Townsend Security Data Privacy Blog

Top 5 FAQs About PGP File Encryption Answered

Posted by Victor Oprescu on Feb 19, 2014 12:25:00 PM

Education is what remains after one has forgotten what one has learned in school.

Albert Einstein

Podcast: PGP Encryption on the IBM i One important aspect of our work is supporting our customers and answering their questions. There is a lot to learn, and there are a lot of sources of information, and it can be difficult at times to decide what information to take in and what to let pass by.

Beyond answering their questions about broader topics such as security and compliance, we also end up discussing some very technical issues that they have questions about as well. It’s not usually until after someone begins working with our products that we step in to answer questions about the technical aspects, the nitty gritty, of how a product addresses their security and compliance needs. In this article I will cover in greater technical detail five frequently asked questions about working with PGP encryption, as well as some tips and tricks on how to get the most out of it.

1. I have encrypted a file for my trading partner, and I want to verify it, but when I try to decrypt it, why do I get an error?

If you are encrypting a file for a trading partner you are most likely using their public key. Because a public key can be given out to anybody, it becomes important to prevent just anyone from decrypting it. Thus the file can only be decrypted with your trading partner’s private key, which only they should have. Based on the principles of asymmetric encryption, it is impossible to encrypt and decrypt with the same key.

There is however a way to encrypt the file for both your trading partner and for yourself to decrypt. You can encrypt the file with multiple public keys, in this case your trading partner’s and yours. Our PGPENCRYPT command does this through the use of the ‘Additional user IDs’ parameter, in which you would define a public key for encryption to which you had a matching private key for. That way you would be able to decrypt it using your private key to verify the contents of the file.

2. How do I provide my trading partner with my key?

When you are exporting keys from the keyring there is one important question to ask, will the key be used for encryption or decryption? When you are exchanging files with a trading partner you have to remember that you will be encrypting with their public key and they will be encrypting with your public key. But decryption, again, can only happen with a private key.
So if you need to export a key for encryption it needs to be the public key, if it’s for decryption you should export the key pair.

Our PGPKEYEXP command can accomplish both for you. You would define the key to export with the ‘Export type’ parameter, where *PUBLIC exports the public key and *KEYPAIR exports both the public and private keys in one file. You can verify what was exported by viewing the file. Even though they keys themselves are unreadable the title is. An exported key pair would list the private key first.

It is important to note that under no circumstances should you provide your private key or the entire key pair to your trading partners or vendors. The option to export the key pair is built into the application to allow you to move individual key pairs between your company’s own servers.

3. My trading partner’s key has expired, can I update its expiration date using PGP commands?

There is a way to update the expiration date on a public key, but not one you received from a trading partner. The public key can be updated only if you have the matching private key and the private key’s password. Because your trading partner should not ever share neither their private key nor their password, you cannot update the expiration date on that public key.
You will need to attain the new public key from your trading partner. The good thing is that most trading partners have a system in place that should inform you ahead of time of the impending expiration of their public key and either provide the new key with that notice or provide instructions on how you can obtain it.

4. I have received a key from a trading partner and I have added it to the keyring but I can’t encrypt with it (or I am being asked if I want to trust the key every time I try to encrypt with it), how do I trust it?

When you first import a public key PGP will not ‘trust’ it, since information encrypted with it can’t normally be recovered (see Question 1 for options). When you try to encrypt with it, PGP will error out, although when you are encrypting interactively, it will prompt you. To trust the key you need to do the following 2 steps:

  1. Sign the new key with your private key to validate the key using the PGPKEYSIGN command. Because you are using your private key to do this you will need its password as well.
  2. Then you need to set its trust level using the PGPKEYCHG command. Once you have done this PGP will accept the key for encryption.

5. My trading partner wants me to sign the file. What does signing a file do?

Signing a file is a way that you can help your trading partner make sure the file they received really came from you. You can encrypt and sign a file or just sign it, on the latter the contents of the file remain visible but an encrypted string is added to the bottom containing your signature. A signature can only be created with a private key, so your trading partner can be pretty certain that the file could only have come from you. The signature is verified by PGP by using your public key to decrypt and read that encrypted string. The string is never stored in the clear but it is read and PGP returns a message that it has verified it. This does mean that anyone with your public key can verify your signature, but then again that is what you want. If a file is both encrypted and signed, the signature would be read by your public key and the contents decrypted by your trading partner’s private key. You can define the signing key in our PGPENCRYPT command with the ‘Signing user ID’ parameter and by providing the command with its password. You can also sign a clear text file or an already encrypted file with the PGPSIGN command.

For more information on encrypting data in transit with PGP, download the podcast, “PGP Encryption on the IBM i,” featuring data security expert Patrick Townsend.

PGP encryption on the IBM i

Topics: Encryption, PGP Encryption, IBM i