PGP Encryption and Decryption

Encryption and Decryption of Data Using Pretty Good Privacy (PGP) with the SAP PGP Modules

PGP is one of the most commonly used encryption and decryption mechanisms for data transmitted between internal and external systems. SAP PI/PO provides out-of-the-box support for PGP via adapter modules, which can encrypt or decrypt data as well as sign it. Public keys (safe to share) are used to encrypt messages, while private keys (which must not be shared) are used to decrypt them.

PGP Modules

1. PGPEncryption Module

The PGPEncryption module functions as the originator of PGP messages. It is used for the following activities:

  • Data Encryption 
  • Payload Signature 
  • Data Compression 

The PGPEncryption module is configured under the ‘modules’ tab in the receiver communication channel. It can be used in every communication channel that supports enhancement via modules (e.g. File, SFTP, JMS, SOAP, etc.).

[Figure: PGP Encryption Module Configuration]

Options for PGPEncryption

Parameter Name      Description
------------------  --------------------------------------------------------------------------------
applyEncryption     Set to true if you want to encrypt the outgoing message
applySignature      Set to true if you want to sign the outgoing message
applyCompression    Set to true if you want to compress the outgoing message
encryptionAlgo      Specify the algorithm to be used for encryption
signingAlgo         Specify the algorithm to be used for the signature
asciiArmored        Set to true if you want the message to be ASCII armored
partnerPublicKey    Used to specify the public key of the partner
ownPrivateKey       Used to specify your own private key (never share this key with anyone)
pwdOwnPrivateKey    Password for your own private key (never share this password with anyone)
keyRootPath         Path where PGP keys are stored (if storing keys on the PI/PO server)
useSecureStorage    Set to true if you want to use PGP keys stored in the B2B Integration Cockpit
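The asciiArmored option decides whether the module emits raw binary OpenPGP data or wraps it in the text form that survives mail gateways and text-only transports. The following Python example, added here and not SAP's code nor part of the original article, shows what that wrapper is: base64 body, an optional "Version:" header line (a constructed placeholder value here), and a CRC-24 trailer as specified in RFC 4880 section 6.1. The decoding side verifies the trailer, which is why a receiving channel can reject an armored message that was altered in transit before it even tries to decrypt it. The payload bytes used are constructed sample data, not a real PGP message.

```python
import base64

# CRC-24 constants from RFC 4880, section 6.1 (OpenPGP ASCII armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """Return the 24-bit OpenPGP armor checksum of data."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Wrap binary OpenPGP data in ASCII armor (the asciiArmored=true form)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 76] for i in range(0, len(body), 76)]
    checksum = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    # "Version:" is an optional armor header; the value below is a constructed placeholder.
    parts = [ARMOR_BEGIN, "Version: constructed-example", ""] + lines + ["=" + checksum, ARMOR_END]
    return "\n".join(parts) + "\n"


def dearmor(text: str) -> bytes:
    """Strip ASCII armor and verify the CRC-24 trailer; raise ValueError on any defect."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an ASCII-armored PGP message")
    body = lines[1:-1]
    if "" not in body:
        raise ValueError("missing blank line that terminates the armor headers")
    data_lines = [line for line in body[body.index("") + 1:] if line]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    crc_line = data_lines.pop()
    # validate=True rejects characters outside the base64 alphabet instead of skipping them.
    payload = base64.b64decode("".join(data_lines), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: armored message is corrupted or was modified in transit")
    return payload


def armor_is_intact(text: str) -> bool:
    """True only if text is well-formed armor whose checksum matches its contents."""
    try:
        dearmor(text)
        return True
    except ValueError:  # binascii.Error from b64decode is a ValueError subclass
        return False


def is_armored(raw: bytes) -> bool:
    """Receiver-side sniff: does an incoming payload look armored rather than binary?"""
    return raw.lstrip().startswith(b"-----BEGIN PGP ")


if __name__ == "__main__":
    sample = b"constructed sample payload, not a real OpenPGP packet"
    wrapped = armor(sample)
    print(wrapped)
    print("round trip ok:", dearmor(wrapped) == sample)
```

The CRC only detects accidental corruption; integrity against a deliberate change is what the signature (applySignature / signature verification) is for, which is why the two options are independent of each other.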


2. PGPDecryption Module

The PGPDecryption module functions as the subscriber of PGP messages. It is used for the following tasks:

  • Data Decryption
  • Signature verification
  • Data Decompression 

The PGPDecryption module is configured under the ‘modules’ tab in the sender communication channel. It can be used in every communication channel that supports enhancement via modules (e.g. File, SFTP, JMS, SOAP, etc.).

[Figure: PGP Decryption Module Configuration]

Options for PGPDecryption

Parameter           Description
------------------  --------------------------------------------------------------------------------
partnerPublicKey    Used to specify the public key of the partner
ownPrivateKey       Used to specify your own private key (never share this key with anyone)
pwdOwnPrivateKey    Password for your own private key (never share this password with anyone)
keyRootPath         Path where keys are stored (if storing keys on the PI/PO server)
useSecureStorage    Set to true if you want to use PGP keys stored in the B2B Integration Cockpit


Managing PGP Modules

The PGP keys (private as well as public) can be stored either in the NetWeaver J2EE server's Secure Store or on the file server where PI/PO is installed. Storing keys in the Secure Store is the more secure option of the two.

1. Secure Store of NetWeaver J2EE Server (Recommended Approach)

When keys are stored in Secure Store, the encryption and maintenance of keys are done using the B2B Integration Cockpit. It can be accessed via a web browser and provides an excellent user interface to upload/download keys. Currently, you can only import/export PGP keys in Secure Store. It does not provide an option to generate PGP key pairs.

When using this approach, you need to set the ‘useSecureStorage’ option in the adapter module to ‘true’ so that the module looks up the keys in the Secure Store.

[Figure: B2B Integration Cockpit]

2. Storing Keys on a File Server of SAP PI/PO (Not Recommended)

Even though PI/PO allows keys to be stored on the file server, it is not advisable to do so. With this approach your keys are exposed to anyone who has access to the server. Private keys must be stored in a safe location and must not be shared with anyone; public keys can be freely shared across systems. If you decide to store your keys on the file server anyway, you must set ‘useSecureStorage’ to ‘false’ and provide the physical location of the keys (keyRootPath) in the adapter module.
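The parameter tables and the two key-storage approaches above translate into a small set of consistency rules: encryption needs the partner's public key, signing and decryption need your own private key and its password, and keys on the file server need a path and deserve a warning. The Python check below is an added example written for this article; it is not part of SAP's modules and the rules are this editor's reading of the tables, not SAP documentation. It is given the parameter map exactly as it would be entered in the channel's ‘modules’ tab and returns findings for a weak configuration next to a corrected one. Key names, algorithm names and the password in the sample configurations are constructed placeholders.

```python
from typing import Dict, List

# Module names as they appear in the channel's 'modules' tab.
ENCRYPTION_MODULE = "PGPEncryption"
DECRYPTION_MODULE = "PGPDecryption"


def _is_true(params: Dict[str, str], name: str) -> bool:
    return params.get(name, "").strip().lower() == "true"


def _is_set(params: Dict[str, str], name: str) -> bool:
    return bool(params.get(name, "").strip())


def check_pgp_module(module: str, params: Dict[str, str]) -> List[str]:
    """Return "ERROR: ..." / "WARN: ..." findings for one module's parameter map."""
    if module not in (ENCRYPTION_MODULE, DECRYPTION_MODULE):
        raise ValueError(f"unknown module {module!r}")
    findings: List[str] = []

    # Key location: anything but the Secure Store leaves key material on a file
    # system readable by everyone with access to the PI/PO host.
    if not _is_true(params, "useSecureStorage"):
        findings.append("WARN: useSecureStorage is not true; keys on the PI/PO file server are "
                        "exposed to anyone with server access, use the NetWeaver Secure Store")
        if not _is_set(params, "keyRootPath"):
            findings.append("ERROR: keyRootPath must point to the key directory when "
                            "useSecureStorage is false")

    if module == ENCRYPTION_MODULE:
        encrypt = _is_true(params, "applyEncryption")
        sign = _is_true(params, "applySignature")
        compress = _is_true(params, "applyCompression")
        if not (encrypt or sign or compress):
            findings.append("WARN: applyEncryption, applySignature and applyCompression are all "
                            "false; the payload leaves the channel untouched")
        if encrypt:
            if not _is_set(params, "partnerPublicKey"):
                findings.append("ERROR: applyEncryption=true needs partnerPublicKey "
                                "(the recipient encrypts with the partner's public key)")
            if not _is_set(params, "encryptionAlgo"):
                findings.append("WARN: encryptionAlgo is not specified for applyEncryption=true")
            if not sign:
                findings.append("WARN: message is encrypted but not signed; the partner "
                                "cannot verify who produced it")
        if sign:
            for name in ("ownPrivateKey", "pwdOwnPrivateKey"):
                if not _is_set(params, name):
                    findings.append(f"ERROR: applySignature=true needs {name}")
            if not _is_set(params, "signingAlgo"):
                findings.append("WARN: signingAlgo is not specified for applySignature=true")
    else:
        # Decryption always uses our own private key; the partner key is only
        # needed to verify a signature, so its absence is a warning, not an error.
        for name in ("ownPrivateKey", "pwdOwnPrivateKey"):
            if not _is_set(params, name):
                findings.append(f"ERROR: PGPDecryption needs {name} to decrypt incoming messages")
        if not _is_set(params, "partnerPublicKey"):
            findings.append("WARN: partnerPublicKey missing; signatures on incoming messages "
                            "cannot be verified")
    return findings


def has_errors(findings: List[str]) -> bool:
    return any(f.startswith("ERROR:") for f in findings)


# Constructed sample configurations (placeholder key names, algorithms and password).
WEAK_ENCRYPTION_CONFIG = {
    "applyEncryption": "true",
    "applySignature": "false",
    "applyCompression": "false",
    "encryptionAlgo": "PLACEHOLDER_ENCRYPTION_ALGO",
    "asciiArmored": "true",
    "partnerPublicKey": "partner_public_key_placeholder",
    "useSecureStorage": "false",
    # keyRootPath deliberately omitted: file-server storage without a location
}

HARDENED_ENCRYPTION_CONFIG = {
    "applyEncryption": "true",
    "applySignature": "true",
    "applyCompression": "true",
    "encryptionAlgo": "PLACEHOLDER_ENCRYPTION_ALGO",
    "signingAlgo": "PLACEHOLDER_SIGNING_ALGO",
    "asciiArmored": "true",
    "partnerPublicKey": "partner_public_key_placeholder",
    "ownPrivateKey": "own_private_key_placeholder",
    "pwdOwnPrivateKey": "REPLACE_ME_PLACEHOLDER",
    "useSecureStorage": "true",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_ENCRYPTION_CONFIG), ("hardened", HARDENED_ENCRYPTION_CONFIG)):
        print(label, check_pgp_module(ENCRYPTION_MODULE, cfg) or ["no findings"])
```

Running the check against the weak configuration reports both the missing key path and the unsigned-but-encrypted message; the hardened configuration, with keys referenced from the Secure Store and signing enabled, produces no findings.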

Conclusion

By using the SAP PGP adapter modules, you can encrypt, decrypt, and sign your data. Most industry-standard encryption algorithms are supported, and depending on your licensing agreement with SAP you may be able to download these modules at no additional cost.