GPG first optionally compresses the data, encrypts it with a randomly generated one-time session key, and then encrypts that session key with the recipient's public key. The data extracted by executing a RuleSet can be transformed with the GPG method in the Transform action.
In the DSG Web UI, in the Operation field, select either the Encrypt or the Decrypt operation. The options shown vary with the selected operation. The DSG appliance is compatible with GPG v2.2. Refer to the GPG documentation at https://www.gnupg.org/faq/gnupg-faq.html.
Run the following steps to import public and private keys generated outside DSG.
To import keys:
Upload the public key from the ESA Web UI. Navigate to Cloud Gateway > 3.3.0.0 {build number} > Transport > Certificate/Key Material.
The Certificate/Key Material screen appears.
On the Certificate/Key Material screen, click Upload.
Click Choose File and select the public key to be uploaded.
Upload the private key to ESA using an FTP tool.
On the DSG CLI Manager, navigate to the /opt/protegrity/alliance/3.3.0.0.<build number>-1/config/resources/ directory. Verify that the private key and public key are available in this directory.
Run the following command.
```
docker ps
```
A list of the running docker containers and their images is displayed. For example:
```
CONTAINER ID   IMAGE                  COMMAND                  CREATED        STATUS          PORTS   NAMES
28791aa86a02   gpg-agent:3.3.0.0.51   "gpg-agent --server …"   15 hours ago   Up 25 minutes           gpg-agent-3.3.0.0.51-1
```
Under the NAMES column, note the name of the container that corresponds to the gpg-agent:3.3.0.0.<build number> image.
Run the following command to import the public key.
docker exec -it <Name of the GPG container> gpg --homedir /opt/protegrity/alliance/config/resources --import /opt/protegrity/alliance/config/resources/<public_key_file_name>
For example,
docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources --import /opt/protegrity/alliance/config/resources/test.gpg
Import the private key by running the following command:
docker exec -it <Name of the GPG container> gpg --homedir /opt/protegrity/alliance/config/resources --allow-secret-key-import --pinentry-mode loopback --import /opt/protegrity/alliance/config/resources/<private_key_file_name>
For example,
docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources --allow-secret-key-import --pinentry-mode loopback --import /opt/protegrity/alliance/config/resources/secret.gpg
Set the trust level of the imported key to ultimate by running the following command:
docker exec -it <Name of the GPG container> gpg --homedir /opt/protegrity/alliance/config/resources --edit-key <Name>
For example,
```
docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources --edit-key test.user@sample.com
gpg> trust
# enter 5 (I trust ultimately) and press Enter
# enter y and press Enter to confirm
gpg> quit
```
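The import and trust steps above are interactive. The following script is an added example, not Protegrity's own code, that performs the same procedure unattended: it imports the public and private key files from the container's homedir, reads the primary-key fingerprint from a `--with-colons` listing, and writes ultimate ownertrust with `--import-ownertrust` instead of answering the `gpg> trust` prompt. The container name, key file names and user ID are the page's placeholders; the colon-format listing embedded in the script is constructed so the parsing helper can be exercised without a container.

```shell
#!/bin/sh
# Added example (not Protegrity's code): non-interactive import-and-trust for the
# gpg-agent container. Container name and file names are the page's placeholders.

GPG_CONTAINER="${GPG_CONTAINER:-gpg-agent-3.3.0.0.51-1}"
GPG_HOME="/opt/protegrity/alliance/config/resources"

# Run gpg inside the gpg-agent container against the resources homedir.
# -i (not -t) keeps stdin connected so ownertrust records can be piped in.
cgpg() {
    docker exec -i "$GPG_CONTAINER" gpg --homedir "$GPG_HOME" "$@"
}

# Print the primary-key fingerprint of each key whose user ID contains $2,
# given a `gpg --list-keys --with-colons` listing in $1.
# Colon format: the first "fpr" record after a "pub" record carries the primary
# fingerprint in field 10; "uid" records carry the user ID in field 10.
fingerprints_for() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" '
        $1 == "pub" { fpr = ""; done = 0 }
        $1 == "fpr" && fpr == "" { fpr = $10 }
        $1 == "uid" && !done && index($10, uid) > 0 { print fpr; done = 1 }
    '
}

# Ownertrust record for --import-ownertrust: "<fingerprint>:<level>:".
# Level 6 is ultimate, the same as answering 5 at the interactive trust prompt.
ownertrust_line() {
    printf '%s:6:\n' "$1"
}

# Import a public and a private key file from the homedir, then mark the
# key matching the user ID as ultimately trusted.
import_and_trust() {
    pub_file="$1"; sec_file="$2"; user_id="$3"
    cgpg --import "$GPG_HOME/$pub_file"
    cgpg --allow-secret-key-import --pinentry-mode loopback --import "$GPG_HOME/$sec_file"
    listing=$(cgpg --list-keys --with-colons --fingerprint)
    for fpr in $(fingerprints_for "$listing" "$user_id"); do
        ownertrust_line "$fpr" | cgpg --import-ownertrust
    done
}

# Constructed sample listing (not real key material) in the shape gpg emits,
# used to demonstrate the parser offline.
SAMPLE_LISTING='pub:u:3072:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Test User <test.user@sample.com>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Returns the primary fingerprint for the sample user ID (not the subkey's).
demo_fingerprint() {
    fingerprints_for "$SAMPLE_LISTING" test.user@sample.com
}

# Only touch the container when explicitly requested.
if [ "${RUN_IMPORT:-0}" = "1" ]; then
    import_and_trust test.gpg secret.gpg test.user@sample.com
fi
```

Run with `RUN_IMPORT=1 sh import_and_trust.sh` on the appliance after the key files are in the resources directory; without that variable the script only defines the helpers. Writing ownertrust by fingerprint avoids the ambiguity of `--edit-key <Name>` when more than one key shares an e-mail address.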
Run the following steps to generate GPG keys on ESA.
Log in to the ESA CLI Manager.
Run the following command to generate the key.
docker exec -it <Name of GPG container> gpg --homedir /opt/protegrity/alliance/config/resources/ --pinentry-mode=loopback --full-generate-key
For example,
docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources/ --pinentry-mode=loopback --full-generate-key
Select the type of key that you want to generate from the following options.
Enter the key size, in bits. The key size can range from 1024 to 4096.
Select the validity of the key from the following options.
Enter the real name that identifies the key.
Enter the email address for the key.
Enter a comment for the key. A GPG public key bundles the key material with user ID information (real name, comment and e-mail address) that identifies the key with its owner.
Enter O (Okay) to confirm the user ID details.
Press Enter, or provide a passphrase. The passphrase is required when the private key is used for decryption.
Run the following command to verify the key is generated.
docker exec -it <Name of the container> gpg --homedir /opt/protegrity/alliance/config/resources/ --list-keys
For example,
docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources/ --list-keys
The gpg directory must include the following files after you generate a GPG key successfully:
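For scripted appliance builds, the same prompts (key size, validity, real name, e-mail, comment, passphrase) can be answered unattended with a GnuPG parameter file fed to `gpg --batch --generate-key`. The script below is an added example, not Protegrity's own code; the container name is the page's placeholder, and the parameter names are GnuPG's documented unattended-generation keys. It also enforces the 1024 to 4096 bit range stated above before anything is sent to the container.

```shell
#!/bin/sh
# Added example (not Protegrity's code): unattended GPG key generation for the
# gpg-agent container using a GnuPG parameter file built from the prompt answers.

GPG_CONTAINER="${GPG_CONTAINER:-gpg-agent-3.3.0.0.51-1}"
GPG_HOME="/opt/protegrity/alliance/config/resources"

# Key size bounds from the page: an integer between 1024 and 4096 bits.
validate_keysize() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 4096 ]
}

# Build the parameter file on stdout.
# $1 key size, $2 validity (GnuPG Expire-Date syntax: 0, 1y, 90d, or a date),
# $3 real name, $4 e-mail, $5 comment (may be empty), $6 passphrase (may be empty).
# An empty passphrase yields an unprotected key (%no-protection), which is what
# pressing Enter at the interactive passphrase prompt produces.
gen_params() {
    keysize="$1"; expire="$2"; name="$3"; email="$4"; comment="$5"; passphrase="$6"
    validate_keysize "$keysize" || { echo "key size must be 1024-4096 bits" >&2; return 1; }
    printf 'Key-Type: RSA\nKey-Length: %s\nSubkey-Type: RSA\nSubkey-Length: %s\n' "$keysize" "$keysize"
    printf 'Name-Real: %s\nName-Email: %s\n' "$name" "$email"
    [ -n "$comment" ] && printf 'Name-Comment: %s\n' "$comment"
    printf 'Expire-Date: %s\n' "$expire"
    if [ -n "$passphrase" ]; then
        printf 'Passphrase: %s\n' "$passphrase"
    else
        printf '%%no-protection\n'
    fi
    printf '%%commit\n'
}

# Pipe the parameter file into gpg in the container, then list the result.
# The passphrase is read from the GPG_PASSPHRASE environment variable so it
# never appears on a command line visible in `ps`.
generate_key() {
    gen_params "$@" | docker exec -i "$GPG_CONTAINER" gpg --homedir "$GPG_HOME" \
        --batch --pinentry-mode loopback --generate-key
    docker exec -i "$GPG_CONTAINER" gpg --homedir "$GPG_HOME" --list-keys
}

# Only touch the container when explicitly requested.
if [ "${RUN_GENERATE:-0}" = "1" ]; then
    generate_key 3072 1y "Test User" test.user@sample.com "DSG transform key" "${GPG_PASSPHRASE:-}"
fi
```

Run it as `GPG_PASSPHRASE=... RUN_GENERATE=1 sh generate_key.sh`; `gen_params 3072 1y "Test User" test.user@sample.com "" ""` prints the parameter file so it can be reviewed before use.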
This section lists the Transform rule options for the Encrypt operation of the GPG method.
The following table describes the fields for the Encrypt operation in the GNU Privacy Guard method.
Field | Description | Restrictions (if any) |
---|---|---|
Recipient Name | Encrypt the data for the specified recipient. The recipient name is defined when the public key is generated; provide either the e-mail ID or the key ID. | |
ASCII Armor* | Enable to produce ASCII-armored output. Use this option when the output must be in a form that can be safely sent by e-mail or printed. | |
Custom Arguments | Additional arguments to pass on the GPG command line, in addition to those DSG already supplies. Ensure that the syntax is correct. | |
The decrypt operation transform rule-related options for the GNU Privacy Guard (GPG) rule implementation are listed in this section.
The following table describes the fields for the Decrypt operation in the GPG method.
Field | Description | Notes |
---|---|---|
Passphrase | The private key passphrase, given either as a string or as the name of a file in the /config/resources directory that contains the passphrase. A null value means that the private key is not passphrase protected. | |
Delimiter | Regular expression used to delimit the stream. Rules are invoked on each delimited segment of the stream. | |
Custom Arguments | Additional arguments to pass on the GPG command line, in addition to those DSG already supplies. Ensure that the syntax is correct. | |