Technical Articles
Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password
In SAP Cloud Integration, you can upload a PGP secring.gpg for using secret keys in the PGP decryption or encryption step of your integration flow. The SAP help documentation describes how to export and import PGP public keys with the help of the Gnu Privacy Assistant. Yet, there are no details on how to export and import PGP secret keys. Here, we provide a step by step description on how to import and export PGP secret keys from a PGP secring deployed on your Cloud Integration tenant via the GPG command line tool. Furthermore, we also provide a description on how to change the password of a secret key.
Prerequisites
- You have a SAP Cloud Integration tenant and you have a user for the WEB UI of your Cloud Integration tenant with Administrator permission (AuthGroup.Administrator for NEO environment or AuthGroup_Administrator for the Cloud Foundry environment).
- You’ve already deployed a secret keyring to your Cloud Integration tenant.
- You’ve installed the GPG tool (Version 2.3.4 as described in https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/b55c02524afc42cd99086a16871c0235.html) on your Windows machine.
Export a PGP Secret Key
Download your PGP secret keyring from the Cloud Integration WEB UI using the Administrator user. The downloaded file must have the name “secring.gpg”.
In case you got the PGP secret keyring “secring.gpg” from somewhere else (because you want to add the secret keys of this secring to the secring uploaded to your Cloud Integration tenant), you can use also the following steps to first export the secret keys and you can use the commands of the following chapter “Import PGP Secret Key” to import the secret keys.
- Enter the downloaded file secring.gpg into an empty directory. In the following, we assume that the directory path is given by C:/source.
- List the content of the secring with the following gpg command:
gpg --homedir=C:/source --list-secret-keysExample output of the command:
... C:/source/secring.gpg --------------------- sec 2048R/BBB29842 2021-01-17 uid source <souce@source.com> ssb 2048R/64FACE2B 2021-01-17 - Find out the uid (user ID) of the secret key you want to export. You can see the uid(s) of the secret keys from the output display of the previous command. In the example above, we only have one secret key with uid=”source <souce@source.com>“. We will use this uid in the following command.
- Export the secret key with the found uid with the following command into a file (below we use the file name “my-secret-key.pem“):
gpg --homedir=C:/source --armor --export-secret-key "source <souce@source.com" > my-secret-key.pem
You can now use the exported file “my-secret-key.pem” in the following chapter to import the secret key into another PGP secring.
Import PGP Secret Key
You now need the secrete key file which was produced in a similar why as shown in the previous chapter “Export a PGP Secret Key”. In the following, we assume that you have such kind of file with the name “my-secret-key.pem” in the directory where you execute the gpg commands. Execute the following commands to import a PGP secret key into a PGP secret keyring with the name “secring.gpg”. For example, you can get the secring.gpg by downloading this file from your Cloud Integration tenant.
- Store the PGP secret keyring with the name “secring.gpg” into the empty directory C:/target. You can also choose another directory name but keep in mind that the following commands assume that the directory name is C:/target.
- List the secret keys which are already contained in the PGP secret keyring:
gpg --homedir=C:/target --list-secret-keysOutput Example of this command:
C:/target/secring.gpg --------------------- sec 2048R/5D629E05 2021-01-17 uid target <target@target.com> ssb 2048R/18A00B85 2021-01-17 - Import the secret key (as an example, we use the file “my-secret-key.pem” which contains the secret key):
gpg --homedir=C:/target --import my-secret-key.pemOutput Example of this command:
gpg: key BBB29842: secret key imported gpg: key BBB29842: public key "source <souce@source.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: secret keys read: 1 gpg: secret keys imported: 1 - List the secret keys of the PGP secret keyring to check whether successful import was successful:
gpg --homedir=C:/target --list-secret-keysOutput example of the command:
C:/target/secring.gpg --------------------- sec 2048R/5D629E05 2021-01-17 uid target <target@target.com> ssb 2048R/18A00B85 2021-01-17 sec 2048R/BBB29842 2021-01-17 uid source <souce@source.com> ssb 2048R/64FACE2B 2021-01-17
Once you’ve imported all the secret keys you need, you can use the PGP secret keyring file secring.gpg for uploading into the Cloud Integration tenant. Note: All secret keys in the secret keyring must have the same password. If this is not the case, read the following chapter on how to change the password of a secret key in a PGP secret keyring.
Change Secret Key Password
In the following, we assume that you have a secret keyring with the name secring.gpg in the folder C:/target and that you want to change the password of a the secret key in this keyring.
We use the tool GNU Privacy Assistant which provides a UI.
Prerequisites:
- You’ve installed gpg for Windows together with the GPA tool as described in https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/b55c02524afc42cd99086a16871c0235.html .
- Create the file run_gpa.bat with the following content in the folder C:/target which already contains the PGP secret keyring file secring.gpg (replace <installation path of the gpa tool> by the installation path of the gpa tool):
set GNUPGHOME=C:\target echo $GNUPGHOME$ C:\<installation path of the gpa tool>\gpa
Now execute the following steps:
- Execute run_gpa.bat in the folder C:/target. You will get the following UI:
- Select the private key for which you want to change the password and right-click it. From the menu, choose the option “Edit Private Key…“. The following pop-up appears:
- Now, select “Change passphrase” and follow the instructions.
After you have adapted the passwords of the secret keys you can upload the secring.gpg file to your Cloud Integration tenant.
Hi @Franz Forsthofer - Thanks for providing detailed steps for import the multiple secret keys into secring.. it would have been nice if we have UI Screen for the secret keys similar to the public key imports.
Note: All secret keys in the secret keyring must have the same password
Regarding the above note, is this a limitation at CPI end ? As there can be a cases where the passwords can be different.
Thanks & Regards
Rajesh Pasupula
Hi Rajesh,
yes, this is a limitation of SAP Cloud Integration.
Regards Franz