Why use OpenPGP?
Organizations must protect sensitive data, both when it is at rest—whether on-premises or in the cloud—and when it is in use. This is especially true when files containing sensitive data are being transferred from one location to another. Encryption keeps data safe in both instances by rendering it unreadable to anyone who might intercept it, or otherwise gain access to it.
OpenPGP is the file encryption used by Coviant Software to protect your sensitive files. OpenPGP is the standardized and fully compatible implementation of commercial PGP™ software, a widely adopted standard proven to be excellent at keeping data safe. The secure file transfer protocol (SFTP) keeps data safe on the wire when it is transferred between endpoints, preventing malicious actors from eavesdropping on or modifying the data in transit. Diplomat MFT secure managed file transfer software combines both OpenPGP and SFTP to keep data safe in motion and at rest.
What is the difference between OpenPGP and PGP™?
Often, when you hear someone say PGP™ they are referring to OpenPGP, as the two terms are typically used interchangeably. The only real difference is that PGP is a trademarked term, while OpenPGP is the standard which PGP implements (as does Diplomat MFT). Don’t be confused or intimidated. If you need to “do PGP,” Diplomat MFT automates the process, making it easy.
What is OpenPGP?
OpenPGP is a technology standard, defined by RFC 4880, that provides strong cryptography for content encryption and digital signatures. OpenPGP is a widely adopted standard for protecting sensitive information exchanged between parties, and for verifying the sender of those files. A file encrypted using OpenPGP is protected by strong cryptography and hash functions to verify that the contents are not changed during transmission or at rest. Diplomat MFT is an easy-to-use OpenPGP encryption solution for protecting files as a part of a data security management and compliance program.
How do companies use OpenPGP?
Many companies use OpenPGP to protect the sensitive data that is transferred between systems. Data such as payment card information, banking data, personally identifiable information, patient health care records, inter-company payments, intellectual property, and other sensitive information must be stored and transferred with strong cryptography to avoid financial or reputational penalties for data loss during data storage or transmission. Automated PGP encryption tools like Diplomat MFT make it easy to implement PGP encryption.
What is SFTP?
SFTP is a file transfer technology based upon the SSH standard. SFTP is widely adopted across virtually every platform imaginable. It supports strong authentication with passwords and cryptographic keys (called “SSH Keys”), ensuring that the identities of both client and server are verified for a file transfer. SFTP provides strong encryption and integrity checking to ensure that transferred data is secure in transit, and arrives untampered at its destination.
Is PGP software?
PGP is not encryption software, but a protocol using standard algorithms to encrypt files to ensure they are visible only to intended recipients. PGP is often used to ensure the confidentiality of data at rest (on a disk). PGP can also be used to sign files so the recipient can verify the sender. The standard is implemented by software in various PGP tools, and integrated into products built to keep data secure, such as Diplomat MFT.
See “What algorithm does PGP use” in this FAQ for more information.
How do companies manage OpenPGP and SFTP File Transfer Workflows?
Often, OpenPGP and SFTP workflows are handled with home-grown scripts or batch files sprawled across the organization. Operation is fragile, maintenance is hard, and errors are common and difficult to handle. Scaling is impossible because these ad-hoc mechanisms were never designed for growth and lack necessary enterprise-grade features. Managing the security is a daunting task, as cryptographic algorithms become obsolete and tools need to be updated.
If you need to encrypt or decrypt sensitive files using PGP, and transfer those files to internal systems or external partners, customers, or clients, then Diplomat Managed File Transfer will save you time, reduce human errors, and provide full auditing and alerting of those file transfers.
Rather than developing and maintaining fragile scripts to handle OpenPGP encryption, manage keys, and transfer files via SFTP, you can make a low-cost investment in Diplomat MFT in order to simplify and centralize your OpenPGP and SFTP business workflows.
Coviant Diplomat MFT has saved countless hours of productivity for hundreds of customers, handling thousands of file transfers across the globe every hour. You can trust Coviant to automate your OpenPGP and SFTP business workflows!
Case Study: Allegheny Energy, Inc.
Allegheny Energy is an electric utility headquartered near Pittsburgh, Pennsylvania, with over $3 billion in annual revenues and more than 4,000 employees. It owns and operates generating facilities with almost 10,000 megawatts of generating capacity and delivers electric service to approximately 1.5 million customers in Pennsylvania, West Virginia, Maryland, and Virginia.
PGP Encryption & Automation Commonly Asked Questions
How does PGP work?
PGP works through the clever application of two different cryptographic techniques: public key and symmetric key cryptography. Public key cryptography is used to strongly identify a party (person or machine) using PGP. A public key pair has two parts: the private portion, which is used to decrypt files encrypted with the public half of that key pair and/or to digitally sign a file, and the public portion, which is distributed to anyone who wishes to encrypt data for that party or verify a signature made with the private half of that key pair.
Public key cryptography is slow, so it is used only to encrypt the symmetric key. The symmetric key is what encrypts or decrypts the contents of the PGP payload. Because the symmetric key is encrypted by the public key of a given party, only the intended recipient can unlock the symmetric key and read the data. Symmetric key cryptography is much faster than public key cryptography, so the combination of the two makes for a very secure yet very efficient mechanism for securing and validating file data.
Can PGP encryption be cracked?
PGP offers encryption using unlimited key lengths for key exchanges and ciphers, with most systems limiting those to 4096 and 256 bits, respectively. Even with the fastest computers, it would take trillions of years to crack the code on a 256-bit encryption key.
What is the difference between PGP and GPG?
GPG is short for “GnuPG,” an open source implementation of the PGP protocol that provides a command line interface to perform PGP encryption, decryption, signing, verifying, and key management operations.
What algorithm does PGP use?
The OpenPGP standard lists multiple public key algorithms, including RSA, Elgamal, and DSA.
The OpenPGP standard lists multiple algorithms for symmetric data encryption, including 3DES, IDEA, CAST5, Blowfish, Twofish, AES (128, 192, and 256-bit), and Camellia (128, 192, and 256-bit).
The OpenPGP standard lists multiple algorithms for hashes on the data (which are used for integrity checking and signatures), including MD5, SHA-1, RIPE-MD/160, and SHA2 (224, 256, 384, and 512-bit).
The OpenPGP standard lists multiple algorithms for data compression, including ZIP, ZLIB, and BZIP2.
It is important to note that only a few of these algorithms (DSA and Elgamal; 3DES; and SHA-1) are required to be implemented by the OpenPGP standard. However, this minimal requirement is regarded as insecure because algorithms like 3DES and SHA-1 are considered “broken.” Fortunately, many PGP implementations, such as Diplomat MFT, support all of the OpenPGP standard’s public key algorithms (and a few additional ones, like Elliptic Curve). Diplomat MFT supports modern, secure algorithms in its PGP library.
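Added example, not code from Coviant or Diplomat MFT: a Python check that decodes the algorithm preferences and signature digest found in the text output of gpg --list-packets for a public key, and flags the weak algorithms named above when they are actually favoured. The sample listing is constructed, the function name is hypothetical, and including MD5 in the weak set is an assumption of this example.

```python
import re

# OpenPGP algorithm identifiers (RFC 4880; Camellia from RFC 5581).
SYM = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES-128",
       8: "AES-192", 9: "AES-256", 10: "Twofish", 11: "Camellia-128",
       12: "Camellia-192", 13: "Camellia-256"}
HASH = {1: "MD5", 2: "SHA-1", 3: "RIPE-MD/160", 8: "SHA-256", 9: "SHA-384",
        10: "SHA-512", 11: "SHA-224"}
# 3DES and SHA-1 are the ones this page calls broken; MD5 is this example's addition.
WEAK = {"3DES", "SHA-1", "MD5"}

PREF = re.compile(r"\(pref-(sym|hash)-algos: ([\d ]+)\)")
DIGEST = re.compile(r"digest algo (\d+)")


def audit(listing):
    """Decode preferences in a public-key packet listing and flag weak choices."""
    prefs, findings = {}, []
    for line in listing.splitlines():
        digest = DIGEST.search(line)
        if digest:
            name = HASH.get(int(digest.group(1)), f"hash id {digest.group(1)}")
            if name in WEAK:
                findings.append(f"signature uses {name}")
        pref = PREF.search(line)
        if pref:
            kind = pref.group(1)
            table = SYM if kind == "sym" else HASH
            names = [table.get(int(n), f"id {n}") for n in pref.group(2).split()]
            prefs[kind] = names
            # Flag a weak algorithm only when it is ranked ahead of a stronger one.
            for i, name in enumerate(names):
                if name in WEAK and any(x not in WEAK for x in names[i + 1:]):
                    findings.append(f"{name} is preferred over stronger {kind} algorithms")
    return prefs, findings


# Constructed listing in the style of `gpg --list-packets`; not from a real key.
SAMPLE = """\
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1500000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 12 34
\thashed subpkt 11 len 4 (pref-sym-algos: 2 9 8 7)
\thashed subpkt 21 len 3 (pref-hash-algos: 8 10 2)
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```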
Is PGP software?
OpenPGP is not the encryption software itself. It is the technology standard for encrypting content to ensure it is visible only to intended recipients. PGP is often used to ensure the confidentiality of data at rest (stored on a disk). PGP can also be used to sign files so the recipient can verify the sender. The standard is implemented by software in various PGP tools, and integrated into solutions built to keep data secure, such as Diplomat MFT.
See “What algorithm does PGP use” in this FAQ for more information.
How do you automate PGP encryption and decryption?
PGP encryption is often handled by complex command line applications, which can be confusing and hard to remember, resulting in complex and fragile scripted solutions. As a part of the secure managed file transfer process, Diplomat MFT serves as a simple PGP encryption solution that enables automated no-code encryption, decryption, signing, and verification with an intuitive interface.
Open-source PGP encryption tools like GnuPG (GPG) can be effective, but the reliance upon scripting–and the individuals who build and maintain those scripts–introduces fragility that weakens security and increases a company’s risk profile.
How do I set up PGP encryption?
To set up PGP, you need to generate your own Key Pair, which consists of both a public key and private key component. You keep the private key to yourself, while the public key you can deliver to anyone who wishes to send data encrypted for only you. If you wish to encrypt data for a given recipient, such that they are the only ones who can read it, you will need their public key. Diplomat MFT provides an intuitive user interface to create, import, and export PGP keypairs and public keys, combining powerful PGP encryption with simplicity and ease of use.
Can I decrypt PGP with GPG?
GPG can be used to decrypt PGP files because it conforms to the OpenPGP standard. Any message that is encrypted in the OpenPGP format can be decrypted by GPG or any other standard-conforming PGP encryption tool. Diplomat MFT’s OpenPGP capabilities allow you to automate various operations like encrypting, decrypting, signing, and verifying.
Is PGP dead?
No! PGP is alive and well, and an excellent choice for applying strong encryption. In fact, PGP is a security requirement for data transfers to and from many banks. Many of Coviant Software’s customers use Diplomat MFT to exchange PGP encrypted files with JP Morgan, Citi, Bank of America, and more.
CASE STUDY: PGP ENCRYPTION / DECRYPTION
- Single solution to handle both encryption/decryption and file transfer
- Ability to handle rising numbers of daily transactions – number of transactions has more than doubled to date
- Ensure files are transferred on time every time
- Tedious and inefficient scripting is eliminated using Diplomat MFT’s easy-to-use interface
- Notification of file transfer or other errors is sent immediately to the appropriate IT team members for action – before a failed transfer becomes a business problem
- Job failures reduced from 1-2 per day with the manual system to fewer than one a week using Diplomat MFT
Allegheny Energy is an electric utility headquartered near Pittsburgh, Pennsylvania, with over $3 billion in annual revenues and more than 4,000 employees. It owns and operates facilities with almost 10,000 megawatts of generating capacity and delivers electric service to approximately 6 million customers in Pennsylvania, West Virginia, Maryland, and Virginia.
Allegheny Energy transfers sensitive files to business partners including banks, health care institutions, and government regulatory agencies and auditors hundreds of times a day. The security of this data – and the business requirement to ensure that the correct files are transferred on time every time – is paramount to Allegheny’s operations.
As the volume of Allegheny’s file transfers grew along with its expanding business network, the company began seeing higher rates of job failure. Ryan Andrews, senior IT security analyst with the company, decided there had to be a better way.
Andrews described the encryption and transfer of files using Allegheny’s legacy tools as “a predominantly manual and inefficient process.” He had to use two separate tools: one for encryption and one for file transfer.
“When we set up file transfer jobs, we wasted programmer time writing scripts to encrypt the files to be transferred,” Andrews said. “When files were transferred, we struggled to identify failed jobs and to re-transmit or otherwise correct the error. And, as the number of transfers grew, things were only getting worse.”
Ryan needed to find a more efficient and reliable way to handle the daily load of file encryptions and transfers between Allegheny and its partners.
The initial search for a better approach turned up solutions that were expensive and complex. “We didn’t need all that. We needed a simple but well-designed and effective tool that would encrypt, decrypt, and transfer files, with good email notification and troubleshooting capabilities.”
When a colleague in another firm mentioned Diplomat MFT, Andrews downloaded a trial version. “I knew immediately that I’d found the answer,” he says. “Diplomat MFT could encrypt, decrypt and transfer files. But more than that, it performed these functions using an intuitive interface with exceptional audit reporting, excellent debugging tools, and extensive notification capabilities. Diplomat MFT meant the end to time-consuming scripting, hit-or-miss notification, and frustrating debugging of failed jobs.”
Andrews found that the debugging capabilities of Diplomat MFT were every bit as comprehensive as those in the high-end solutions he had researched. “Diplomat goes way beyond what I expected in an affordable product. The log viewer lets me look at information involving a specific transaction, or by specific errors, or by a search phrase.”
New Diplomat MFT features such as secure FTP (SFTP and FTPS) have added to the product’s value. “Secure transfer ups the level of security overall. With regular ftp, login data and files are sent as plaintext – both could be intercepted and looked at, and that is why we encrypt files. Secure file transfer goes one step farther by protecting the login data, as well,” Andrews notes.
As a publicly owned utility, Allegheny is highly regulated and scrutinized; audit and compliance reporting is a key requirement for the business. “With Diplomat MFT, we have a full audit trail to show the transmission and receipt of files. And transfer errors, unavoidable in any system, are quickly dealt with – before they become business problems.”
Andrews has used Diplomat MFT’s extensive and easy-to-implement notification functions to create groups of users to be notified by pager, email, or both. “I can include log files with the notification to people who will review the code and find the cause, and for other groups, such as managers, I can provide summary notification.”
Client Feedback & Testimonial
Andrews found Diplomat MFT easy to install and became productive with it immediately. And as he began using more of its features, such as advanced debug capabilities and comprehensive notification, productivity increased. “I am impressed by everything it does.”
As the universe of business partners expands for Allegheny, as for most enterprises today, Andrews has found that using Diplomat can enhance Allegheny’s business relationships. “In fact, most people I talk to about Diplomat MFT are thrilled that they can receive immediate email notification when a file transfer is completed. There isn’t any other IT file solution that I recommend as highly or as often as I recommend Diplomat.”
“Diplomat MFT enabled us to take two time-consuming and inefficient processes – encrypting and setting up file transfers – and make them one single, automated process that supports Allegheny’s business requirements.”
—Ryan Andrews, Senior IT Security Analyst, Allegheny Energy