Skip to Content
Technical Articles

Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password

In SAP Cloud Integration, you can upload a PGP secring.gpg for using secret keys in the PGP decryption or encryption step of your integration flow. The SAP help documentation describes how to export and import PGP public keys with the help of the Gnu Privacy Assistant. Yet, there are no details on how to export and import PGP secret keys. Here, we provide a step by step description on how to import and export PGP secret keys from a PGP secring deployed on your Cloud Integration tenant via the GPG command line tool. Furthermore, we also provide a description on how to change the password of a secret key.

Prerequisites

Export a PGP Secret Key

Download your PGP secret keyring from the Cloud Integration WEB UI using the Administrator user. The downloaded file must have the name “secring.gpg”.

In case you got the PGP secret keyring “secring.gpg” from somewhere else (because you want to add the secret keys of this secring to the secring uploaded to your Cloud Integration tenant), you can use also the following steps to first export the secret keys and you can use the commands of the following chapter “Import PGP Secret Key” to import the secret keys.

  1. Enter the downloaded file secring.gpg into an empty directory. In the following, we assume that the directory path is given by C:/source.
  2. List the content of the secring with the following gpg command:
    ​gpg  --homedir=C:/source --list-secret-keys

    Example output of the command:

    ...
    C:/source/secring.gpg
    ---------------------
    sec   2048R/BBB29842 2021-01-17
    uid                  source <souce@source.com>
    ssb   2048R/64FACE2B 2021-01-17​
  3. Find out the uid (user ID) of the secret key you want to export. You can see the uid(s) of the secret keys from the output display of the previous command. In the example above, we only have one secret key with uid=”source <souce@source.com>“. We will use this uid in the following command.
  4. Export the secret key with the found uid with the following command into a file (below we use the file name “my-secret-key.pem“):
    gpg  --homedir=C:/source --armor --export-secret-key "source <souce@source.com" > my-secret-key.pem​

You can now use the exported file “my-secret-key.pem” in the following chapter to import the secret key into another PGP secring.

Import PGP Secret Key

You now need the secrete key file which was produced in a similar why as shown in the previous chapter “Export a PGP Secret Key”.  In the following, we assume that you have such kind of file with the name “my-secret-key.pem” in the directory where you execute the gpg commands. Execute the following commands to import a PGP secret key into a PGP secret keyring with the name “secring.gpg”. For example, you can get the secring.gpg by downloading this file from your Cloud Integration tenant.

  1. Store the PGP secret keyring with the name “secring.gpg” into the empty directory C:/target. You can also choose another directory name but keep in mind that the following commands assume that the directory name is C:/target.
  2. List the secret keys which are already contained in the PGP secret keyring:
    gpg  --homedir=C:/target --list-secret-keys​

    Output Example of this command:

    C:/target/secring.gpg
    ---------------------
    sec   2048R/5D629E05 2021-01-17
    uid                  target <target@target.com>
    ssb   2048R/18A00B85 2021-01-17
  3. Import the secret key (as an example, we use the file “my-secret-key.pem” which contains the secret key):
    gpg --homedir=C:/target --import my-secret-key.pem​

    Output Example of this command:

    gpg: key BBB29842: secret key imported
    gpg: key BBB29842: public key "source <souce@source.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    gpg:       secret keys read: 1
    gpg:   secret keys imported: 1​
  4. List the secret keys of the PGP secret keyring to check whether successful import was successful:
    gpg  --homedir=C:/target --list-secret-keys​

    Output example of the command:

    C:/target/secring.gpg
    ---------------------
    sec   2048R/5D629E05 2021-01-17
    uid                  target <target@target.com>
    ssb   2048R/18A00B85 2021-01-17
     
    sec   2048R/BBB29842 2021-01-17
    uid                  source <souce@source.com>
    ssb   2048R/64FACE2B 2021-01-17​

Once you’ve imported all the secret keys you need, you can use the PGP secret keyring file secring.gpg for uploading into the Cloud Integration tenant. Note: All secret keys in the secret keyring must have the same password. If this is not the case, read the following chapter on how to change the password of a secret key in a PGP secret keyring.

Change Secret Key Password

In the following, we assume that you have a secret keyring with the name secring.gpg in the folder C:/target and that you want to change the password of a the secret key in this keyring.

We use the tool GNU Privacy Assistant which provides a UI.

Prerequisites:

Now execute the following steps:

  1. Execute run_gpa.bat in the folder C:/target. You will get the following UI:
  2. Select the private key for which you want to change the password and right-click it. From the menu, choose the option “Edit Private Key…“. The following pop-up appears:
  3. Now, select “Change passphrase” and follow the instructions.

After you have adapted the passwords of the secret keys you can upload the secring.gpg file to your Cloud Integration tenant.

 

2 Comments
You must be Logged on to comment or reply to a post.
  • Hi @Franz Forsthofer - Thanks for providing detailed steps for import the multiple secret keys into secring.. it would have been nice if we have UI Screen for the secret keys similar to the public key imports.

    Note: All secret keys in the secret keyring must have the same password

    Regarding the above note, is this a limitation at CPI end ? As there can be a cases where the passwords can be different.

    Thanks & Regards

    Rajesh Pasupula