When you push your files for processing, you keep your data in the form of files. But what if the data you are storing is sensitive? How can you protect it from unauthorized access? One way is to encrypt the files using GPG. In this blog, I'll explain what GPG is and how you can use it to encrypt and decrypt files when sending them to the SAP Commissions sFTP dropbox for processing.
What are GPG keys?
GPG stands for GNU Privacy Guard. It uses asymmetric encryption. Let's see how asymmetric encryption works and how it differs from the symmetric encryption we generally use.
In symmetric encryption there is only one key, generally known as a password, which is used both to encrypt and to decrypt the files. The problem is: how do you share that same password over the network with the sender/receiver? Asymmetric encryption solves this problem. Let's see how.
In asymmetric encryption there is a pair of keys, one public and one private. The owner can share the public key with anyone who wants to send them files in encrypted form. The encrypted file is then sent back to the owner, and it can only be decrypted with the corresponding private key.
GPG Use Cases
- Encryption: Used to encrypt files. You can send content to someone without anyone in the middle being able to read it.
- Signing Commits: Helpful for proving your identity. For example, you can use your GPG key to sign your commits on GitHub, to verify that you are the one who actually made them.
- Encrypting Passwords: Very helpful if you use a command-line password manager such as pass. It uses your GPG keys to handle the encryption of all the secrets you store in that password manager.
Install GPG
For Windows
https://gnupg.org/download/index.html
For Ubuntu/any Debian based distributions
sudo apt install gnupg
For CentOS/ RHEL based distributions
sudo yum install gnupg
Verify Installation
gpg --version
List all GPG public keys
gpg --list-keys
List all GPG private key pairs
gpg --list-secret-keys
Export Public Key in ASCII Format
## Output to STDOUT
gpg --armor --export <email-Id>
## Output to a file
gpg --armor --export --output <file.txt> <email-Id>
Encrypt a file for a specific user using GPG (Using Asymmetric Encryption)
gpg --encrypt --recipient <recipient-user-email> <file-name>
Encrypt a file using GPG (Uses Symmetric Encryption)
gpg --symmetric <file-name>
## It will prompt for a password
Decrypt that encrypted file (For Both, Symmetric and Asymmetric Encryption)
gpg --decrypt <encrypted-file>
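The commands above as one end-to-end exchange, added here as an example that is not part of the original post: the key owner (the party that will receive files) generates a key pair and exports the public key, a separate sender imports that public key and encrypts a data file, and only the owner can decrypt it. The names, email address and CSV content are constructed for the demo, and the key is generated without a passphrase purely so the script runs unattended; everything happens in throwaway keyrings.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates the
# owner/sender split: the owner keeps the private key, the sender only
# ever sees the exported public key. Returns 0 if the decrypted file
# matches the original, non-zero otherwise.
set -eu

gpg_roundtrip() {
  work=$(mktemp -d)
  owner="$work/owner"; sender="$work/sender"
  mkdir -m 700 "$owner" "$sender"
  email="recipient@example.com"        # constructed recipient id

  # 1. Owner generates an RSA key pair (no passphrase: demo only).
  GNUPGHOME="$owner" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Recipient
Name-Email: $email
Expire-Date: 0
%commit
EOF

  # 2. Owner exports the PUBLIC key in ASCII armor; this is what is shared.
  GNUPGHOME="$owner" gpg --batch --armor --export "$email" > "$work/pubkey.asc"
  grep -q "BEGIN PGP PUBLIC KEY BLOCK" "$work/pubkey.asc" || return 1

  # 3. Sender imports the public key and encrypts a constructed data file.
  #    --trust-model always skips the web-of-trust prompt for the imported key.
  printf 'order_id,amount\n1001,250.00\n' > "$work/data.csv"
  GNUPGHOME="$sender" gpg --batch --quiet --import "$work/pubkey.asc"
  GNUPGHOME="$sender" gpg --batch --quiet --trust-model always \
    --encrypt --recipient "$email" \
    --output "$work/data.csv.gpg" "$work/data.csv"

  # 4. The sender holds no private key, so the ciphertext is opaque to them.
  if GNUPGHOME="$sender" gpg --batch --quiet --decrypt "$work/data.csv.gpg" >/dev/null 2>&1; then
    echo "unexpected: sender could decrypt" >&2; return 1
  fi

  # 5. Owner decrypts with the private key and compares with the original.
  GNUPGHOME="$owner" gpg --batch --quiet --decrypt \
    --output "$work/decrypted.csv" "$work/data.csv.gpg"
  if cmp -s "$work/data.csv" "$work/decrypted.csv"; then rc=0; else rc=1; fi
  GNUPGHOME="$owner" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$sender" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return $rc
}
```

Step 4 is the check that matters for the dropbox scenario: a file encrypted to the support team's public key cannot be read by anyone who only has that public key, including the customer who encrypted it.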
Let’s Understand SAP Commissions Customer & Support Process for Setup
Customers can compress their data using gzip and submit it to the dropbox to save bandwidth. Customers can also encrypt their data after installing GPG as described in the steps above. In this case the filename will end with .gpg. (Officially, SAP Commissions considers only the gpg format.)
Note: GNU's implementation of GPG automatically compresses the file by default.
Inbound & Outbound File Encryption/Decryption
If a customer sends an encrypted inbound file (.gpg), the customer needs the encryption public key from the SAP Commissions Technical Support team (formerly called Callidus). Customers have to open a case to request the Callidus public encryption key for inbound files.
For outbound files sent to the customer by Callidus, the customer needs to provide their public key to Callidus for encryption.
The SAP Commissions Support team can check whether your tenant is configured with a list of keys:
To review the list of keys on the Commissions app server, use the following command:
gpg --list-keys
Dropbox
The dropbox is an SFTP site. It is used by the customer to upload files for processing by ODI/CDL.
Authentication for the dropbox is always by private key. Customers submit their public key in a support ticket to get access.
manual – This is the most commonly used folder for customers to upload files to the dropbox. It automatically generates audit files (more on this later) for each file.
inbound – This directory is like the manual directory, but requires customers to drop their audit files along with their data files.
outbound – Some customers have custom data extracts. The extracts are available for pickup from the outbound directory.
badfiles – Any files that produce an ODI/CDL-ERROR email will be found here.
This process applies to customers on both Oracle and HANA.
Oracle uses ODI and HANA uses CDL to process files.
Encryption/Decryption Process Flow
More info about SAP Commissions: Link