Shabarish V Nair

PGPDecryption Module: A Simple How to Guide

This is a continuation of the blog PGPEncryption Module: A Simple How to Guide.

In the earlier blog, we had signed and encrypted a file. In this blog, we will see how we can decrypt that file and read the original content.

High Level Scenario:


Basics of Decryption:

1. Decryption only

For decryption only, we need our private key and its passphrase. There is no need to explicitly specify the algorithm, as the module detects it automatically.

2. Decrypt and Verify

Here, along with our private key and passphrase, we need to provide the partner's public key to verify the sender's signature. Again, there is no need to provide any algorithm information.

Sender communication channel configuration:


In the above configuration, we have used our private key secring.skr along with its passphrase for decryption, and the partner's public key didikey.pkr to verify the sender's signature.

Input Message:


Output Message:


End Note:

Even though I have used the file adapter in these blogs, please note that the PGP modules can also be used with other adapters. By default, all the keys can be stored at the OS level at the path 'usr/sap/<System ID>/<Instance ID>/sec'. If required, you can store them in a different location and then use the parameter keyRootPath in the module configuration to specify that path. Note that the path and the keys should be accessible by the user <SID>adm.
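Because the keys live on the file system, their ownership and mode bits are the only access control around them. The following is an added example, not part of the original blog or of SAP's module: a shell function that audits a key directory, assuming the .skr/.pkr naming used above and, as a hardening assumption beyond what the blog states, that the secret keyring should be accessible to its owner only and the public keyring should not be writable by group or others.

```shell
#!/bin/sh
# Added example (not SAP code): audit the directory that holds the PGP keys.
# Usage: audit_key_dir DIR EXPECTED_UID   (EXPECTED_UID = numeric UID of <SID>adm)
# Prints one line per finding; the return status is the number of findings.
audit_key_dir() {
    dir=$1 want_uid=$2 findings=0
    if [ ! -d "$dir" ]; then
        echo "NO_SUCH_DIR $dir"
        return 1
    fi
    for f in "$dir"/*.skr "$dir"/*.pkr; do
        [ -f "$f" ] || continue        # unmatched glob or not a regular file
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner UID
        meta=$(ls -ldn -- "$f" | awk '{print $1, $3}')
        mode=${meta% *}
        uid=${meta#* }
        grp_oth=$(printf '%s' "$mode" | cut -c5-10)   # group + other rwx bits
        if [ "$uid" != "$want_uid" ]; then
            echo "WRONG_OWNER $f uid=$uid expected=$want_uid"
            findings=$((findings + 1))
        fi
        case $f in
        *.skr)
            # Secret keyring: no access at all for group or others.
            if [ "$grp_oth" != "------" ]; then
                echo "SECRET_KEY_EXPOSED $f mode=$mode"
                findings=$((findings + 1))
            fi ;;
        *.pkr)
            # A public keyring may be readable by all, but a writable one lets
            # someone replace the key that signature verification relies on.
            case $grp_oth in
            ?w????|????w?)
                echo "PUBLIC_KEY_WRITABLE $f mode=$mode"
                findings=$((findings + 1)) ;;
            esac ;;
        esac
    done
    return "$findings"
}

# Direct use: sh audit_keys.sh <key directory> <numeric UID of <SID>adm>
if [ "$#" -eq 2 ]; then
    audit_key_dir "$1" "$2"
fi
```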

      Former Member

      Hi Shabarish,


      Thanks for two great blogs regarding the possibilities of the PGPEncryption/PGPDecryption. These are two modules, which SAP has neglected for far too long and finally they are here.


      One thing I really don't understand is why SAP cannot make up its mind on where to store certificates. In most configurations in PI the certificates are stored and accessed - in my mind correctly - in the keystore of the JEE and then we see this exception. Why would they choose to store the certificates for such a vital thing as this in the filesystem? It really bugs me that SAP hasn't made an effort in streamlining handling of certificates towards using the keystore.


      Anyways, I was doing a bit of searching for the documentation on how to set up PGP and SFTP, but have not been able to find it. I would appreciate it if you could maybe post a link to where SAP is hiding this documentation.


      Best regards,


      Shabarish V Nair
      Blog Post Author


      From what I understand, SAP has used the bouncycastle API for developing their module. The API basically does a fileinputstream kind of read of the certificates, and that seems to be the reason SAP is not storing it in the keystores but at the OS level.

      Also regarding the documentation, I think it is not yet released on the SAP help site. You will have to follow Piyush's blog on the B2B add-on availability and follow the SAP notes. As part of the download mentioned in the note, you will find the documentation as a PDF.

      Former Member

      Hi Shabarish,

      Based on your blog I developed a decryption module in my FTP-to-file interface. I am getting the below error. Please help me: how do I avoid this error? Is it a configuration error, or do we need to install an add-on or import a Java API?

      Error:org.Bouncycastle.openpgp.PGPexception:checksum missmatch at 0 to 20.

      Former Member

      excellent blog!!!

      Former Member

      Excellent blog. Thank you Shabarish for your sharing.

      Former Member

      Excellent blog. One question Shabarish: I have created the sender channel following the instructions and the Private and Secret Key are being referenced from OS level file system properly. However I have a secret key issue where the channel fails because the key is not being found.


      It seems that it's happening due to an inconsistent file *.skr.


      Any help will be appreciated.




      Former Member

      Nice blog.. On similar lines and information point of view.. sekhar.dachepalli's blog:

      Dated as back as Dec 16,2010..

      Former Member

      Nice blog.


      Is GPG supported by SAP PI for decryption?

      Former Member

      Hi Vipul,


      SAP PI Supports for decryption.

      Dheeraj Kumar

      Hi Shabarish,


      I have to do SFTP (.PGP) file to PO to Proxy interface with mapping involved.

      For this first I have to do decryption of .pgp file in sender sftp channel, is this correct? then only I will be able to do mapping, correct me if I am wrong.


      If this is correct then you have mentioned ownPrivatekey in your screenshot, from where I will get value for this. For public key I will ask from sender.



      Dheeraj Kumar

      Santhoshi M

      Hi Dheeraj,


      Yes, on the sender side you have to decrypt the encrypted file and then do the mapping.


      Regarding Private Key:


      1) You have to generate your Public and Private key by using the tools provided.

      2) Exchange your public keys between you and your partner.

      3) In Module configuration provide your own Private key details.

      Sidhant Vanshival

      The partner has provided us with the partner key with a .txt extension. Can we deploy the key with the same extension, or do we need to change the extension of the public key to .pkr or any other format?

      Avinash Vaishya

      Hi Shabarish,


      Can this decryption be done without the SAP PI module? We are using SAP as a development environment and wanted to decrypt the client file.




      Pooja Varshney

      Hi Shabarish,

      I am currently working on a scenario where PI will decrypt an encrypted file (using our public key) without verification of the sender. For this, I am using ownPrivateKey and pwdOwnPrivateKey, these two parameters in the PGP Decryption module, as suggested in your blog too.

      But I am getting this error: Parameter partnerPublicKey is not set: please check the module configuration. So, could you please let me know whether the signing by the sender is important in the decryption process or not, for which we require the partner's public key? Please find the screenshot for the same.

      I would highly appreciate it if you would respond to this query on a priority basis.

      Thank you,

      Pooja Varshney