How to encrypt and decrypt files using GPG

Dear all,

When you push files for processing, your data travels and is stored in the form of files. But what if that data is sensitive? How do you protect it from unauthorized access? One way is to encrypt the files with GPG. In this blog I'll explain what GPG is and how you can use it to encrypt and decrypt files before sending them to the SAP Commissions sFTP dropbox for processing.

What are GPG keys?

GPG stands for GNU Privacy Guard. It is built on the concept of asymmetric encryption. Let's see how asymmetric encryption works and how it differs from the symmetric encryption we generally use.

In symmetric encryption there is a single key, generally known as a password, which is used both to encrypt and to decrypt the file. The problem is how to share that same password with the sender/receiver over the network. Asymmetric encryption solves this problem. Let's see how.

In asymmetric encryption there is a pair of keys, one public and one private. The owner shares the public key with anyone who wants to send them files in encrypted form. The encrypted file is then sent to the owner, and only the corresponding private key can decrypt it.

GPG Use Cases

  • Encryption: Used to encrypt files, so that you can send content to someone without anyone in the middle being able to read it.
  • Signing commits: Helpful for proving your identity. For example, you can use your GPG key to sign your commits on GitHub, to verify that you are the one who actually made them.
  • Encrypting passwords: Very helpful if you use a command-line password manager such as pass. It uses your GPG keys to encrypt all the secrets you store in that password manager.

Install GPG

For Windows

https://gnupg.org/download/index.html

For Ubuntu/any Debian based distributions

sudo apt install gnupg

For CentOS/ RHEL based distributions

sudo yum install gnupg

Verify Installation

gpg --version

List all GPG public keys

gpg --list-keys

List all GPG private key pairs

gpg --list-secret-keys

Export Public Key in ASCII Format

## Output to STDOUT
gpg --armor --export <email-Id>
## Output to a file
gpg --armor --export --output <file.txt> <email-Id>

Encrypt a file for a specific user using GPG (Using Asymmetric Encryption)

gpg --encrypt --recipient <recipient-user-email> <file-name>

Encrypt a file using GPG (Uses Symmetric Encryption)

gpg --symmetric <file-name> ## It will prompt for a password

Decrypt that encrypted file (For Both, Symmetric and Asymmetric Encryption)

gpg --decrypt <encrypted-file>

Let's Understand the SAP Commissions Customer & Support Process for Setup

Customers can compress their data using gzip and submit it to the dropbox to save bandwidth. Customers can also encrypt their data once GPG is installed as described above; in that case the filename will end with .gpg. (Officially, the support team considers only the gpg format.)

Note: GNU's implementation of GPG compresses the file automatically by default, so there is no need to gzip a file before encrypting it.
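As an added example (not from this blog and not SAP tooling), the POSIX shell helper below classifies a file by its leading bytes before it is uploaded to the dropbox, so that a gzip file that was never encrypted, or a plain file simply renamed to .gpg, is caught on the customer side. It reads the first OpenPGP packet header as laid out in RFC 4880 to tell gpg --encrypt output (tag 1) from gpg --symmetric output (tag 3); the function names and the accept/reject rules are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the blog or of SAP tooling: classify a file by its
# leading bytes and check that its suffix matches before uploading to the dropbox.
# Prints asymmetric | symmetric | armored | gzip | plain; returns 1 on a mismatch.

# Print the tag of the first OpenPGP packet (RFC 4880 header byte), or fail
# when bit 7 of the first byte is clear, i.e. it cannot be an OpenPGP header.
first_packet_tag() {
    b=$(od -An -N1 -tu1 "$1" | tr -d ' \n')
    [ -n "$b" ] && [ "$b" -ge 128 ] || return 1
    if [ $((b & 64)) -ne 0 ]; then echo $((b & 63))      # new-format header
    else echo $(((b >> 2) & 15)); fi                      # old-format header
}

classify_payload() {
    magic=$(od -An -N2 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b) echo gzip; return 0 ;;                      # gzip magic number
        2d2d) head -n1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----' \
                  && { echo armored; return 0; } ;;       # gpg --armor output
    esac
    tag=$(first_packet_tag "$1") || { echo plain; return 0; }
    case "$tag" in
        1) echo asymmetric ;;   # Public-Key Encrypted Session Key: gpg --encrypt -r
        3) echo symmetric ;;    # Symmetric-Key Encrypted Session Key: gpg --symmetric
        *) echo "openpgp-tag-$tag" ;;  # e.g. signed-only (4) or compressed-only (8)
    esac
}

# Reject when the suffix promises something the content does not deliver.
check_dropbox_file() {
    f=$1
    [ -s "$f" ] || { echo "reject: $f is missing or empty"; return 1; }
    kind=$(classify_payload "$f")
    case "$f" in
        *.gpg) case "$kind" in
                   asymmetric|symmetric|armored) ;;
                   *) echo "reject: $f ends in .gpg but content is $kind"; return 1 ;;
               esac ;;
        *.gz)  [ "$kind" = gzip ] ||
                   { echo "reject: $f ends in .gz but content is $kind"; return 1; } ;;
        *)     [ "$kind" = plain ] ||
                   { echo "reject: $f is $kind data and needs a .gpg or .gz suffix"; return 1; } ;;
    esac
    echo "$kind"
}

# Usage: sh check_dropbox.sh file1.gpg file2.gz ...
for f in "$@"; do check_dropbox_file "$f" || :; done
```

An ASCII-armored message is reported as "armored" without distinguishing the key type, since that would require base64-decoding the body.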

Inbound & Outbound File Encryption/Decryption

If a customer sends an encrypted (inbound) .gpg file, the customer needs the encryption public key from the SAP Commissions Technical Support team (formerly called Callidus). Customers have to open a case to request the Callidus public encryption key for inbound files.

For outbound files sent to the customer by Callidus, the customer needs to provide their public key to Callidus for encryption.

The SAP Commissions Support team will check whether your tenant is configured with a list of keys.
To find the list of keys on the app server, use the following command:

gpg --list-keys


The dropbox is an SFTP site. It is used by the customer to upload files for processing by ODI/CDL.

Authentication for the dropbox is always by private key. Customers submit their public key in a support ticket to get access.

  • manual – This is the folder customers most commonly use to upload files to the dropbox. It automatically generates audit files (more on this later) for each file.
  • inbound – This directory is like the manual directory, but requires customers to drop their audit files along with their data files.
  • outbound – Some customers have custom data extracts. The extracts are available for pickup from the outbound directory.
  • badfiles – Any file that produces an ODI/CDL-ERROR email will be found here.

This process applies to customers on both Oracle and HANA.
Oracle uses ODI and HANA uses CDL to process files.

Encryption/Decryption Process Flow