How to encrypt and decrypt files using GPG – SAP Commissions
When you push data for processing, you keep it in the form of files. But what if the data you are storing is sensitive? How can you protect it from unauthorized access? One way is to encrypt the files using GPG. In this blog, I’ll tell you what GPG is and how you can use it to encrypt and decrypt files when sending them to the SFTP Commissions dropbox for processing.
What are GPG keys
GPG stands for GNU Privacy Guard. It uses the concept of asymmetric encryption. Let’s see how asymmetric encryption works and how it differs from the symmetric encryption we generally use.
In symmetric encryption, there is only one key, generally known as a password, which we use to both encrypt and decrypt the files. The problem here is how to share that same password over the network with the sender or receiver. Asymmetric encryption solves this problem. Let’s see how.
In asymmetric encryption, there is a pair of keys, one public and one private. The owner can share the public key with anyone who wants to send files in an encrypted format. The encrypted file is then sent back to the owner and can only be decrypted with the corresponding private key.
GPG Use Cases
- Encryption: Used to encrypt files. You can send content to someone when you don’t want anyone in the middle to read it.
- Signing Commits: Helpful for proving your identity. For example, you can use this GPG key to sign your commits in GitHub to verify that you are the one who actually made them.
- Encrypting Passwords: Very helpful if you use a command-line password manager such as pass. It uses your GPG keys to handle the encryption of all the secrets you store in that password manager.
For Ubuntu/any Debian based distributions
sudo apt install gnupg
For CentOS/ RHEL based distributions
sudo yum install gnupg
List all GPG public keys
List all GPG private key pairs
Export Public Key in ASCII Format
## Output to STDOUT
gpg --armor --export <email-Id>
## Output to a file
gpg --armor --export --output <file.txt> <email-Id>
Encrypt a file for a specific user using GPG (Using Asymmetric Encryption)
gpg --encrypt --recipient <recipient-user-email> <file-name>
Encrypt a file using GPG (Uses Symmetric Encryption)
gpg --symmetric <file-name> ## It will prompt for a password
Decrypt that encrypted file (For Both, Symmetric and Asymmetric Encryption)
gpg --decrypt <encrypted-file>
Let’s Understand SAP Commissions Customer & Support Process for Setup
Customers can compress their data using gzip and submit it to the dropbox to save bandwidth. Customers can also encrypt their data once GPG is installed using the steps above. In this case the filename will end with .gpg. (Officially, SAP Commissions considers only the gpg format.)
Note: GNU’s implementation of GPG automatically compresses the file by default.
If the customer sends an encrypted inbound file (gpg), the customer will need the public encryption key from the SAP Commissions Technical Support team (formerly called Callidus). Customers have to open a case to request the Callidus public encryption key for inbound files.
For outbound files sent to the customer by Callidus, the customer needs to provide their public key to Callidus for encryption.
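The key exchange described above (the sender receives the recipient's public key, encrypts with it, and only the recipient's private key decrypts), as an added example that is not part of the original post or of SAP's tooling. It runs entirely in throwaway keyrings; the recipient name and address, file names and data are constructed, and comparing the imported key's fingerprint with a value obtained out of band is an assumption the post does not describe.

```bash
# Constructed demo: the name, address, keys and data below are made up.
RCPT_MAIL='recipient@example.invalid'

# Print the primary-key fingerprint of the first key in keyring $1.
keyring_fpr() {
  gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Recipient side (stand-in): create an unprotected throwaway key pair in
# keyring $1 and export its public key, ASCII-armored, to file $2.
make_recipient_key() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Recipient <$RCPT_MAIL>" default default never 2>/dev/null &&
  gpg --homedir "$1" --batch --armor --output "$2" --export "$RCPT_MAIL"
}

# Sender side: import key file $1 into a fresh keyring, go on only if its
# fingerprint equals $2 (a value obtained out of band), then write $3.gpg.
# Returns non-zero on a fingerprint mismatch or a gpg failure.
encrypt_for_recipient() {
  local home fpr rc=2
  home=$(mktemp -d) || return 1
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
    fpr=$(keyring_fpr "$home")
  if [ -n "$fpr" ] && [ "$fpr" = "$2" ]; then
    # The key is pinned by fingerprint, so the trust prompt can be skipped.
    gpg --homedir "$home" --batch --yes --quiet --trust-model always \
      --recipient "$fpr" --output "$3.gpg" --encrypt "$3" && rc=0
  else
    echo "refusing to encrypt: imported fingerprint is ${fpr:-missing}" >&2
  fi
  rm -rf "$home"
  return "$rc"
}

# Full round trip; prints "roundtrip-ok" when the decrypted bytes match.
roundtrip_demo() {
  local work rhome fpr rc
  work=$(mktemp -d) && rhome=$(mktemp -d) || return 1
  printf 'id,amount\nP001,1200.50\n' > "$work/data.txt"
  make_recipient_key "$rhome" "$work/pub.asc" && fpr=$(keyring_fpr "$rhome") &&
    encrypt_for_recipient "$work/pub.asc" "$fpr" "$work/data.txt" &&
    gpg --homedir "$rhome" --batch --quiet --output "$work/out.txt" \
      --decrypt "$work/data.txt.gpg" 2>/dev/null &&
    cmp -s "$work/data.txt" "$work/out.txt" && echo "roundtrip-ok"; rc=$?
  gpgconf --homedir "$rhome" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work" "$rhome"
  return "$rc"
}
```

Source the file and call `roundtrip_demo`; it needs GnuPG 2.2 or later on the PATH.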
The SAP Commissions Support team will find out whether your tenant is configured with a list of keys:
To review the list of keys on the Commissions app server, use the following command:
The dropbox is an SFTP site. It is used by the customer to upload files for processing by ODI/CDL.
manual – This is the most commonly used folder that customers use to upload files to the dropbox. It automatically generates audit files (more on this later) for each file.
inbound – This directory is like the manual directory, but requires customers to drop their audit files along with their data files.
outbound – Some customers have custom data extracts. The extracts are available for pickup from the outbound directory.
badfiles – Any files that produce an ODI/CDL-ERROR email will be found here.
This process is applicable to customers on both Oracle and HANA.
Oracle uses ODI and HANA uses CDL to process files.
Encryption/Decryption Process Flow
Is it possible to use this technique in a custom ODI workflow for the creation of outbound files, too? Which files are covered by this functionality?
Thanks in advance, Georg
Thanks for reading the blog!!
The above process is for standard ODI file types.
For custom ODI file types, you will have to check with the SAP CallidusCloud Support team through a ticket whether it can be enabled as an exception. It is case by case depending on the customer scenario, but yes, it's possible.