GNU Privacy Guard (GPG)

GPG encrypts and decrypts data with a public/private key pair: data is encrypted to a recipient's public key and can only be decrypted with the matching private key.

The data is first (optionally) compressed, then encrypted with a randomly generated one-time session key, and that session key is in turn encrypted with the recipient's public key. Data extracted by executing a RuleSet can be transformed with the GPG method of the Transform action.

In the DSG Web UI, the Operation field selects either the Encrypt or the Decrypt operation; the available options differ per operation. The DSG appliance is compatible with GPG v2.2. For the GPG options themselves, refer to the GnuPG documentation at https://www.gnupg.org/faq/gnupg-faq.html

Importing keys

Use the following steps to import a public and private key pair that was generated outside the DSG.

To import keys:

  1. Upload the public key from the ESA Web UI. Navigate to Cloud Gateway > 3.3.0.0 {build number} > Transport > Certificate/Key Material.

    The Certificate/Key Material screen appears.

    1. On the Certificate/Key Material screen, click Upload.

    2. Click Choose File and select the public key to be uploaded.

  2. Upload the private key to the ESA using an FTP tool. Treat this file as a secret: after the import in step 7 has succeeded, GPG keeps the secret key in private-keys-v1.d under the homedir, so the uploaded file is no longer needed and should be removed or access-restricted.

  3. On the DSG CLI Manager, navigate to the /opt/protegrity/alliance/3.3.0.0.<build number>-1/config/resources/ directory. Verify that the private key and public key are available in this directory.

  4. Run the following command to list the running containers:

    docker ps

    The gpg-agent container appears in the list. For example,

    CONTAINER ID   IMAGE                    COMMAND                  CREATED        STATUS          PORTS     NAMES
    28791aa86a02   gpg-agent:3.3.0.0.51     "gpg-agent --server …"   15 hours ago   Up 25 minutes             gpg-agent-3.3.0.0.51-1

  5. In the NAMES column, note the container name of the entry whose IMAGE is gpg-agent:3.3.0.0.<build number>. This name is used in the following docker exec commands.

  6. Run the following command to import the public key.

    docker exec -it <Name of the GPG container> gpg --homedir /opt/protegrity/alliance/config/resources --import /opt/protegrity/alliance/config/resources/<public_key_file_name>
    

    For example,

    docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources --import /opt/protegrity/alliance/config/resources/test.gpg
    
  7. Import the private key by running the following command:

    docker exec -it <Name of the GPG container> gpg --homedir /opt/protegrity/alliance/config/resources --allow-secret-key-import --pinentry-mode loopback --import /opt/protegrity/alliance/config/resources/<private_key_file_name>
    

    For example,

    docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources --allow-secret-key-import --pinentry-mode loopback --import /opt/protegrity/alliance/config/resources/secret.gpg
    
  8. Set the owner trust of the imported key to ultimate by running the following command (<Name> is the key's user ID, email address or key ID):

    docker exec -it <Name of the GPG container> gpg --homedir /opt/protegrity/alliance/config/resources --edit-key <Name>
    

For example,

```
docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources --edit-key test.user@sample.com
gpg> trust
# enter 5<RETURN>   (5 = I trust ultimately)
# enter y<RETURN>   to confirm
gpg> quit
```

Ultimate trust is the level GPG normally reserves for keys you generated yourself. It makes GPG treat the key as fully valid without the "There is no assurance this key belongs to the named user" check, which is what allows the DSG to encrypt to the key in batch mode (it runs gpg with --batch and --no-auto-check-trustdb). Assign it only after confirming the key's fingerprint (gpg --fingerprint <Name>) with the key's owner out of band.

Generating GPG keys

Use the following steps to generate a GPG key pair on the ESA.

  1. Login to ESA CLI Manager.

  2. Run the following command to generate the key.

    docker exec -it <Name of GPG container> gpg --homedir /opt/protegrity/alliance/config/resources/ --pinentry-mode=loopback --full-generate-key
    

    For example,

    docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources/ --pinentry-mode=loopback --full-generate-key
    
  3. Select the type of key that you want to generate from the following options.

    • (1) RSA and RSA (default)
    • (2) DSA and Elgamal
    • (3) DSA (sign only)
    • (4) RSA (sign only)
  4. Enter the key size in bits. GPG accepts RSA keys between 1024 and 4096 bits. 1024-bit RSA is no longer considered adequate; use at least 2048 bits, and prefer 3072 or 4096 for new keys.

  5. Select the validity of the key from the following options.

    • 0 = key does not expire
    • <n> = key expires in n days
    • <n>w = key expires in n weeks
    • <n>m = key expires in n months
    • <n>y = key expires in n years
  6. Enter the real name that identifies the key.

  7. Enter the email address for the key.

  8. Enter an optional comment for the key. GPG combines the real name, comment and email address into the user ID, "Real Name (Comment) <email>", which is stored with the public key and is the name you later use to select the key (for example in the Recipient Name field of an Encrypt rule).

  9. Select (O) to confirm the user ID details.

  10. Enter a passphrase, or press Enter to leave the private key unprotected. The passphrase is required whenever the private key is used, that is, during decryption; the Decrypt rule supplies it through its Passphrase field. An unprotected key needs no passphrase (the Passphrase field is left empty), but then anyone who can read the homedir can decrypt with it.

  11. Run the following command to verify the key is generated.

    docker exec -it <Name of the container> gpg --homedir /opt/protegrity/alliance/config/resources/ --list-keys
    

    For example,

    docker exec -it gpg-agent-3.3.0.0.51-1 gpg --homedir /opt/protegrity/alliance/config/resources/ --list-keys
    

After a key has been generated or imported, the GPG homedir (config/resources) contains the following. The keyring file name depends on the keyring's origin: GPG 2.2 creates pubring.kbx for a new homedir and only keeps using pubring.gpg if that file already exists, and since GPG 2.1 secret keys are stored in private-keys-v1.d rather than in secring.gpg:

  • pubring.gpg (or pubring.kbx): the public keyring
  • secring.gpg: legacy secret keyring, present only for keyrings migrated from GPG 1.x/2.0
  • trustdb.gpg: owner trust assignments, including the ultimate trust set above
  • random_seed: RNG seed file
  • s.gpg-agent, s.gpg-agent.ssh, s.gpg-agent.extra, s.gpg-agent.browser: gpg-agent Unix sockets (when the agent places its sockets in the homedir)
  • private-keys-v1.d: secret keys in gpg-agent's storage format; back this up and restrict its permissions
  • openpgp-revocs.d: revocation certificates generated alongside new keys

Encrypt operation

This section lists the transform rule options for the Encrypt operation of the GPG rule implementation.

The following fields are available for the Encrypt operation in the GNU Privacy Guard method.

Field: Recipient Name
Description: Encrypt the data to the public key of this recipient. Provide the user ID (name or email address) that was defined when the public key was generated, or the key ID. Passed to GPG as --recipient.
Restrictions: None.

Field: ASCII Armor
Description: Enable to produce ASCII-armored output instead of binary. Use this when the output must be sent safely through email or printed. Passed to GPG as --armor.
Restrictions: None.

Field: Custom Arguments
Description: Additional arguments to pass on the GPG command line, beyond the ones the DSG already supplies. Ensure that the syntax is correct.
Restrictions: The following arguments are supplied by the DSG itself; do not pass them again in this field:
  • "--armor"
  • "--recipient"
  • "--decrypt"
  • "--homedir"
  • "--passphrase"
  • "--batch"
  • "--no-tty"
  • "--no-auto-check-trustdb"
  • "--no-permission-warning"
  • "--encrypt"
  • "--pinentry-mode loopback"

Decrypt operation

This section lists the transform rule options for the Decrypt operation of the GNU Privacy Guard (GPG) rule implementation.

The following fields are available for the Decrypt operation in the GPG method.

Field: Passphrase
Description: The private key passphrase, either as a literal string or as the name of a file in the /config/resources directory that contains the passphrase. Leave it empty (null) if the private key is not passphrase protected. Passed to GPG as --passphrase with --pinentry-mode loopback.
Notes:
  • Clicking the (view) icon displays the stored passphrase in encrypted form.
  • If you import a ruleset configuration .zip that was created with an older DSG version and contains a GPG ruleset with a key passphrase defined, the DSG does not encrypt that key passphrase.

Field: Delimiter
Description: Regular expression used to split the input stream. The rule is invoked once per delimited segment.

Field: Custom Arguments
Description: Additional arguments to pass on the GPG command line, beyond the ones the DSG already supplies. Ensure that the syntax is correct.