Using PGP in Process Integration



Pretty Good Privacy (PGP) is a data encryption and decryption algorithm that provides cryptographic privacy and authentication for data communication.

With PI 7.11+, PGP is available as part of the SAP NetWeaver Process Orchestration Secure Connectivity Add-On.  PGP is an adapter user-module which can be used with any Java adapters, e.g. File/FTP, JDBC, SOAP, JMS, Mail, RFC, HTTP_AAE, IDoc_AAE, etc.  This add-on also includes the SFTP adapter. 

Both products are available for download from the SAP Service Marketplace without any additional cost. 


Download and Installation


PGP can be downloaded from SMP as part of the Secure Connectivity Add-On.  The download location:

Go to:  SAP Software Download Center > Installations and Upgrades > Browse our Download Catalog

  1. Select “SAP NetWeaver and complementary products”, and then “PI SFTP PGP ADDON”.
  2. After extracting the downloaded ZIP file, use JSPM to deploy PIB2BPGP00_0.SCA on PI.




The PGP module uses the public key encryption method to secure the content of the business document.  The PGP module allows us to encrypt/decrypt and digitally sign or verify a message.

This method uses two kinds of keys, a public key and a private key; their purposes are described below:


Public Key:  

  • Your public key is used by all your business partners to encrypt a message when sending that message to you.  Therefore, you must send the public key to your partners first. 
  • Your partner’s public key is used to verify the digital signature in the message when you receive that message from your business partner.  Therefore, your partner must send you his public key first.


Private Key:

  • Your private key is used to decrypt a message when receiving it from your partner.  Your business partner will use your public key to encrypt the message.
  • Your private key is used to digitally sign a message when sending it to your business partner.  Your business partner will use your public key to verify the digital signature.


PGP keys can be generated with publicly available programs, and many web sites can also generate them for you; both options are free.  For your testing purposes, I created the following keys.  Copy and paste them into two files, e.g. testPGPPublic.txt and testPGPPrivate.txt.  (The two files are also attached to this blog.)

While copying, include the BEGIN and END lines.  The password for the private key is “test”.




User-Module Configuration

Please reference SAP HELP for details:

For this blog, we will be sending the messages to ourselves; therefore, for sending and receiving messages we will use the same public-private keys.

Receiver Communication Channel


The receiver communication channel is used to send a message to your partner.  Consequently, we will use your partner’s public key to encrypt the message, and we can optionally use your own private key to digitally sign the message.


  1. Enter Module Name:  localejbs/PGPEncryption
  2. Enter Module Parameters:
    • For encryption:
      • keyRootPath = <file directory of the private and public keys>
      • partnerPublicKey = <file name of the public key>  (this is your partner’s key)
    • For signing the message:  (optional)
      • applySignature = true  (the default is false)
      • ownPrivateKey = <file name of the private key>  (this is your own private key)
      • pwdOwnPrivateKey = <password of the private key>  (for this blog, “test”)


Sender Communication Channel


The sender communication channel is used to receive a message from your partner.  Consequently, we will use your own private key to decrypt the message, and we can optionally use your partner’s public key to verify your partner’s digital signature in the message.


  1. Enter Module Name:  localejbs/PGPDecryption
  2. Enter Module Parameters:
    • For decryption:
      • keyRootPath = <file directory of the private and public keys>
      • ownPrivateKey = <file name of the private key>  (this is your own private key)
      • pwdOwnPrivateKey = <password of the private key>  (for this blog, “test”)
    • For verifying the signature in the message:  (only used if the message is signed by your partner)
      • partnerPublicKey = <file name of the public key> (this is your partner’s key)
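
A pre-deployment check for the key files placed under keyRootPath, added here as an example (it is not code from this blog or from SAP): it confirms that a pasted file kept its BEGIN and END lines, that the armor checksum still matches the key data, and that partnerPublicKey and ownPrivateKey each point at the right kind of key. The function names are hypothetical and the two sample blocks are constructed filler, not real keys.

```python
import base64
import re

# Armor type and first packet tag (6 = public key, 5 = secret key) per parameter.
EXPECTED = {"partnerPublicKey": ("PUBLIC KEY BLOCK", 6), "ownPrivateKey": ("PRIVATE KEY BLOCK", 5)}

def crc24(data: bytes) -> int:
    crc = 0xB704CE  # initial value and polynomial from RFC 4880, section 6.1
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, raw: bytes) -> str:  # only builds the constructed samples
    body = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\nVersion: constructed sample\n\n"
            f"{body}\n={crc}\n-----END PGP {kind}-----\n")

def check_key_file(parameter: str, text: str) -> list:
    """Return the problems found in one pasted key file (empty list = OK)."""
    kind, tag = EXPECTED[parameter]
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----(.*?)\n-----END PGP \1-----",
                  text.replace("\r", ""), re.S)
    if not m:
        return ["BEGIN/END lines missing or mismatched"]
    problems = [] if m.group(1) == kind else [f"{parameter} needs a {kind}, not a {m.group(1)}"]
    _, _, body = m.group(2).partition("\n\n")  # armor headers end at the blank line
    lines = [ln.strip() for ln in body.split("\n") if ln.strip()]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    try:
        raw = base64.b64decode("".join(lines), validate=True)
        stated = base64.b64decode(crc_line[1:], validate=True) if crc_line else None
    except ValueError:
        return problems + ["key data is not valid base64 (truncated paste?)"]
    if stated is not None and int.from_bytes(stated, "big") != crc24(raw):
        problems.append("CRC-24 mismatch: key data changed while copying")
    first = raw[0] if raw else 0
    found = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # new / old header
    if not first & 0x80 or found != tag:
        problems.append(f"first packet is not a {kind.split()[0].lower()} key packet")
    return problems

# Constructed sample data, not real keys: one packet header byte plus filler text.
SAMPLE_PUBLIC = armor("PUBLIC KEY BLOCK", b"\x99constructed filler, not key material")
SAMPLE_PRIVATE = armor("PRIVATE KEY BLOCK", b"\x95constructed filler, not key material")
```

To check real files, read each one as text and pass its content together with the name of the module parameter that will reference it.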


  • Hi William,

    This is a neat new feature.

    What I found a bit confusing is that the keys need to be stored on disk of the PI server and not in the NWA truststores (would be a huge simplification as all adapters invoke their certificates from there, too).



    • Hi,

      From my understanding, the PGP certificates are not based on standards, e.g. X.509.  Therefore, it cannot be imported into the keystore.

      I tried to import the PGP certificate into the keystore in the past, but an error resulted.



      • Hi William,

        this is a very nice blog. However I have got few questions here.

        I haven't worked on PGP module before but it seems that PGP uses Self signed certificate, leaving certificate and key management to users. Thus when estimating the effort required, something that may appear to reduce development effort may increase subsequent administration and support effort. Is that correct?

        Also, PGP carries out a public-key encryption for each message. Public-Key encryption is orders of magnitude slower than symmetric key encryption. While that may not matter for occasional messages, it can have huge performance impact on frequent messages. Is that correct?

        We have requirement in our project to encrypt/decrypt and sign the messages before sending it to 3rd party and I am tempted to use PGP Add-ons but before that would like to find out if there are any sorts of obligations to use this algorithm.



        • Hi,

          I am not an expert on public-key infrastructure.  I do not believe there is a Certificate Authority (CA) who manages PGP public-private keys.  Maybe other readers will know. 

          As for symmetric vs asymmetric, symmetric key requires that both parties have the same key.  This can cause security problems.  With asymmetric, the public key can be used by anyone to encrypt, and only you have the private key to be able to decrypt the msg.  With symmetric key, all parties will have to have the same key.  Performance should have minimum impact for using asymmetric keys.

          PGP is publicly available and there is no restriction on its usage...everyone can use it.



          • thanks for the information William.

            Can you please let me know if uploading Private/Public key pair is one off activity and do we have to do it once for every system (e.g. one for for for Prod) ?



          • Hi Pratibha,

            I think this is something you can check with your management.  I think you can have one pair for DEV and QA, for development and testing purposes.  Then, another pair for PRD.



  • Thanks Bill for sharing this. The add-on gets a Thumbs up from me as we have implemented it in our project and it worked pretty smooth, considering the fact that it was released recently. (end of March'12)

    Pratibha Sethi my 2 cents on your questions:

    >> reduce development effort may increase subsequent administration and support effort

    There could be some work associated, but it is not ever-increasing and time consuming work. I have seen some of the clients using never-expiring keys.

    >> it can have huge performance impact on frequent messages. Is that correct?

    Any encryption at PI message level will have some performance impact. But this is always subject to volume and sizing exercise. Note that compressing the payloads while encrypting reduces the load on the server and therefore should be chosen appropriately.

    I shared some of my experience earlier here:

    >>do we have to do it once for every system (e.g. one for for for Prod) ?

    You don't have to. Again, I have seen client using the same certificate for all the environments.


    Prateek Raj Srivastava

    • Hi Experts,

      My scenario is like

      Currently we are implementing SAP (ERP software) across the company and we have a requirement to send the EFT’s (payments) file by building an integrated interface with some bank. Initially, SAP FI generates the file and is placed in a predefined directory in client ERP on outbound side and PI needs to encrypt the file using PGP by AES 128/256 algorithm & need to post the xls files to SFTP/FTP folder on inbound side from where a server at Bank’s end will pick the file on a scheduled basis.

      Regarding the above scenario Bank people[inbound]  side confirmed that they use AES128 algorithm only but not PGP. My question is PI encrypt the file using PGP with AES128, what mechanism do bank people[inbound] side follow to decrypt it with their private key or should they use only PGP to decrypt the encrypted file from PI or can they follow some other way to decrypt it by their own private key? I mean to ask however PI use only PGP to encrypt the file, is it required bank[inbound] receiver side also use PGP to decrypt or can they use another mechanism to decrypt by private key + AES128 ?


  • Hi William Li,

    Can I use the above module to insert a digital signature in PDF document say it is a passthrough scenario where I do no transformation other than just inserting digital signature. Pls confirm whether it is possible by above standard module without using any custom module if so pls let me know additional steps if any.

    Thnx, Nithin.

    • Hi Pattanant, I've same problem.

      I check and password is OK.

      Could you solve your problem?

      Please share the solution.

      Thanks in advance.

      • Hi All,

        How did you solve this issue ?

        Error:Org.bouncycastle.openpgp.PGPException:A fitting private key for the encrypted data could not be found : check the password



