Overview - PGP Encryption Process
PGP (Pretty Good Privacy) is a security program that can be used to encrypt sensitive files. MoEngage supports PGP encryption in File Imports (S3 Import, SFTP Import). This article explains how to use PGP encryption for your sensitive files if you choose to encrypt them.
Requisites
- PGP key pair - A PGP key pair consists of a Public key and a Private key. The Public key is used to encrypt the file, and the Private key is used to decrypt it. The Private key should not be shared with anyone, because it is what decrypts the sensitive information in the file. This Private key is the input you supply in the SFTP (SSH File Transfer Protocol) integration with MoEngage.
- A signing key pair consists of a Public key and a Private key. The Public key is used to sign the file and is taken as input in MoEngage SFTP integration. Internally, the private key is used to verify the signature.
Steps to Use PGP Key Pair
The following steps describe how to use PGP encryption through GnuPG, a free implementation of the PGP standard.
Step 1: Generate a standard key pair (public and private)
You can generate the PGP key pair using a PGP tool like GnuPG. If you are generating the key pair, follow the example below. If MoEngage is generating the key pair for you, skip to steps 1 and 2.
(env) ubuntu@ip-10-66-67-30:~$ gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Moengage
Email address: secops@moengage.com
Comment:
You selected this USER-ID:
"Moengage <secops@moengage.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 625A24E04B26F243 marked as ultimately trusted
gpg: revocation certificate stored as '/home/ubuntu/.gnupg/openpgp-revocs.d/F4CDDF1A7B223A63BF90787E625A24E04B26F243.rev'
public and secret key created and signed.
pub rsa3072 2023-01-18 [SC]
F4CDDF1A7B223A63BF90787E625A24E04B26F243
uid Moengage <secops@moengage.com>
sub rsa3072 2023-01-18 [E]
Step 2: Generate a Public Key and Encrypt the Files
If MoEngage generates the public key, they will share it with you. Conversely, if you generate it, you should encrypt the file using this public key and upload the encrypted files to the S3/SFTP folder.
gpg --import <public-key.pgp>
gpg --encrypt --sign --armor -r secops@moengage.com <File-name>
The --sign option signs the file with your own key in addition to encrypting it, so the recipient can verify who produced it.
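Before uploading an encrypted file to the S3/SFTP folder (Step 2) or ticking the "Is your file encrypted?" checkbox (Step 3), it is worth confirming that the file really is an OpenPGP encrypted message and that it was encrypted for the expected key. The following is an added example, not MoEngage's or GnuPG's code: it reads the OpenPGP packet headers (RFC 4880) directly, needs no gpg binary, and reports the recipient key ID found in the Public-Key Encrypted Session Key packet. The key ID 625A24E04B26F243 is the one printed by the gpg session above; the sample bytes are constructed by build_sample() and are not real gpg output. Note that with --encrypt --sign the signature lives inside the encrypted payload, so this check cannot see it; only decryption (Steps 4 and 5) can verify it.

```python
# Added example (not MoEngage code): a pre-upload check that reads OpenPGP packet headers
# (RFC 4880 section 4.2) with no gpg binary, to confirm a file is really encrypted and for whom.
import base64

PKESK, SIG, ONE_PASS, SED, SEIPD = 1, 2, 4, 9, 18           # packet tags, RFC 4880 section 4.3
NAMES = {1: "public-key encrypted session key", 2: "signature", 3: "symmetric-key encrypted session key",
         4: "one-pass signature", 8: "compressed data", 9: "symmetrically encrypted data",
         11: "literal data", 18: "sym. encrypted integrity protected data"}

def crc24(data: bytes) -> int:
    """CRC-24 of the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Wrap packet bytes in a PGP MESSAGE armor block (used here to build test input)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n={crc}\n-----END PGP MESSAGE-----\n"

def dearmor(text: str) -> bytes:
    """Strip ASCII armor, check the CRC-24 line and return the raw packet bytes."""
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END PGP ")]
    if not begin or not end:
        raise ValueError("no PGP armor block found")
    body = lines[begin[0] + 1:end[0]]
    if "" in body:                                   # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l[1:] for l in body if l.startswith("=")]  # the "=XXXX" checksum line
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[-1]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch: file is corrupt or truncated")
    return data

def _new_length(data: bytes, i: int):
    """Decode a new-format body length at data[i]; returns (length, next_index, is_partial)."""
    b = data[i]
    if b < 192:
        return b, i + 1, False
    if b < 224:
        return ((b - 192) << 8) + data[i + 1] + 192, i + 2, False
    if b == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (b & 0x1F), i + 1, True              # partial body length: another length header follows

def parse_packets(data: bytes) -> list:
    """Split binary OpenPGP data into (tag, body) pairs; gpg emits both old- and new-format headers."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"byte {i}: 0x{ctb:02x} is not an OpenPGP packet header (plaintext?)")
        i += 1
        if ctb & 0x40:                               # new format: tag in the low 6 bits
            tag, body = ctb & 0x3F, b""
            while True:
                length, i, partial = _new_length(data, i)
                body, i = body + data[i:i + length], i + length
                if not partial:
                    break
        else:                                        # old format: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                           # indeterminate length: body runs to end of input
                body, i = data[i:], len(data)
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + n], "big")
                body, i = data[i + n:i + n + length], i + n + length
        packets.append((tag, body))
    return packets

def inspect_message(data: bytes) -> dict:
    """Summarise the outer packet structure the way a pre-upload check would report it."""
    packets = parse_packets(data)
    tags = [t for t, _ in packets]
    # PKESK body layout: version(1) | recipient key ID(8) | public-key algorithm(1) | MPIs
    recipients = [b[1:9].hex().upper() for t, b in packets if t == PKESK and b[0] == 3]
    return {"packets": [NAMES.get(t, f"tag {t}") for t in tags],
            "encrypted": SEIPD in tags or SED in tags,
            "integrity_protected": SEIPD in tags,
            "recipient_key_ids": recipients,
            # with --encrypt --sign the signature is inside the encrypted payload, so it is not visible here
            "signature_visible": SIG in tags or ONE_PASS in tags}

def encrypted_for(data: bytes, key_id: str) -> bool:
    """True when the file is encrypted and names key_id (16 hex digits) as a recipient."""
    info = inspect_message(data)
    return info["encrypted"] and key_id.upper() in info["recipient_key_ids"]

def build_sample(key_id_hex: str, old_format: bool = False) -> bytes:
    """Constructed stand-in for gpg output: one PKESK packet for key_id_hex, then a tiny SEIPD packet."""
    mpi = b"\x00\x10\xab\xcd"                        # fake 16-bit MPI in place of the RSA-wrapped session key
    pkesk_body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + mpi   # version 3, key ID, algo 1 = RSA
    ctb = (0x80 | (PKESK << 2)) if old_format else (0xC0 | PKESK)      # one-octet length in both forms
    seipd_body = b"\x01\xde\xad\xbe\xef"             # version 1 + placeholder ciphertext bytes
    return bytes([ctb, len(pkesk_body)]) + pkesk_body + bytes([0xC0 | SEIPD, len(seipd_body)]) + seipd_body
```

For a real file, read it in binary, call dearmor() first if it starts with "-----BEGIN PGP MESSAGE-----", then encrypted_for(data, "<recipient key ID>"). A result of False for a file you intended to upload means it is either plaintext or encrypted to a key MoEngage cannot decrypt with, and the import will fail or expose data; the "integrity_protected" flag being False (tag 9 instead of 18) indicates an old encryption mode without the MDC that modern gpg versions reject.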
Step 3: Add the keys in the MoEngage Dashboard
If you generate the keys, input the private key into the decryption key section on the MoEngage dashboard and fill the key passphrase section with the passphrase. If the keys are generated by MoEngage, ensure the Is your file encrypted? checkbox is selected during the first step of Data Imports. For more information, refer to the Adding your S3 Credentials (S3 Imports) and Adding your S3 Credentials (SFTP Imports) sections.
Step 4: Decrypt a File
To decrypt an encrypted file, you need two things: your private key and the passphrase you set when creating the key pair. In the PGP software, select the encrypted file and enter your passphrase; the software decrypts the file and produces an unencrypted copy of the original.
For Python users, consider the python-gnupg package, a Pythonic wrapper for the gpg command.
import os
import gnupg  # python-gnupg package: pip install python-gnupg

# initialising; gnupghome is the directory that holds the GnuPG keyring
gpg = gnupg.GPG(gnupghome=os.path.expanduser('~/.gnupg'))
gpg.encoding = 'utf-8'

# importing the private key to the server where we are going to decrypt the file;
# key_data holds the ASCII-armored private key block
key_data = ""
import_result = gpg.import_keys(key_data)
gpg.trust_keys(import_result.fingerprints, "TRUST_ULTIMATE")

# decrypting the file; the passphrase is the one chosen when the key pair was generated
encrypted_file_path = "/path/to/encrypted/file"
with open(encrypted_file_path, 'rb') as file:
    status = gpg.decrypt_file(file, passphrase="", output="/path/to/decrypted/file")
print(status.ok)      # True when decryption succeeded
print(status.stderr)  # gpg diagnostics, useful when status.ok is False
Step 5: Verify the File's Signature [Optional Step]
If a signing key has been used to sign your file, proceed to copy the public key and signing key pair into the respective section on MoEngage dashboard. MoEngage will then verify the file placed in the S3/SFTP folder for a signature match, as shown below.
# status is the object returned by gpg.decrypt_file() above
if status.signature_id:  # set only when the signature verified, otherwise None
    print("signature verified")
else:
    print("signature not verified")