Cloud Integration – How to use PGP Keys Monitor
Introduction
SAP Cloud Integration PGP Keys Monitor enables you to manage PGP keyrings (secring, pubring).
- The 3rd increment, available with the 2023 April software update (Neo 5.46.x, CF 6.38.x), adds single key operations (upload, delete, download) to the PGP Keys Monitor.
- The 2nd increment, made available with the 2023 January update (Neo 5.43.x, CF 6.35.x), enhances the PGP Keys Monitor with the capability to display key details.
- The first version of the PGP Keys Monitor was made available with the 2022 April update (Neo 5.35.x, CF 6.27.x).
With previous SAP Cloud Integration releases, the PGP Secret Keyring and PGP Public Keyring were managed in the Cloud Integration Monitor section under Manage Security using the Security Material tile. Here, you had the option to upload, download, and delete secret and public keyrings.
SAP Cloud Integration manages only a single secret and a single public keyring which include the corresponding secret and public keys.
PGP Public Keyring (pubring): This artifact contains the public keys that enable the tenant to encrypt or verify messages using the Pretty Good Privacy (PGP) standard.
PGP Secret Keyring (secring): This artifact contains the PGP secret keys (also referred to as private keys) for use with OpenPGP. The private key enables the tenant to decrypt or sign messages.
Please see SAP Help – How OpenPGP Works.
PGP Keys Monitor
Now, a new PGP Keys Monitor is available on your SAP Cloud Integration tenant. To access it, go to the Monitor section and under Manage Security select the PGP Keys tile:
Overview PGP Keys
The PGP Keys monitor allows you to manage the public and private PGP keys.
A list of public and secret PGP keys is displayed in a table. For each artifact, the following attributes are displayed:
| Attribute | Description |
| --- | --- |
| User ID | States the User ID of this PGP key. |
| Type | Indicates whether the entry is a public PGP key or a secret PGP key. |
| Key ID | States the key ID. |
| Validity State | Indicates the validity state. The following states are possible: |
| Valid Until | Indicates the expiration date. |
| Modified On | Indicates the date and time the entry was last modified. |
PGP Keys Monitor: Actions
The current scope of the PGP Keys Monitor comprises the following features:
- Uploading secret and public keyrings (single key and multiple keys)
- Downloading secret and public keyrings (single key and entire keyring)
- Deleting secret and public keys (single key)
Add
To upload public or secret keys, choose one of the following options:
- Add –> Public Keys
- Add –> Secret Keys
In previous versions, adding a new secret or public keyring file always replaced the entire existing keyring with the new one. This behaviour has been improved so that users can decide which upload option to use.
Adding Secret, Public Keys
The selected keyring file can contain one or several PGP secret or public keys, depending on the chosen action, but a single file can contain only public keys or only secret keys, not both.
The keys must be in one of the following formats:
- Binary format (typical file extension: .gpg)
- ASCII armored format (typical file extension: .asc)
The following upload options are available:

| Option | Description |
| --- | --- |
| Add | Adds the entries from the uploaded keyring; they are merged with the existing keys. When you select the option Overwrite Existing Keys, existing entries are overwritten by uploaded entries with the same KeyId value. Note: A PGP key is considered identical to another one if the hexadecimal KeyId values of both keys match. There can be several distinct PGP keys with the same UserId. |
| Replace | Replaces the existing keyring, including all of its keys, with the uploaded one (same behaviour as in previous versions). You need to confirm the replacement of the existing keys. WARNING: You will replace the entire keyring when adding a new one. Make sure that you keep an external backup. |
After a successful upload, a dialog is displayed showing the summary of the added, removed, changed, and not imported keys, if there are any. If any keys were not uploaded, information is provided to explain why (for example, the key with the same key id already exists). The keys in the table refresh automatically. You can also manually refresh the list by clicking the refresh button.
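To illustrate the Add (with and without Overwrite Existing Keys) and Replace semantics described above, here is an added example, not SAP code and not the monitor's implementation: a small Python model that identifies keys by their hexadecimal KeyId, as the monitor does, with constructed sample keys and the summary the upload dialog reports.

```python
"""Model of the PGP Keys Monitor upload options 'Add' (merge, optional overwrite) and 'Replace'.
Added example, not SAP code: keys are identified by their hexadecimal KeyId, never by
UserId, because several distinct keys can share one UserId."""
from dataclasses import dataclass, field


@dataclass
class PgpKey:
    key_id: str       # long key ID, 16 hex characters (constructed sample values below)
    user_id: str
    valid_until: str


@dataclass
class UploadSummary:
    added: list = field(default_factory=list)
    changed: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    not_imported: dict = field(default_factory=dict)   # key_id -> reason shown in the dialog


def add_keys(keyring, uploaded, overwrite_existing=False):
    """'Add' option: merge uploaded keys into the keyring; returns (new keyring, summary)."""
    result = {k.key_id.upper(): k for k in keyring}        # hex KeyId compared case-insensitively
    summary = UploadSummary()
    for key in uploaded:
        kid = key.key_id.upper()
        if kid not in result:
            result[kid] = key
            summary.added.append(kid)
        elif overwrite_existing:                            # 'Overwrite Existing Keys' selected
            result[kid] = key
            summary.changed.append(kid)
        else:
            summary.not_imported[kid] = "key with the same key id already exists"
    return list(result.values()), summary


def replace_keyring(keyring, uploaded):
    """'Replace' option: the uploaded file becomes the entire keyring; other keys are dropped."""
    old_ids = [k.key_id.upper() for k in keyring]
    new_ids = [k.key_id.upper() for k in uploaded]
    summary = UploadSummary(added=[i for i in new_ids if i not in old_ids],
                            changed=[i for i in old_ids if i in new_ids],
                            removed=[i for i in old_ids if i not in new_ids])
    return list(uploaded), summary


# Constructed sample data: two different keys share the UserId partner@example.com.
EXISTING = [PgpKey("0123456789ABCDEF", "partner@example.com", "2025-12-31"),
            PgpKey("FEDCBA9876543210", "partner@example.com", "2024-06-30")]
UPLOAD = [PgpKey("0123456789abcdef", "partner@example.com", "2027-12-31"),   # renewed, same KeyId
          PgpKey("00FF00FF00FF00FF", "supplier@example.com", "2026-01-01")]
```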
Download
To download public or secret keys, choose one of the following options:
- Download –> Public Keys
- Download –> Secret Keys
This option will download the entire secret or public keyring.
To download a specific single key, choose the download icon.
If both a secret key and a public key exist for a Key ID, you must choose which one to download. To download the secret key, a passphrase is required to encrypt the key.
Delete
Single keys can be deleted from the overview; this functionality has been moved here from Manage Security Material.
The following table provides more information on these actions:
| Action | Description |
| --- | --- |
| Add public or secret keys | To add a public or secret keyring, select Add Public Keys or Add Secret Keys. When adding a secret keyring, you need to specify the key passphrase. |
| Download | To download an artifact, select the artifact in the table and choose Download Public Keys or Download Secret Keys. |
| Download a single key | To download a dedicated key as a file, click the download button at the end of the row of the key. When downloading a secret key, you need to specify the key passphrase twice. |
| Delete | To delete a dedicated key, click the delete button at the end of the row of the key. |
PGP Keys Monitor: Key Details
You can view the key details by clicking on the corresponding key.
The Key Details tab shows the following attributes for the selected key. The actions for downloading and deleting the selected key are also available in the key details.
| Attribute | Description |
| --- | --- |
| Fingerprint | Character sequence that identifies the public key. A fingerprint is generated by applying a hash function to the public key. |
| User IDs | User IDs associated with the key. In the context of PGP, a user ID indicates the entity that uses the key to perform a dedicated action on the message content. The user ID can be a name, an email address, or a combination of both. Examples: |
| PGP Keys | This section shows a set of attributes for the key and (if defined) its subkeys. The following attributes are displayed: |
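To make the Fingerprint and Key ID attributes concrete, here is an added example (not SAP code and not the monitor's implementation) that derives both from an RSA public key following RFC 4880, section 12.2; the modulus and creation time are constructed placeholder values. It goes slightly beyond the page in showing that the creation time is part of the hashed data, so the same key material with a different timestamp yields a different Key ID.

```python
"""Derive an OpenPGP v4 fingerprint and Key ID from an RSA public key (RFC 4880, section 12.2).
Added example, not SAP code: the fingerprint is SHA-1 over 0x99, a two-octet length and the
public-key packet body; the Key ID the monitor compares is the low-order 64 bits of it."""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-octet bit length followed by big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def public_key_packet_body(modulus: int, exponent: int, created: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(exponent)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || two-octet body length || body), shown as 40 hex characters."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fp: str) -> str:
    """The long Key ID (16 hex characters) is the trailing 64 bits of the fingerprint."""
    return fp[-16:]


# Constructed dummy 2048-bit modulus: deterministic filler bytes, NOT a usable RSA key.
DUMMY_MODULUS = int.from_bytes(hashlib.sha512(b"example-modulus").digest() * 4, "big") | (1 << 2047) | 1
DUMMY_EXPONENT = 65537
CREATED = 1_700_000_000   # constructed creation timestamp (seconds since the Unix epoch)


def describe(modulus=DUMMY_MODULUS, exponent=DUMMY_EXPONENT, created=CREATED) -> dict:
    """Return the identifiers the Key Details view would show for this public key."""
    fp = fingerprint(public_key_packet_body(modulus, exponent, created))
    return {"fingerprint": fp, "key_id": key_id(fp)}


if __name__ == "__main__":
    print(describe())
```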
Authorizations
To protect the use of PGP Keys monitor, the following roles are available:
| Task | Role (Neo) | Role-Template (Cloud Foundry) |
| --- | --- | --- |
| Add PGP keyring artifacts | NodeManager.deploysecuritycontent, NodeManager.deploycontent | SecurityMaterialEdit |
| Undeploy PGP keyring artifacts | NodeManager.deploycontent, NodeManager.deploysecuritycontent | SecurityMaterialEdit |
| Download PGP keyring artifacts | NodeManager.read, NodeManager.readsecuritycontent | SecurityMaterialDownload |
| Display PGP keyring artifacts | NodeManager.read | MonitoringDataRead |
Planned Iterations: PGP Key Monitor
- Upload/Download PGP Keyrings: operations on entire keyrings (available: April 2022, Neo 5.35.x, CF 6.27.x)
- Display Key Details: display secret and public key details (available: January 2023, Neo 5.43.x, CF 6.35.x)
- Single Key Operations: add, download, and delete single secret and public keys. Availability of the single key operations retires the secret and public key display and delete functionality in Manage Security Material (available: April 2023, Neo 5.46.x, CF 6.38.x)
Further Information
SAP Help: Managing PGP Keys
SAP Help: How OpenPGP Works
SAP Blog: Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password
Hi Marco Freischlag,
nice feature. I am looking forward to the "Single Key Operations" as this would make the need for an external PGP key handling tool obsolete in most cases. Currently it would be nice if this warning you have written here were also displayed in the WebUI, because to replace the key ring one has to press the Add button in the WebUI. So someone who has not read the documentation or your blog could assume that the uploaded keys are added to the key ring in CPI when actually there is a replace operation happening.
BR, Benjamin
Hi Benjamin,
please stay tuned. In the next increment, which is currently being developed, you can expect some changes in the upload dialogue which enable you to have better control and not be forced to replace the entire key ring every time.
Regards Marco
Hello Marco,
Thank you, product management and development teams for introducing these new features to the PGP keys monitor, the tool becomes more and more instrumental and feature-rich with those increments, and reduces dependency on external PGP key management tools.
An idea/proposal that came to my mind after using the PGP keys monitor and in particular, when downloading keys from there, is: would you consider introducing an option to download a public key out of a secret key stored in the secret keyring in a Cloud Integration tenant?
A use case when the above-described feature may become relevant is, for example, when a PGP key pair was generated, a secret key was imported into a secret keyring in a Cloud Integration tenant and is used in integration flows, a public key needs to be communicated to an integrated counterpart that shall use it to encrypt a message content or to verify a signature, but a public key got lost later and, for some reason, there are no copies of the public key that can be restored from other locations or recovered by other means. Since we can technically restore/regenerate a public key from a secret key, and as far as a secret key is available and is not compromised, we shall not need to regenerate the entire PGP key pair and use a new secret key in existing scenarios if we only lost a public key.
Currently, we can use external / 3rd party tools (for example, GnuPG) for this. The approach that I can think of (and that I used in the past), would comprise the following steps:
If this feature is a part of the PGP keys monitor in Cloud Integration, we will not need an external tool to get utilized and will not need to use temporary keyrings outside of a Cloud Integration tenant.
Regards,
Vadim
Thanks Vadim for your feedback. Your points are valid and we have already discussed some options.
We keep this feature in mind for the next planning of PGP increments.
Regards Marco
Marco, thank you for your comment and for consideration of this feature. I will be looking forward to new increments of a PGP keys monitor, this tool truly makes it simpler and more convenient to manage PGP keys in Cloud Integration.
Regards,
Vadim