Cloud Integration – How to use PGP Keys Monitor

The SAP Cloud Integration PGP Keys Monitor enables you to manage PGP keyrings (secring, pubring). The first version of the PGP Keys Monitor was made available with the 2022-04-09 update.

With previous SAP Cloud Integration releases, the PGP Secret Keyring and PGP Public Keyring were managed in the Cloud Integration Monitor section under Manage Security using the Security Material tile. Here, you had the option to upload, download, and delete secret and public keyrings.
SAP Cloud Integration manages only a single secret and a single public keyring which include the corresponding secret and public keys.

PGP Public Keyring (pubring): This artifact contains the public keys that enable the tenant to encrypt or verify messages using the Pretty Good Privacy (PGP) standard.

PGP Secret Keyring (secring): This artifact contains the PGP secret keys (also referred to as private keys) for the usage of Open Pretty Good Privacy (PGP). The private key enables the tenant to decrypt or sign messages.

Please see SAP Help – How OpenPGP Works.

Now, a new PGP Keys Monitor is available on your SAP Cloud Integration tenant. To access it, go to the Monitor section and, under Manage Security, select the PGP Keys tile.

Overview PGP Keys

The PGP Keys monitor allows you to manage the public and private PGP keys.


A list of public and secret PGP keys is displayed in a table. For each artifact, the following attributes are displayed:

| Attribute | Description |
|---|---|
| User ID | States the User ID of this PGP key. |
| Type | Indicates whether the entry is a public PGP or a secret PGP key. |
| Key ID | States the key ID. |
| Validity State | Indicates the validity state. The following states are possible: Valid (the PGP key is valid), Critical (the PGP key expires within the next 14 days), Expired (the PGP key is no longer valid). |
| Valid Until | Indicates the expiration date. |
| Modified On | Indicates the date and time the entry was last modified. |
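
To check a keyring's expiry dates locally before uploading it, the following added example (not SAP code and not part of the original post) parses GnuPG's colon-delimited key listing and applies the same three validity states. The sample listing is constructed; treating keys without an expiry date as Valid and counting a key that expires in exactly 14 days as Critical are assumptions.

```python
from datetime import datetime, timedelta, timezone

CRITICAL_WINDOW = timedelta(days=14)  # "Critical" threshold from the table above

# Constructed sample (not real keys) in the colon format printed by
# `gpg --show-keys --with-colons <keyring file>`.
SAMPLE = """\
pub:-:3072:1:AAAAAAAAAAAAAAA1:1640995200:1672531200::-:::scESC:
uid:-::::1640995200::0000000000000000000000000000000000000001::Partner A <a@example.com>:
pub:-:3072:1:AAAAAAAAAAAAAAA2:1640995200:1650326400::-:::scESC:
uid:-::::1640995200::0000000000000000000000000000000000000002::Partner B <b@example.com>:
pub:e:3072:1:AAAAAAAAAAAAAAA3:1609459200:1646092800::-:::sc:
uid:e::::1609459200::0000000000000000000000000000000000000003::Partner C <c@example.com>:
sec:-:3072:1:AAAAAAAAAAAAAAA4:1640995200:::-:::scESC:
uid:-::::1640995200::0000000000000000000000000000000000000004::Tenant <tenant@example.com>:
"""


def validity_state(expires, now):
    """Map an expiry time (or None) to Valid / Critical / Expired."""
    if expires is None:
        return "Valid"  # assumption: a key with no expiry date counts as Valid
    if expires <= now:
        return "Expired"
    if expires - now <= CRITICAL_WINDOW:
        return "Critical"
    return "Valid"


def list_keys(colon_listing, now):
    """Return one dict per primary key with the columns the monitor displays."""
    keys = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):  # field 5 = key ID, field 7 = expiry (epoch seconds)
            exp = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
            keys.append({"type": "Public" if f[0] == "pub" else "Secret",
                         "key_id": f[4], "user_id": None, "valid_until": exp,
                         "state": validity_state(exp, now)})
        elif f[0] == "uid" and keys and keys[-1]["user_id"] is None:
            keys[-1]["user_id"] = f[9]  # field 10 of the first uid record = user ID
    return keys


if __name__ == "__main__":
    for k in list_keys(SAMPLE, datetime.now(timezone.utc)):
        print(k["state"], k["type"], k["key_id"], k["user_id"], k["valid_until"])
```

Subkey records (sub, ssb) are ignored here, so only the primary key's expiry date is evaluated.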

PGP Keys Monitor: Actions

The scope of the first version of the PGP Key Monitor comprises the following features:

  • Uploading secret, public keyrings
  • Downloading secret, public keyrings

To upload public or secret keys, choose one of the following options:

  • Add –> Public Keys
  • Add –> Secret Keys


To download public or secret keys, choose one of the following options:

  • Download –> Public Keys
  • Download –> Secret Keys


The following table provides more information on these actions:

| Action | Description |
|---|---|
| Add public key or secret keys | To upload a secret or public keyring and replace the existing secret or public keyring, choose Add. |
| Download | To download an artifact, select the artifact in the table and choose Download Public Key or Secret Keys. |
| Delete | To delete an artifact, go to Monitor –> Manage Security, select the Security Material tile, select the secret or public keyring in the table, and choose Delete. |

See also: Managing Security Material

WARNING: With the current version of the PGP Keys monitor, the action is applied to the entire secret or public keyring. You will replace the entire keyring when adding a new one. Make sure that you keep your external backup. The Add action has the same functionality as the Upload functionality in the previous PGP key management (in the Security Material tile) and replaces the keyrings.

Authorizations

To protect the use of PGP Keys monitor, the following roles are available:

| Task | Role (Neo) | Role-Template (Cloud Foundry) |
|---|---|---|
| Add PGP keyring artifacts | NodeManager.deploysecuritycontent, NodeManager.deploycontent | SecurityMaterialEdit |
| Undeploy PGP keyring artifacts | NodeManager.deploycontent, NodeManager.deploysecuritycontent | SecurityMaterialEdit |
| Download PGP keyring artifacts | NodeManager.read, NodeManager.readsecuritycontent | SecurityMaterialDownload |
| Display PGP keyring artifacts | NodeManager.read | MonitoringDataRead |

Planned Iterations: PGP Key Monitor

  1. Upload/Download PGP Keyrings: Operation on entire keyrings (Available: 2022-04-09)
  2. Display Key details: Display secret, public key details
  3. Single Key Operations: Add, Download, Delete single secret, public keys
    Availability of the single key operations would retire the Manage Security Material secret, public key display and delete functionality.

Further Information

SAP Help: Managing PGP Keys
SAP Help: How OpenPGP Works 
SAP Blog: Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password