Skip to Content

PGPEncryption Module: A Simple How to Guide

I am sure many of you must have by now been made aware that SAP has released B2B and SFTP/PGP capabilities for SAP PI. Earlier, we had to depend upon third party vendors for this service but with SAP filling this gap, I strongly believe that PI is now in a better position to be provisioned and a true enterprise service bus.

If you are on PI 7.11, the prerequisite for installing and using these new add ons are SP08. I have been able to get my hands on a PI 7.11 SP08 machine and have successfully tested the PGP module as a start. In this blog, I will explain how to do PGP encryption using the SAP provided standard module PGPEncryption.

For simplicity sakes, I have created a simple scenario as follows;


A Basic Introduction to PGP Encryption:

1. Encryption Only

To do encryption, we will use the public key provided to us by the partner. Along with the public key, we also need to understand what is the encryption algorithm that is expected by the partner. There are various algorithms and the SAP standard module supports the following AES_128, AES_192, AES_256, BLOWFISH, CAST5, DES, 3DES and TWOFISH.

2. Sign and Encrypt

In this case along with the public key provided to us by the partner, we will also need our own private key and its passphrase that we will use to sign the message. We can also along with the encryption algorithm, choose what should be the signing algorithm. Currently the supported algorithms for signing are MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 and SHA512.

3. Compression

We can also define the compression that needs to be carried out on the message which will help reduce the message size. This is an optional usage but if used the supported compressions are ZIP, ZLIB and BZIP2

Receiver Communication channel configuration:

In the below communication channel, we will use both Sign and encrypt while sending the message to Receiver.


Note that in the above, we have used the partners public key pubring.pkr for encryption and our private key didikey.skr along with its passphrase for signing the messages. Also we have used ZIP as the compression mode.

By default, the keys can be placed under the path usr/sap/<System ID>/<Instance ID>/sec. But in case you want to use a different path, then use the parameter keyRootPath to define your custom path.

Input file used;


Signed and Encrypted message;


In the next blog, I will show you how we can decrypt this file to a human readable content 🙂

You must be Logged on to comment or reply to a post.
  • Great!!, you have made hands dirty with the new SP feature of PI..

    It will be helpful for newbies if you can share the paths of the keys where it has stored..and also any available tools for generating the keys for playing..



    • updated the blog to include the key file path.

      regarding test tool, there are many tools available online. Just search with the term 'pgp key generator'. The one i have used was already existing in my landscape.

      • Shabarish,

        Good to have this nice blog so soon with usage of PGP modules.Thx

        @Rajesh, I have tested the similar functionality with modules provided by other product vendor - Advantco.

        Keys used for testing has been generated by tool PGP Desktop 10.1.1. Hope it should work fine with this case as well.

      • Hi Bhavesh,

        I have a requirement to implement PGP from Tumbleweed to SAP ECC using SFTP/PGP modules,i have got the public and private keys from Tumbleweed as .txt format.

        As i am following your blog to implement this and noticed that we need Public Keyring(.PKR) and Secure Keyring(.SKR) from Tumbelweed apart from Public Key and Private Keys to be used in the PGG Module parameters.

        When i ask Tumbleweed team to provide me the .PKR and .SKR,they say they can not share them.

        Is there any way we can generate Tumpleweed .PKR and .SKR files to be used for PGP.

        I am able to generate own .PKR and .SKR using PGP Desktop software.

        Pls help me with your expert suggestions on how to go about this.

        Many Thanks,


        • Hi Naga,

               I believe you have your own .PKR and .SKR keys.Inorder to implement the PGP encryption and decryption,Share your Public key(.PKR) with Tumbleweed and Tumbleweed should share their PublicKey(.PKR) with you.

          Ask Tumble weed to share their .PKR key so that you can decrypt the files.But Tumbleweed won't share .SKR as it is private key and cannot be shared with anyone.

          If they are using any Signing of the message then you can use your .SKR in the module as shown above.

          Please let usknow if you have any queries.

        • Hi Naga,

          You can use the public key in the format *.asc this will do.

          you you still need a .pkr (Public Key Ring) and .skr(Secure Key ring) you can get many a tools to generate the key rings like AEDAPTIVe, etc

          Just make sure you just place these keys in the tool and generate the key rings.


  • Thanks for the blog - it really helped !

    We required PGP decryption and were able to use it on 7.1 SP4 even though the prerequisite is SP8. We didn't have to use other  features of the add on and hence can't be sure about them .



  • Hi Shabarish,

                         I am very new to PGP. I

    Got a fair idea of the process. Thank you so much for writing this.



  • Hi Shabarish,

                          Please  keep writing more blogs. If possible I would love to attend some seminars from you.



  • Hi Shabarish,

    Great blog! Thanks for sharing this valuable information with us.

    In the blog you mentioned that currently the following  signing algorithms are (standard) supported: MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 and SHA512. However, I cannot see in the screenshots where do you configure it. Could you please further explain that? For instance what steps are needed in order to configure a signing algorithm?

    Many thanks,

    Roberto Viana

  • Hey Shabraish,

    We are trying to implement the new PGPEncyption Module.  We are on PI 7.3


    Service Pack: 05
    Release: NW730EXT_05_REL

    and have followed the standard procedure to instal the add-on.  On executing a basic encyption scenario , we get a JNDI:name not found error for the EJB bean localejbs/PGPEncyption.

    The receiver communication channel is an NFS based channel.

    Did u face this kind of an issue?  if yes please help us with possible solutions.

    Thanks in advance


  • Hi Shabarish,

    Great blog!

    We are trying to implement the new PGPEncyption Module. We are on PI 7.11 and SP08 and have followed the standard procedure to instal the add-on.

    In the File Receiver Adapter we use the new PGPEncyption Module only with the parameters:

    - encryptionAlgo          AES_256

    - partnerPublicKey      pubring.gpg

    But in the communication channel we get the error:

    Error PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

    12.06.2012 11:02:35.990 Error PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

    12.06.2012 11:02:35.990 Error MP: exception caught with message Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

    12.06.2012 11:02:35.990 Error Adapter Framework caught exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

    12.06.2012 11:02:35.991 Error Delivering the message to the application using connection File_ failed, due to: java.lang.Exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher).

    Can you help us?

    Thanks in advance


  • Hi Shabarish,

    Very nice info regarding the config of SFTP scenario. Keep up the good work!

    We have implemented the same however we have encountered some peculiar issue. The message does not pass through after it is done in the module processor. Below is the log:

    21.06.2012 16:05:30.170     Information     MP: processing local module localejbs/PGPEncryption

    21.06.2012 16:05:30.170     Information     PGP Encryption Module: Message xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx arrived in PGP Module.

    21.06.2012 16:05:30.171     Information     PGP Encryption Module: The module-paramteter "asciiArmored"is not set. Using default value "true"

    21.06.2012 16:05:30.171     Information     PGP Encryption Module: The module-paramteter "format"is not set. Using default value "binary"

    21.06.2012 16:05:30.171     Information     PGP Encryption Module: The module-paramteter "keyRootPath"is not set. Using default value "/usr/sap/XXX/XXXXXXX00/sec"

    21.06.2012 16:05:30.171     Information     PGP Encryption Module: Reading public key at /usr/sap/XXX/XXXXXXX00/sec/rsapubring.pkr

    21.06.2012 16:05:30.194     Information     PGP Encryption Module: The module-paramteter "signingAlgo"is not set. Using default value "SHA1"

    21.06.2012 16:05:30.194     Information     PGP Encryption Module: Reading private key at /usr/sap/XXX/XXXXXXX00/sec/rsaccakey.skr

    21.06.2012 16:05:30.201     Information     PGP Encryption Module: Creating ASCII-Armor

    21.06.2012 16:05:30.201     Information     PGP Encryption Module: Applying compression.

    21.06.2012 16:05:30.201     Information     PGP Encryption Module: Signing

    21.06.2012 16:05:30.201     Information     PGP Encryption Module: Processing

    21.06.2012 16:05:30.666     Information     PGP Encryption Module: Applying encryption

    21.06.2012 16:05:30.681     Information     PGP Encryption Module: Message successfull processed.

    21.06.2012 16:05:30.682     Information     MP: processing local module localejbs/CallSapAdapter

    21.06.2012 16:05:30.682     Information     MP: leaving

    21.06.2012 16:05:30.683     Information     The message was successfully delivered to the application using connection SFTP_

    21.06.2012 16:05:30.689     Information     The message status was set to DLVD.

    Could you help me out on this one thanks.



  • Hi Shabarish,

    do you know of any way to not store the message id in the encrypted file?

    One of our partners doesn't use PI to decrypt the files we send to them encrypted, but uses PGP8 on their servers.

    Whenever i send them an encrypted file (f.e. original file is testfile.csv, encrypted file written to partners sftp server is testfile.csv.pgp) it decrypts to the message-id as filename instead of just substracting the .pgp file extension.

    I think this is very annoying. We tried to set asam to the communication channels, but this didn't work.

    Best regards,

    Peter Hermanns

  • Hello Shabarish,

    Can you please help me regarding below issue.

    I encrypted the file and sent to my vendor. but while decrypting from vendor side and it is gving the below error. Just used 2 modules only applyEncryption/PartnerPublicKey

    PI - 7.31

    pass phrase: event 23: Decryption
    symmetric cipher used: CAST5 event3: error -11391 event2: final Error decrypting file '834_TEST20120914-062150-197.PGP'. Corrupt data.

    badpacket exitcode= 32

    I am using PGP encryption software - GNUPG

    and Vendor is using - E-business server.

    I just found there were some compatiable issues GNUPG vs E-Business server.

    please advice your thoughts.

    Did any one tested with PI 7.31 encryption/decryption with the vendor.



    • SAP note 1695563 specifically says that the module is compatible with the following releases:

      • SAP NetWeaver PI 7.11 Support Package 8
      • SAP NetWeaver PI 7.30 Support Package 5
      • SAP NetWeaver PI 7.31 Support Package 3

      and higher.

      Best regards,


  • Hi Sabarish,

    I am working on your approach as POC. i have few doubts, can you please help me out on these questions

    1)do i need to write adapter module for this approach?

    2)where i will get partners public key pubring.pkr for encryption and our private key didikey.skr  ?

    3) do i need to import those keys in PI trust store in STRUST?

    4) do i use filezilla  as FTP server?

    My PI version is 7.3 SP5.

    Thanks & Regards


    • Dear Pavan,

      1) no, the necessary modules are all provided by SAP as part of the B2B add-on and can be downloaded seperately from the SAP support portal.

      2) your partners public key is sent to you by your partner, your private key you have to create on your own. Please find the documentation on how to create a GPG public/private keypair for your operating system on the net or on the SCN.

      3) no... just put them into the file system as specified in the SFTP/PGP adapter/module documentation.

      4) you can use whatever ftp server you want. 🙂

      Best regards,


    • In a default installation RSA encryption algorithm is not possible. According to the configuration guide the only possible encryption algorithms are:

      AES_128, AES_192, AES_256, Blowfish, CAST5, DES, 3DES and Twofish.

      Best regards,


  • Hi Shabarish,

    I found this article just today, it's a good work.

    I would add just a warning in the blog: being a guide for beginners I would add that some algorithms have long been dead or otherwise unsafe like MD5,  DES definitily unsafe or SHA1, RIPEMD160, CAST5, 3DES that are at risk at least theoretically.

    Kind regards


    • Nice job.

      I also run into this article today and found it pretty useful for my first time working with the PGP addon.

      Thanks to both of you for sharing your knowledge.

      Kind regards,


  • Hi Shabarish,

    Need your help : I want to replicate exact scenario in my System.

    But i didn't get this , Where to get to private and public Key . as I am creating a test scenario . So abt Client Public Key - Can I generate it from Somewhere ?? and our Private key - Do i have to generate it some where in SAP PI System ???

      • Hello Shabarish,

        Although the thread is quite long existed, but still relevant. I present a scenario just as in your blog. And it is the decryption stage where I face problems. I am using the following for encription in the sftp receiver adapter:


        And the sftp sender adapter decryption settings are : po_decry.PNG

        And when I send a file, its encrypted correctly (I decrypt it locally). But the receipient

        can not decrypt the file, the sftp adapter gives the following error:


        I will highly appreciate if you could give me some hints / solution on this


        Ajeet Phadnis

          • Hello Peter,

            Thanks for the prompt reply. The problem is decryption fails, and get the following exception:

            Error while sending message: Cannot send message to module processor PGPDecryption Module:
            Error 6/21/16 11:26:32 AM

            Error: No such algorithm: IDEA/CFB/NoPadding

            I am using AES_128 algol, and still the Decryption module fails.

            While in Sabharish's blog, he has successfully demonstrated

            the decryption stage to work.

            Appreciate your suggestions.

            Ajeet Phadnis

          • Have you encrypted the message? Or your partner? I ask because it makes no sense, beside a proof of concept, to encrypt your message and then decrypt it afterwards with a second interface.

            Just a guessing from my side (in hope that it helps):

            If your partner has encrypted the file please ask him which algorithm he has used, because your error message says that AES_128 wasn't used, but an IDEA algorithm probably used by an OpenPGP implementation.

            The libraries used by the PGP module (bouncycastle) do not support them as far as i know.

            So please ask the one providing you the file which kind of pgp, pgp version and algorithm he is using for encrypting the file.

            If this is sorted out please let him use compatibility modes or algorithms that the SAP PGP module supports.

          • Thanks, Peter

            Yes, its a scenario I am running on my PI instance. Created a sender that encrypts the message (pic 1 in my first query) the file is placed on sftp server directory.

            Then I have created a resipient that picks this encrypted file decrypts it (pic 2 in my first query) and sends to another sftp server location.

            And its this resipient decryption stage that fails (pic 3 in my first query).

            Ajeet Phadnis

          • Ok, so some kind of proof of concept. 🙂
            Did you try to do the same with two key pairs? I.e. generate a second key pair to simulate a receiver/sender different from your system?

  • Hi there

      Below error is occurred when using PGP Module in File adapter with localejbs/PGPEncryption. Kindly advise.

    "java.lang.Exception: Exception in XML Parser (format

    problem?):'org.xml.sax.SAXParseException: Content is not allowed in prolog.'"

  • Dear Vijay,

    Kindly confirm , whether we need to delete the module parameter "localejbs/ModuleProcessorExitBean " .  when we are using this , we are getttig the below exception,could you please guide me.

    "MessagingException: java.lang.NullPointerException: SFTP "



    • Hi All,

      We are getting the following error in the receiver channel.

      nested exception is: java.lang.NullPointerException: while trying to invoke the method of an object loaded from local variable 'msMessage'

      BASIS has confirmed that JCE unlimted has been installed and System was restarted.

      Could you kindly help



      • Hi Guys,

        And unlimited JCE unlimited and the Module sequence solves this.

        Found out the 'CallSapAdapter' was the culprit. Once I removed it, the PGP module worked.



  • Hi,

    We are using PI 7.3 and for B2B requirement we are supposed to send the MT100 message to banks after signing the message using PKCS7 standard algorithm. Can any one explain how this would be achieved?

      • Hi Peter,

        in our case when we try with simple txt file, its happening. ie its converting into encrypted document. But when its CSV file its not happening. same flat file is processing to reciver folder.

        Note: sender is SFSF adapter and reciver is File adapter.


        • File adapter on receiver side is totally ok. Sender adapter doesn't play any role as encryption is only done in the receiver adapter.

          Any hints to errors in the audit log? Are there any hints about the encryption at all in the audit log?
          If not, then recheck your adapter module settings in the receiver channel of your interface.

        • Sree,

          It may be because of the wrong sequence of the modules in Receiver channel. can you create a separate thread and put the screenshot of channel config there.



  • Hi,

    If we are using partnerPublicKey to encrypt the message and send to the third party ,then what is the use of encryptionAlgo parameter in PGP .In some of the cases i see the parameter encryptionAlgo has not been used.