Technical Articles

April 26, 2022 6 minute read

Cloud Integration – How to use PGP Keys Monitor

Introduction

SAP Cloud Integration PGP Keys Monitor enables you to manage PGP keyrings (secring, pubring).

The 3^rd increment which is available with the 2023 April software update ((Neo 5.46.x, CF 6.38.x) will add single key operations to the PGP Monitor (upload, delete, download)
With the 2nd increment, which is made available with the 2023 January update (Neo 5.43.x, CF 6.35.x), the PGP Monitor is enhanced with the capability to display the key details
First version of the PGP Keys Monitor was made available with the 2022 April update (Neo 5.35.x, CF 6.27.x)

With previous SAP Cloud Integration releases, the PGP Secret Keyring and PGP Public Keyring were managed in the Cloud Integration Monitor section under Manage Security using the Security Material tile. Here, you had the option to upload, download, and delete secret and public keyrings.
SAP Cloud Integration manages only a single secret and a single public keyring which include the corresponding secret and public keys.

PGP Public Keyring (pubring): This artifact contains the public keys that enables the tenant to encrypt or verify messages using the Pretty Good Privacy (PGP) standard.

PGP Secret Keyring (secring): This artifact contains the PGP secret keys (also referred to as private keys) for the usage of Open Pretty Good Privacy (PGP). The private key enables the tenant to decrypt or sign messages.

Please see SAP Help – How OpenPGP Works.

PGP Keys Monitor

Now, a new PGP Keys Monitor is available on your SAP Cloud Integration tenant. To access it, go to the Monitor section and under Manage Security select the PGP Keys tile:

PGP_Overview_Manage_Security

Overview PGP Keys

The PGP Keys monitor allows you to manage the public and private PGP keys.

A list of public and secret PGP keys is displayed in a table. For each artifact, the following attributes are displayed:

Attribute	Description
User ID	States the User ID of this PGP key.
Type	Indicates whether the entry is a public PGP or a secret PGP key.
Key ID	States the key ID.
Validity State	Indicates the validity state. The following states are possible: Valid: The PGP key is valid. Critical: The PGP key expires within the next 14 days Expired: The PGP key is no longer valid.
Valid Until	Indicates the expiration date.
Modified On	Indicates the date and time the entry was last modified.

PGP Keys Monitor: Actions

The current scope of the the PGP Key Monitor comprises the following features:
- Uploading secret, public keyrings (single key and multiple keys)
- Downloading secret, public keyrings (single key and entire keyring)
- Deleting secret, public keys (single key)

Add

To upload public or secret keys, choose one of the following options:

Add –> Public Keys
Add –> Secret Keys

In the previous versions before adding a new secret or public keyring file, it was only possible to replace the entire existing keyring with the new one. This behaviour has been improved in a way that users can decide which upload option to be used.

Adding Secret, Public Keys

The selected keyring file can contain 1 or several PGP secret or public keys depending on the chosen action, but it can be either public or secret keys in one file.

The keys must be in one of the following formats:

Binary format (typical file extension: .gpg)
ASCII armored format (typical file extension: .asc)

Following Upload options are available:

Add

Adds the entries from the uploaded keyring. These are merged with the existing keys.

When you select the option Overwrite Existing Keys, existing entries are overwritten by uploaded entries with the same KeyId value.

Note:

A PGP key is considered identical to another one if the hexadecimal KeyId value of both keys matches. Note that there can be several distinct PGP keys with the same UserId.

Replace

Replaces existing keyring including all keys with the uploaded one (same behaviour as in previous versions).

Replaces the whole keyring with the uploaded one (replaces only the keys that are already available).

You need to confirm the replacement of the existing keys.

WARNING: You will replace the entire keyring when adding a new one. Make sure that you keep your external backup.

After a successful upload, a dialog is displayed showing the summary of the added, removed, changed, and not imported keys, if there are any. If any keys were not uploaded, information is provided to explain why (for example, the key with the same key id already exists). The keys in the table refresh automatically. You can also manually refresh the list by clicking the refresh button.

Download

To download public or secret keys, choose one of the following options:

Download –> Public Keys
Download –> Secret Keys

This option will download the entire secret or public keyring.

To download a specific single key, choose the download icon.

In case that for a Key Id secret and public key exists, you must choose which one to download. For downloading the secret key, a passphrase is required to encrypt the key.

Delete

Deletion of single keys can be done from the overview; this functionality has been moved from the Manage Security Materials.

The following table provides more information on these actions:

Action	Description
Add public key or secret keys	To add a public or secret keyring, select Add Public or Secret Keys. When adding a secret keyring, you need to specify the key passphrase.
Download	To download an artifact, select the artifact in the table and choose Download Public Key or Secret Keys.
Download a single key	To download a dedicated key as a file, click the download button at the end of the row of the key. When downloading a secret key, you need to specify the key passphrase twice.
Delete	To delete a dedicated key, click the delete button at the end of the row of the key.

PGP Keys Monitor: Key Details

You can view the key details by clicking on the corresponding key to show the deails.

The Key Details tab shows the following attributes for the selected key, additionally the actions for downloading and deleting the selected key are available in the key details.

Attribute	Description
Fingerprint	Character sequence that identifies the public key. A fingerprint is generated out of the public key applying a hash function on the public key.
User IDs	User IDs associated with the key. In the context of PGP, a user ID indicates the entity that uses the key to perform a dedicated action on the message content. The user ID can be a name, an email address, or a combination of both. Examples: A user ID associated with a public PGP key indicates the entity that receives the message encrypted with the public key. A user ID associated with a secret PGP key indicates the entity that sends the encrypted message that is to be decrypted using the secret key.
PGP Keys	This section shows a set of attributes for the key and (if defined) its subkeys. The following attributes are displayed: ID: Key ID that uniquely identifies the key or sub key Type: Indicates if this is a public or a secret key Strength: The length of the key in bits Usage (Key Flags): Shows for which activity the key is used, for example, for message encryption Valid From, Valid Until: Indicates the expiration date Modified On: Indicates the date and time the key was last modified

Authorizations

To protect the use of PGP Keys monitor, the following roles are available:

Task	Role (Neo)	Role-Template (Cloud Foundry)
Add PGP keyring artifacts	NodeManager.deploysecuritycontent NodeManager.deploycontent	SecurityMaterialEdit
Undeploy PGP keyring artifacts	NodeManager.deploycontent NodeManager.deploysecuritycontent	SecurityMaterialEdit
Download PGP keyring artifacts	NodeManager.read NodeManager.readsecuritycontent	SecurityMaterialDownload
Display PGP keyring artifacts	NodeManager.read	MonitoringDataRead

Planned Iterations: PGP Key Monitor

Upload/Download PGP Keyrings: Operation on entire keyrings (Available: April 2022, Neo 5.35.x, CF 6.27.x)
Display Key details: Display secret, public key details (Available: January 2023, Neo 5.43.x, CF 6.35.x)
Single Key Operations: Add, Download, Delete single secret, public keys
Availability of the single key operations would retire the Manage Security Material secret, public key display and delete functionality (Available: April 2023, Neo 5.46.x, CF 6.38.x)

Further Information

SAP Help: Managing PGP Keys
SAP Help: How OpenPGP Works
SAP Blog: Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password

5 Comments

You must be Logged on to comment or reply to a post.

Benjamin Nehring

January 16, 2023 at 11:12 am

Hi Marco Freischlag,

nice feature. I am looking forward to the "Single Key Operations" as this would make the need for an external PGP Key handling tool obsolete in most cases. Currently it would be nice if this warning you have written here would be also displayed in the WebUI, because to replace the key ring one has to press the Add button in the WebUI. So someone who has not read the documentation or your blog could assume that the uploaded keys are added to the key ring in CPI when actually there is a replace operation happening.

BR, Benjamin

Marco Freischlag

Blog Post Author

January 19, 2023 at 12:10 pm

Hi Benjamin,

please stay tuned. In the next increment, which is currently been developed, you can expect some changes in the upload dialogue which enable you to have a better control and not being forced to replace the entire key ring every time.

Regards Marco

Vadim Klimov

April 13, 2023 at 12:57 pm

Hello Marco,

Thank you, product management and development teams for introducing these new features to the PGP keys monitor, the tool becomes more and more instrumental and feature-rich with those increments, and reduces dependency on external PGP key management tools.

An idea/proposal that came to my mind after using the PGP keys monitor and in particular, when downloading keys from there, is: would you consider introducing an option to download a public key out of a secret key stored in the secret keyring in a Cloud Integration tenant?

A use case when the above-described feature may become relevant is, for example, when a PGP key pair was generated, a secret key was imported into a secret keyring in a Cloud Integration tenant and is used in integration flows, a public key needs to be communicated to an integrated counterpart that shall use it to encrypt a message content or to verify a signature, but a public key got lost later and, for some reason, there are no copies of the public key that can be restored from other locations or recovered by other means. Since we can technically restore/regenerate a public key from a secret key, and as far as a secret key is available and is not compromised, we shall not need to regenerate the entire PGP key pair and use a new secret key in existing scenarios if we only lost a public key.

Currently, we can use external / 3rd party tools (for example, GnuPG) for this. The approach that I can think of (and that I used in the past), would comprise the following steps:

Obtain a secret key and a passphrase for it (now, a secret key can be downloaded from a Cloud Integration tenant using the PGP keys monitor),
Import a secret key to a temporary keyring (this operation will implicitly trigger the generation of a corresponding public key in a public keyring),
Export a newly generated public key from a public keyring.

If this feature is a part of the PGP keys monitor in Cloud Integration, we will not need an external tool to get utilized and will not need to use temporary keyrings outside of a Cloud Integration tenant.

Regards,

Vadim