays.

  3. Click Module Settings.

  4. Set the Server Side Execution Only toggle to ON.

  5. Click Save & Close.

Configure the Encryption Module

Set up the module that will encrypt the file, then send it using SFTP.

Files encrypted using the Encryption (GPG) internal service must be in binary form, not Base64. If using a Plug-In component to retrieve your file to encrypt, ensure you set Expect Binary Response to ON.

Configure the fileToEncrypt Hidden Component

Configure a Hidden component to store the file that you want to encrypt. This configuration does not include steps for passing a value to this Hidden component. When applying these steps to your use case, remember to pass the file you want to encrypt into this Hidden component.

  1. Drag and drop a Hidden component onto your canvas.

  2. In the Property ID and Label Text fields, enter fileToEncrypt.

  3. Click Save Component.

Configure the initPluginEncrypt Initializer Component

Next, set up an Initializer component to trigger the Plug-In component you'll create next.

If your module already has a component that can trigger the Plug-In component, skip this step. For example, if you're using a Plug-In component to retrieve the file you want to encrypt, you can use the Plug-In component's Post Trigger field to trigger the pluginEncrypt Plug-In component.

  1. Drag and drop an Initializer component onto your canvas, placing it below your Hidden component.

  2. In the Property ID and Canvas Label Text fields, enter initPluginEncrypt.

  3. From the Trigger Type drop-down, select New Submission.

  4. In the Outputs table, enter the following:

    #   Property ID      Type      Value
    1   pluginEncrypt    trigger   GO

  5. Click Save Component.

Configure the pluginEncrypt Plug-In Component

Configure a Plug-In component to make the GPG Encrypt a File API call. The Plug-In component’s Inputs table needs to reference two values:

  • The Property ID of the component storing the file you want to encrypt. In this case, it's the fileToEncrypt Hidden component. This value maps to the file parameter.

  • The Service Name of your Encryption (GPG) service. This value maps to the {{serviceName}} parameter.

To configure the Plug-In component:

  1. Drag and drop a Plug-In component onto the canvas, placing it below the initPluginEncrypt Initializer component.

  2. In the Property ID and Canvas Label Text fields, enter pluginEncrypt.

  3. From the Internal Services drop-down, select GPG Encrypt a File.

  4. Set Make a Multipart API Call to ON.

  5. In the Alternative Multipart Sub-Type (Services) field, enter form-data.


  6. In the Inputs table, enter the following:

    #   Property ID         Mapping
    1   fileToEncrypt       file
    2   'GPG-encryption'    {{serviceName}}

    Replace {{serviceName}} with the Service Name you created in the Set Up the Encryption (GPG) Service steps.

  7. Navigate to the Actions settings.

  8. In the Post Trigger field, enter fsSendEncrypted.

    This is the Property ID of the File Storage component you'll set up next.

    Always add single quotes around values in the Property ID column that aren't actually Property IDs in the module. For example, fileToEncrypt references the Hidden component in your module, so it doesn't need single quotes. GPG-encryption, though, is not a Property ID in the module. So, it needs single quotes.

  9. Navigate to the Advanced settings.

  10. Set Expect Binary Response to ON.

  11. Click Save Component.

Configure the fsSendEncrypted File Storage Component

Lastly, send the encrypted file using a File Storage component.

  1. Drag and drop a File Storage component onto the canvas, placing it below the pluginEncrypt Plug-In component.

  2. In the Property ID and Canvas Label Text fields, enter fsSendEncrypted.

  3. From the Method drop-down, select PUT.

  4. Under Path, in the Property ID field, enter {{'/myfolder/myfile.pgp'}}.

    Replace {{'/myfolder/myfile.pgp'}} with the file path on the file server. Now the GPG encryption is ready to encrypt files in Unqork.

  5. Under File Object, in the Property ID field, enter pluginEncrypt.file.

  6. Click Save Component.

  7. Save your module.

Here's how the final configuration looks in the Module Builder:

[Screenshot: components for GPG encryption, including file and plugin encryption options.]

Enable Server-Side Execution Only

For security purposes, modules calling a GPG service must execute server-side only. While API modules always execute server-side, your requirements might use a Front-End or Other module type to contain the Plug-In component that calls the GPG service.

From the Module Builder page:

  1. On the Module Builder header, click the ellipsis button.

  2. Click Settings. The Settings modal displays.

  3. Navigate to the Module Settings tab.

  4. Set Server Side Execution Only to ON.

  5. Click Save.

Configure the Encryption Module

Set up the module that will encrypt the file, then send it using SFTP.

Files encrypted using the Encryption (GPG) internal service must be in binary form, not Base64. If using a Plug-In component to retrieve your file to encrypt, ensure you set Expect Binary Response to ON.

Configure the Hidden Component

Configure a Hidden component to store the file that you want to encrypt. This configuration does not include steps for passing a value to this Hidden component. When applying these steps to your use case, remember to pass the file you want to encrypt into this Hidden component.

  1. Drag and drop a Hidden component onto your canvas.

  2. In the Property ID and Label Text fields, enter fileToEncrypt.

  3. Click Save & Close.

Configure the initPluginEncrypt Initializer Component

Next, set up an Initializer component to trigger the Plug-In component you'll create next.

If your module already has a component that can trigger the Plug-In component, skip this step. For example, if you're using a Plug-In component to retrieve the file you want to encrypt, you can use the Plug-In component's Post Trigger field to trigger the pluginEncrypt Plug-In component.

  1. Drag and drop an Initializer component onto your canvas, placing it below your Hidden component.

  2. In the Property ID and Label Text fields, enter initPluginEncrypt.

  3. Navigate to the Actions section.

  4. From the Trigger Type drop-down, select New Submission.

  5. In the Outputs table, enter the following:

    Property ID      Type      Value
    pluginEncrypt    trigger   GO

  6. Click Save & Close.

Configure the pluginEncrypt Plug-In Component

Configure a Plug-In component to make the GPG Encrypt a File API call. The Plug-In component’s Inputs table needs to reference two values:

  • The Property ID of the component storing the file you want to encrypt. In this case, it's the fileToEncrypt Hidden component. This value maps to the file parameter.

  • The Service Name of your Encryption (GPG) service. This value maps to the {{serviceName}} parameter.

To configure the Plug-In component:

  1. Drag and drop a Plug-In component onto the canvas, placing it below the initPluginEncrypt Initializer component.

  2. In the Property ID and Canvas Label Text fields, enter pluginEncrypt.

  3. From the Internal Services drop-down, select GPG Encrypt a File.

  4. Set Make a Multipart API Call to ON.

  5. In the Alternative Multipart Sub-Type (Services) field, enter form-data.

  6. In the Inputs table, enter the following:

    Property ID         Mapping
    fileToEncrypt       file
    'GPG-encryption'    {{serviceName}}

  7. In the Post Trigger field, enter fsSendEncrypted.

    This is the Property ID of the File Storage component you'll set up next.

    Always add single quotes around values in the Property ID column that are not actually Property IDs in the module. For example, fileToEncrypt references the Hidden component in your module, so it doesn't need single quotes. GPG-encryption, though, is not a Property ID in the module. So, it needs single quotes.

  8. Click the Advanced Settings tab.

  9. Set Expect Binary Response to ON.

  10. Click Save.

Configure the fsSendEncrypted File Storage Component

Lastly, send the encrypted file using a File Storage component.

  1. Drag and drop a File Storage component onto the canvas, placing it below the pluginEncrypt Plug-In component.

  2. In the Property ID and Canvas Label Text fields, enter fsSendEncrypted.

  3. Set the Method as PUT.

  4. In the Inputs table, enter the following:

    Get From       Property ID               Watch          Required
    Path           '/myfolder/myfile.pgp'    (unchecked)    (checked)
    File Object    pluginEncrypt.file        (unchecked)    (checked)

    '/myfolder/myfile.pgp' is a placeholder value. Be sure to update it with the actual file path on the file server.


  5. Click Save & Close.

  6. Save your module.

Now the GPG encryption is ready to encrypt files in Unqork.

Here's how the final configuration looks in the Module Builder:

[Screenshot: GPG Encryption settings with various plugin options and file encryption fields.]

Best Practices

  • For most occasions, use the SFTP File Storage Type. FTP (File Transfer Protocol) is only for legacy systems that do not support SFTP.

  • Enable Server-Side Execution Only for services used by the File Storage component.

Discover how to decrypt files in our How To: Set Up GPG Decryption for Files article.