Sep 8, 2020

How to Use PGP Keys

OpenPGP keys, often referred to as “PGP” keys, are used to encrypt and sign outbound files and to decrypt and verify inbound files.

PGP encryption protects the contents of a file. PGP signatures verify the authenticity of the file’s sender and provide non-repudiation, which prevents the sender from claiming that he or she did not actually send the file.

OpenPGP keys are created as private key pairs, which must be kept secret and never distributed. The public portion of an OpenPGP key pair can be exported to a file to be sent to trading partners. When you establish a relationship with a trading partner, you send each other only OpenPGP public keys.

You can create OpenPGP key pairs and export OpenPGP public keys to send to your trading partner using Diplomat OpenPGP Community Edition, a free PGP automation tool.

When you send an encrypted and signed file to your trading partner, you encrypt the file with your trading partner’s public key and sign it with your private key pair. You can automate jobs to encrypt and sign files to be sent to your trading partners for free using Diplomat OpenPGP Community Edition.

When you receive an encrypted and signed file from your trading partner, you decrypt the file with your private key pair and verify the signature with your trading partner’s OpenPGP public key. Diplomat OpenPGP Community Edition also lets you automate decryption and verification of files that you receive from your trading partners.


PGP Tutorial: Diplomat MFT Makes PGP Easy

Video Transcript

This video will describe the basics of using PGP Encryption within Diplomat MFT. PGP is an excellent way to keep data secure, both in transit and at rest, and it also helps to verify the sender of data, but it can be a little complex. I think Diplomat MFT helps manage that complexity pretty well. So let’s see how we do that.

Here I have an existing transaction where I am sending HR roster data to a fictitious company called Acme, Inc. Every day I must pick up a file from my network drive here and deliver it to my trusted partner over SFTP. Here we can see some data that exists at Source, and I want to upload it over SFTP.

For security reasons, I want to use PGP on this very sensitive HR data so that the data is encrypted and therefore protected both in transit and at rest on both ends. To do so, I am going to need to get a PGP key from my partner, Acme Incorporated. They provide me their public key so that I can encrypt the contents of my employee roster using their public key, and they are the only ones who can decrypt that.

My partner has provided me the PGP public key that I can use to transfer encrypted data to them. So now I just need to import it. I will right click and choose import public key. I’ve already copied the key they provided into this path, the default path for PGP keys. I select it and choose which key out of the listed available keys I would like to import.

This looks like it. I will call it the Acme, Inc. Public PGP Key. This is how we refer to it inside Diplomat MFT. Now we can see that it’s been imported over here and it can be used inside our transaction. So let’s go back to our HR roster to Acme, and if we scroll down to the file handling panel, we’ll see that PGP encryption is as simple as checking a box to encrypt the data and choosing from our available keys.

Let’s choose Acme, Inc. Public PGP Key and save. So now we see this transaction is ready to run every day at 11:00 PM, but we can go ahead and click run now to see what happens. This transaction will pull from the local network path, find the matching files, transfer to Acme, Inc. after encrypting it with PGP first, and here’s the log.

We can see that it found one file. File from today. It encrypted using the Acme PGP key and it got delivered as a PGP file. And of course we keep an archive around, so you always have a copy of the data flowing through Diplomat MFT. So that’s how simple it is to use PGP inside Diplomat MFT.

PGP vs. OpenPGP: Encryption & Automation Solutions 

OpenPGP is a standard that defines formats for encryption keys and messages.

PGP™ is a trademarked term used by Symantec Corporation for their OpenPGP-compliant products, such as Symantec PGP Command Line.

Many commercial products like McAfee E-Business Server and free products like Diplomat OpenPGP Community Edition comply with the OpenPGP standard.

OpenPGP-compliant products are compatible such that:

  • Keys created by an OpenPGP-compliant application can be imported and used by other OpenPGP-compliant applications.
  • Files encrypted or signed by an OpenPGP-compliant application can be decrypted or verified by other OpenPGP-compliant applications.
  • Additional file transformations covered by the OpenPGP standard, such as ASCII-armoring, canonicalization, and compression, are also compatible between OpenPGP-compliant applications.

PGP™ is a standard for encrypting data. Because Coviant Software uses PGP to encrypt the files it sends and receives, we get a lot of questions about it. Here are the most frequently asked questions we get about PGP and their corresponding answers.


FAQs & Explanations

How do you automate PGP encryption and decryption?

PGP encryption is often handled by complex command line applications, which can be confusing and hard to remember, resulting in complex and fragile scripted solutions.  As a part of the secure managed file transfer process, Diplomat MFT serves as a simple PGP encryption solution that enables automated no-code encryption, decryption, signing, and verification with an intuitive interface.

Open-source PGP encryption tools like GnuPG (GPG) can be effective, but the reliance upon scripting–and the individuals who build and maintain those scripts–introduces fragility that weakens security and increases a company’s risk profile.

What is the difference between PGP and GPG?

GPG is short for “GnuPG,” an open source implementation of the PGP protocol that provides a command line interface to perform PGP encryption, decryption, signing, verifying, and key management operations.  

What can I use instead of PGP?

Because OpenPGP is an open, standard format for data encryption, there are many tools out there which can be used to do required PGP operations. Tools like Diplomat MFT make using PGP point-and-click easy, so there’s no need to use more complicated encryption processes.

Can I decrypt PGP with GPG?

GPG can be used to decrypt PGP files because it conforms to the OpenPGP standard.  Any message that is encrypted in the OpenPGP format can be decrypted by GPG or any other standard conforming tool, like Diplomat MFT, which automates the use of proper command line syntax for the various operations like encrypting, decrypting, signing, and verifying.

What algorithm does PGP use?

The OpenPGP standard lists multiple public key algorithms, including RSA, Elgamal, and DSA.

The OpenPGP standard lists multiple algorithms for symmetric data encryption, including 3DES, IDEA, CAST5, Blowfish, Twofish, AES (128, 192, and 256-bit), and Camellia (128, 192, and 256-bit).

The OpenPGP standard lists multiple algorithms for hashes on the data (which are used for integrity checking and signatures), including MD5, SHA-1, RIPE-MD/160, and SHA-2 (224, 256, 384, and 512-bit).

The OpenPGP standard lists multiple algorithms for data compression, including ZIP, ZLIB, and BZIP2.

It is important to note that only a few of these algorithms–DSA and Elgamal; 3DES; and SHA-1–are required to be implemented by the OpenPGP standard. However, this minimal requirement is regarded as insecure because algorithms like 3DES and SHA-1 are considered “broken.” Fortunately, many PGP implementations, such as Diplomat MFT, support all of the OpenPGP standard’s public key algorithms (and a few additional ones, like Elliptic Curve). Diplomat MFT is one such product that supports modern, secure algorithms in its PGP library.
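
Each algorithm named above is carried in OpenPGP packets as a one-byte ID, so a received key or signature can be checked for the "broken" choices before it is trusted. The Python below is an added example, not code from this page or from Diplomat MFT: it reads those IDs from binary packets and flags weak ones. The FLAGGED policy (3DES and SHA-1 from the text, plus MD5) and the sample bytes are assumptions constructed for illustration.

```python
PUBKEY = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}  # RFC 4880/6637 IDs
SYMMETRIC = {2: "3DES", 3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASH = {1: "MD5", 2: "SHA-1", 3: "RIPE-MD/160", 8: "SHA-256", 10: "SHA-512"}
COMPRESSION = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}
FLAGGED = {"3DES", "SHA-1", "MD5"}  # assumed policy: the text's two, plus MD5

def packets(data):
    """Yield (tag, body) for each definite-length packet in data."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """Return [(algorithm name, flagged?)] for v4 packets that expose an ID."""
    found = []
    for tag, b in packets(data):
        if tag == 2 and b[:1] == b"\x04":          # signature: pubkey, hash
            found += [PUBKEY.get(b[2], "unknown"), HASH.get(b[3], "unknown")]
        elif tag == 3 and b[:1] == b"\x04":        # passphrase session key
            found.append(SYMMETRIC.get(b[1], "unknown"))
        elif tag in (6, 14) and b[:1] == b"\x04":  # public key / subkey
            found.append(PUBKEY.get(b[5], "unknown"))
        elif tag == 8:                             # compressed data
            found.append(COMPRESSION.get(b[0], "unknown"))
    return [(name, name in FLAGGED) for name in found]

# Constructed sample, header fields only: DSA key, RSA/SHA-1 signature, ZLIB.
SAMPLE = bytes.fromhex("c606045f57000011" "880404000102" "c80102")
```

For a file encrypted to a public key, the symmetric cipher ID sits inside the encrypted session key and is not visible this way; only passphrase-encrypted messages expose it in the clear.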