Marco Freischlag

Cloud Integration – How to use PGP Keys Monitor

Introduction

SAP Cloud Integration PGP Keys Monitor enables you to manage PGP keyrings (secring, pubring).

  • The 3rd increment, available with the 2023 April software update (Neo 5.46.x, CF 6.38.x), adds single key operations (upload, delete, download) to the PGP Keys Monitor.
  • The 2nd increment, available with the 2023 January update (Neo 5.43.x, CF 6.35.x), enhances the PGP Keys Monitor with the capability to display key details.
  • The first version of the PGP Keys Monitor was made available with the 2022 April update (Neo 5.35.x, CF 6.27.x).

With previous SAP Cloud Integration releases, the PGP Secret Keyring and PGP Public Keyring were managed in the Cloud Integration Monitor section under Manage Security using the Security Material tile. Here, you had the option to upload, download, and delete secret and public keyrings.
SAP Cloud Integration manages only a single secret and a single public keyring which include the corresponding secret and public keys.

PGP Public Keyring (pubring): This artifact contains the public keys that enable the tenant to encrypt or verify messages using the Pretty Good Privacy (PGP) standard.

PGP Secret Keyring (secring): This artifact contains the PGP secret keys (also referred to as private keys) for use with OpenPGP. The private key enables the tenant to decrypt or sign messages.

Please see SAP Help – How OpenPGP Works.

PGP Keys Monitor

Now, a new PGP Keys Monitor is available on your SAP Cloud Integration tenant. To access it, go to the Monitor section and under Manage Security select the PGP Keys tile:

[Figure: Manage Security section of the Monitor, showing the PGP Keys tile]

Overview PGP Keys

The PGP Keys monitor allows you to manage the public and private PGP keys.

A list of public and secret PGP keys is displayed in a table. For each artifact, the following attributes are displayed:

Attribute – Description

User ID – States the User ID of this PGP key.
Type – Indicates whether the entry is a public PGP or a secret PGP key.
Key ID – States the key ID.
Validity State – Indicates the validity state. The following states are possible:
  • Valid: The PGP key is valid.
  • Critical: The PGP key expires within the next 14 days.
  • Expired: The PGP key is no longer valid.
Valid Until – Indicates the expiration date.
Modified On – Indicates the date and time the entry was last modified.
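As an added illustration (not part of the original post and not SAP's monitor code), the following Python models the Validity State column: the classification rule with its 14-day Critical window, the case of a key without an expiration date (treated here as Valid, an assumption of this example), and a review list sorted by urgency that states what stops working for each expiring key, derived from the keyring descriptions in the introduction. All keys, dates and Key IDs are constructed placeholders.

```python
"""Classify PGP keys into the monitor's Validity State values (Valid, Critical, Expired)
and build the review list an operator would act on. Added example; all keys are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

CRITICAL_WINDOW = timedelta(days=14)   # keys expiring within the next 14 days are Critical

# What stops working when a key of this type expires (public: encrypt/verify, secret: decrypt/sign)
IMPACT = {
    "public": "tenant can no longer encrypt for this partner or verify its signatures",
    "secret": "tenant can no longer decrypt or sign with this key",
}


def validity_state(valid_until: Optional[datetime], now: datetime) -> str:
    """Map the Valid Until timestamp to the Validity State column.
    An OpenPGP key without an expiration time (None) is treated as Valid (assumption)."""
    if valid_until is None or valid_until - now > CRITICAL_WINDOW:
        return "Valid"
    if valid_until > now:
        return "Critical"
    return "Expired"


def review(keys: list, now: datetime) -> dict:
    """Group keys by state; Critical and Expired keys are sorted most urgent first and
    carry the days left (negative when already expired) and the operational impact."""
    report = {"Valid": [], "Critical": [], "Expired": []}
    for key in keys:
        state = validity_state(key["valid_until"], now)
        entry = {"key_id": key["key_id"], "user_id": key["user_id"], "type": key["type"]}
        if state != "Valid":
            entry["days_left"] = (key["valid_until"] - now).days
            entry["impact"] = IMPACT[key["type"]]
        report[state].append(entry)
    for state in ("Critical", "Expired"):
        report[state].sort(key=lambda e: e["days_left"])
    return report


NOW = datetime(2023, 4, 1, tzinfo=timezone.utc)   # fixed clock so the sample is reproducible

# Constructed sample rows in the shape of the monitor's table (Key IDs are placeholders)
SAMPLE_KEYS = [
    {"user_id": "Partner A <a@example.com>", "type": "public", "key_id": "A1A1A1A1A1A1A1A1",
     "valid_until": NOW + timedelta(days=30)},
    {"user_id": "Partner B <b@example.com>", "type": "public", "key_id": "B2B2B2B2B2B2B2B2",
     "valid_until": NOW + timedelta(days=14)},
    {"user_id": "Tenant <tenant@example.com>", "type": "secret", "key_id": "C3C3C3C3C3C3C3C3",
     "valid_until": NOW + timedelta(days=1)},
    {"user_id": "Partner D <d@example.com>", "type": "public", "key_id": "D4D4D4D4D4D4D4D4",
     "valid_until": NOW - timedelta(days=1)},
    {"user_id": "Legacy <legacy@example.com>", "type": "secret", "key_id": "E5E5E5E5E5E5E5E5",
     "valid_until": None},
]

if __name__ == "__main__":
    for state, entries in review(SAMPLE_KEYS, NOW).items():
        for entry in entries:
            print(state, entry)
```

A key that expires exactly 14 days from now is already Critical here, matching the "within the next 14 days" wording; the secret key with one day left sorts before the public key with 14 days left, since losing a secret key breaks the tenant's own decryption and signing.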

PGP Keys Monitor: Actions

The current scope of the PGP Keys Monitor comprises the following features:

  • Uploading secret or public keyrings (single key and multiple keys)
  • Downloading secret or public keys (single key and entire keyring)
  • Deleting secret or public keys (single key)

Add

To upload public or secret keys, choose one of the following options:

  • Add –> Public Keys
  • Add –> Secret Keys

In previous versions, uploading a new secret or public keyring file always replaced the entire existing keyring. This behaviour has been improved: users can now decide which upload option to use.

Adding Secret, Public Keys

The selected keyring file can contain one or several PGP secret or public keys, depending on the chosen action, but a single file must contain either only public or only secret keys.

The keys must be in one of the following formats:

  • Binary format (typical file extension: .gpg)
  • ASCII armored format (typical file extension: .asc)

The following upload options are available:

Add

Adds the entries from the uploaded keyring. These are merged with the existing keys.

When you select the option Overwrite Existing Keys, existing entries are overwritten by uploaded entries with the same KeyId value.

Note:

A PGP key is considered identical to another one if the hexadecimal KeyId value of both keys matches. Note that there can be several distinct PGP keys with the same UserId.
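The following Python is an added example, not code from SAP or from this post. It does what a keyring upload has to go through before the upload options apply: it detects the two formats listed above (binary vs ASCII armored, verifying the armor's CRC-24 trailer), walks the OpenPGP packets, computes each key's v4 fingerprint and Key ID (the low 64 bits of the fingerprint, which is the hexadecimal KeyId value the Note refers to), collects the user IDs, and rejects a file that mixes public and secret keys. It also shows why a secret key and its public counterpart share one Key ID: the fingerprint is computed over the public fields that lead a secret key packet. Assumptions: only v4 RSA, DSA and ElGamal key packets with body lengths below 8384 bytes are handled; the sample keyrings are built from constructed toy key material, not real keys.

```python
import base64
import hashlib
import struct

SECRET_TAGS, PUBLIC_TAGS, TAG_USER_ID = {5, 7}, {6, 14}, 13   # RFC 4880 packet tags
# Public-key MPIs per algorithm (RFC 4880 5.5.2): RSA n,e; ElGamal p,g,y; DSA p,q,g,y
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}

def crc24(data: bytes) -> int:
    crc = 0xB704CE                          # RFC 4880 section 6.1 reference algorithm
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str) -> str:
    """ASCII-armor binary packets (used here to build the sample .asc input)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n{crc_line}\n-----END PGP {kind}-----\n"

def dearmor(text: str) -> bytes:
    """Decode ASCII armor and verify its CRC-24 trailer."""
    body, crc_line = [], None
    for ln in (ln.strip() for ln in text.splitlines()):
        if ln.startswith("-----END PGP "):
            break
        if ln.startswith("="):
            crc_line = ln[1:]
        elif ln and not ln.startswith("-----") and ":" not in ln:   # skip BEGIN line and armor headers
            body.append(ln)
    data = base64.b64decode("".join(body))
    if crc_line is None or int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor checksum missing or wrong: file truncated or altered")
    return data

def packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        if hdr & 0x40:                                          # new format
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            else:
                raise ValueError("five-octet and partial body lengths are not handled here")
        else:                                                   # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not handled here")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length

def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99, length, public fields); a secret key packet starts with those same fields."""
    if body[0] != 4 or body[5] not in MPI_COUNT:
        raise ValueError("only v4 RSA/DSA/ElGamal key packets are handled here")
    end = 6
    for _ in range(MPI_COUNT[body[5]]):
        end += 2 + (int.from_bytes(body[end:end + 2], "big") + 7) // 8
    pub = body[:end]
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).hexdigest().upper()

def inspect_keyring(raw: bytes) -> dict:
    """Return file format, key type and one entry per key or subkey, in upload order."""
    armored = raw.lstrip().startswith(b"-----BEGIN PGP ")
    data = dearmor(raw.decode("ascii")) if armored else raw
    keys, kinds = [], set()
    for tag, body in packets(data):
        if tag in SECRET_TAGS or tag in PUBLIC_TAGS:
            kind = "secret" if tag in SECRET_TAGS else "public"
            kinds.add(kind)
            keys.append({"type": kind, "subkey": tag in (7, 14), "key_id": fingerprint(body)[-16:], "user_ids": []})
        elif tag == TAG_USER_ID and keys:
            keys[-1]["user_ids"].append(body.decode("utf-8", "replace"))
    if len(kinds) != 1:
        raise ValueError("file must contain only public keys or only secret keys")
    return {"format": "ascii-armored" if armored else "binary", "type": kinds.pop(), "keys": keys}

# Sample builders (MPI encoding, new-format one-octet-length header) and constructed toy RSA
# material with a 128-bit modulus: NOT a usable key, only shaped like one for the samples below
mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
new_packet = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body
TOY_N, TOY_E, TOY_D = 0xC2F0A3B7E1D94C5F88A61B2D7C4E9F13, 65537, 0x3A7
PUBLIC_BODY = b"\x04" + struct.pack(">I", 1_700_000_000) + b"\x01" + mpi(TOY_N) + mpi(TOY_E)
SECRET_BODY = PUBLIC_BODY + b"\x00" + mpi(TOY_D) + struct.pack(">H", sum(mpi(TOY_D)) % 65536)
USER_ID = new_packet(TAG_USER_ID, b"Alice Example <alice@example.com>")
SAMPLE_PUBRING_ASC = armor(new_packet(6, PUBLIC_BODY) + USER_ID, "PUBLIC KEY BLOCK").encode()
SAMPLE_SECRING_GPG = new_packet(5, SECRET_BODY) + USER_ID
```

Running inspect_keyring over the armored public sample and the binary secret sample yields the same 16-character Key ID for both, which is the situation the Download section describes (a secret and a public key existing for one Key ID); concatenating the two files makes inspect_keyring refuse the upload.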

Replace

Replaces the whole existing keyring, including all of its keys, with the uploaded one (the same behaviour as in previous versions).

You need to confirm the replacement of the existing keys.

WARNING: You will replace the entire keyring when adding a new one. Make sure that you keep your external backup.

After a successful upload, a dialog is displayed showing the summary of the added, removed, changed, and not imported keys, if there are any. If any keys were not uploaded, information is provided to explain why (for example, the key with the same key id already exists). The keys in the table refresh automatically. You can also manually refresh the list by clicking the refresh button.
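An added example (not SAP's code and not part of the original post) that models the three upload outcomes described above, Add, Add with Overwrite Existing Keys, and Replace, together with the summary the dialog reports and the confirmation Replace requires. Keys are compared by Key ID only; the two constructed uploaded keys that share the User ID "Partner B" show why a matching User ID does not make two keys identical. Key IDs, User IDs and dates are placeholders, and the field layout of a key record is an assumption of this example.

```python
"""Model the upload options of the PGP Keys monitor (Add, Add with Overwrite Existing Keys,
Replace) and the summary shown afterwards. Added example with constructed keys; a key's
identity is its hexadecimal Key ID, never its User ID."""

ALREADY_EXISTS = "key with the same Key ID already exists"
DUPLICATE_IN_FILE = "Key ID occurs more than once in the uploaded file"


def upload(keyring: dict, uploaded: list, mode: str, overwrite: bool = False,
           confirmed: bool = False) -> tuple:
    """keyring maps Key ID -> key record (field layout is an assumption of this example).
    mode "add" merges the uploaded keys into the keyring; "replace" discards the existing
    keyring first and therefore requires confirmed=True. Returns (new keyring, summary)."""
    if mode not in ("add", "replace"):
        raise ValueError(f"unknown upload mode {mode!r}")
    if mode == "replace" and not confirmed:
        raise PermissionError("Replace discards the entire keyring: confirm it (keep an external backup) first")
    summary = {"added": [], "changed": [], "removed": [], "not_imported": {}}
    new = {} if mode == "replace" else dict(keyring)   # shallow copy: the caller's keyring is untouched
    seen = set()
    for key in uploaded:
        kid = key["key_id"]
        if kid in seen:
            summary["not_imported"][kid] = DUPLICATE_IN_FILE
            continue
        seen.add(kid)
        if kid in new:                                  # add mode: Key ID already in the keyring
            if not overwrite:
                summary["not_imported"][kid] = ALREADY_EXISTS
                continue
            if new[kid] != key:
                summary["changed"].append(kid)
        elif kid in keyring:                            # replace mode: key survives, maybe updated
            if keyring[kid] != key:
                summary["changed"].append(kid)
        else:
            summary["added"].append(kid)
        new[kid] = key
    if mode == "replace":
        summary["removed"] = sorted(set(keyring) - set(new))
    return new, summary


# Constructed existing public keyring and uploaded file; Key IDs, User IDs and dates are placeholders
EXISTING = {
    "A1A1A1A1A1A1A1A1": {"key_id": "A1A1A1A1A1A1A1A1", "user_id": "Partner A", "valid_until": "2024-01-31"},
    "B2B2B2B2B2B2B2B2": {"key_id": "B2B2B2B2B2B2B2B2", "user_id": "Partner B", "valid_until": "2023-06-30"},
}
UPLOADED = [
    {"key_id": "B2B2B2B2B2B2B2B2", "user_id": "Partner B", "valid_until": "2024-06-30"},  # renewed, same Key ID
    {"key_id": "C3C3C3C3C3C3C3C3", "user_id": "Partner B", "valid_until": "2024-06-30"},  # new key, same User ID
    {"key_id": "C3C3C3C3C3C3C3C3", "user_id": "Partner B", "valid_until": "2024-06-30"},  # listed twice in the file
]

if __name__ == "__main__":
    for mode, overwrite in (("add", False), ("add", True), ("replace", False)):
        _, summary = upload(EXISTING, UPLOADED, mode, overwrite=overwrite, confirmed=True)
        print(mode, "with overwrite" if overwrite else "", summary)
```

With plain Add the renewed Partner B key is reported as not imported because its Key ID already exists; with Overwrite Existing Keys it is reported as changed; with Replace, Partner A disappears and shows up under removed, which is what the warning about keeping an external backup is about.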

Download

To download public or secret keys, choose one of the following options:

  • Download –> Public Keys
  • Download –> Secret Keys

This option will download the entire secret or public keyring.

To download a specific single key, choose the download icon.

If both a secret key and a public key exist for a Key ID, you must choose which one to download. When downloading the secret key, a passphrase is required to encrypt the exported key.

Delete

Single keys can be deleted from the overview; this functionality has been moved here from Manage Security Material.

The following table provides more information on these actions:

Action – Description

Add public or secret keys – To add a public or secret keyring, select Add –> Public Keys or Add –> Secret Keys. When adding a secret keyring, you need to specify the key passphrase.

Download – To download a keyring, select the artifact in the table and choose Download –> Public Keys or Download –> Secret Keys.

Download a single key – To download a dedicated key as a file, click the download button at the end of the row of the key. When downloading a secret key, you need to specify the key passphrase twice.

Delete – To delete a dedicated key, click the delete button at the end of the row of the key.

PGP Keys Monitor: Key Details

You can view the key details by clicking on the corresponding key.

The Key Details tab shows the following attributes for the selected key; the actions for downloading and deleting the selected key are also available there.

Attribute – Description

Fingerprint – Character sequence that identifies the public key. A fingerprint is generated by applying a hash function to the public key.

User IDs – User IDs associated with the key. In the context of PGP, a user ID indicates the entity that uses the key to perform a dedicated action on the message content. The user ID can be a name, an email address, or a combination of both. Examples:
  • A user ID associated with a public PGP key indicates the entity that receives the message encrypted with the public key.
  • A user ID associated with a secret PGP key indicates the entity that sends the encrypted message that is to be decrypted using the secret key.

PGP Keys – This section shows a set of attributes for the key and (if defined) its subkeys. The following attributes are displayed:
  • ID: Key ID that uniquely identifies the key or subkey
  • Type: Indicates whether this is a public or a secret key
  • Strength: The length of the key in bits
  • Usage (Key Flags): Shows for which activity the key is used, for example, message encryption
  • Valid From, Valid Until: Indicate the start and the end (expiration date) of the key's validity period
  • Modified On: Indicates the date and time the key was last modified

Authorizations

To protect the use of PGP Keys monitor, the following roles are available:

Task – Role (Neo) – Role-Template (Cloud Foundry)

Add PGP keyring artifacts – NodeManager.deploysecuritycontent, NodeManager.deploycontent – SecurityMaterialEdit
Undeploy PGP keyring artifacts – NodeManager.deploycontent, NodeManager.deploysecuritycontent – SecurityMaterialEdit
Download PGP keyring artifacts – NodeManager.read, NodeManager.readsecuritycontent – SecurityMaterialDownload
Display PGP keyring artifacts – NodeManager.read – MonitoringDataRead

Planned Iterations: PGP Key Monitor

  1. Upload/Download PGP Keyrings: Operation on entire keyrings (Available: April 2022, Neo 5.35.x, CF 6.27.x)
  2. Display Key details: Display secret, public key details (Available: January 2023, Neo 5.43.x, CF 6.35.x)
  3. Single Key Operations: Add, download, and delete single secret or public keys. The availability of the single key operations retires the secret and public key display and delete functionality of Manage Security Material (Available: April 2023, Neo 5.46.x, CF 6.38.x)

Further Information

SAP Help: Managing PGP Keys
SAP Help: How OpenPGP Works 
SAP Blog: Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password

      5 Comments

      Benjamin Nehring

      Hi Marco Freischlag,

      nice feature. I am looking forward to the "Single Key Operations" as this would make the need for an external PGP Key handling tool obsolete in most cases. Currently it would be nice if this warning you have written here would be also displayed in the WebUI, because to replace the key ring one has to press the Add button in the WebUI. So someone who has not read the documentation or your blog could assume that the uploaded keys are added to the key ring in CPI when actually there is a replace operation happening.

      BR, Benjamin

      Marco Freischlag (Blog Post Author)

      Hi Benjamin,

      please stay tuned. In the next increment, which is currently being developed, you can expect some changes in the upload dialogue which enable you to have better control and not be forced to replace the entire key ring every time.

      Regards Marco

      Vadim Klimov

      Hello Marco,

      Thank you, product management and development teams for introducing these new features to the PGP keys monitor, the tool becomes more and more instrumental and feature-rich with those increments, and reduces dependency on external PGP key management tools.

      An idea/proposal that came to my mind after using the PGP keys monitor and in particular, when downloading keys from there, is: would you consider introducing an option to download a public key out of a secret key stored in the secret keyring in a Cloud Integration tenant?

      A use case when the above-described feature may become relevant is, for example, when a PGP key pair was generated, a secret key was imported into a secret keyring in a Cloud Integration tenant and is used in integration flows, a public key needs to be communicated to an integrated counterpart that shall use it to encrypt a message content or to verify a signature, but a public key got lost later and, for some reason, there are no copies of the public key that can be restored from other locations or recovered by other means. Since we can technically restore/regenerate a public key from a secret key, and as far as a secret key is available and is not compromised, we shall not need to regenerate the entire PGP key pair and use a new secret key in existing scenarios if we only lost a public key.

      Currently, we can use external / 3rd party tools (for example, GnuPG) for this. The approach that I can think of (and that I used in the past), would comprise the following steps:

      1. Obtain a secret key and a passphrase for it (now, a secret key can be downloaded from a Cloud Integration tenant using the PGP keys monitor),
      2. Import a secret key to a temporary keyring (this operation will implicitly trigger the generation of a corresponding public key in a public keyring),
      3. Export a newly generated public key from a public keyring.

      If this feature is a part of the PGP keys monitor in Cloud Integration, we will not need an external tool to get utilized and will not need to use temporary keyrings outside of a Cloud Integration tenant.

      Regards,

      Vadim

      Marco Freischlag (Blog Post Author)

      Thanks Vadim for your feedback. Your points are valid and we already discussed some options.

      We keep this feature in mind for the next planning of PGP increments.

      Regards Marco

      Vadim Klimov

      Marco, thank you for your comment and for consideration of this feature. I will be looking forward to new increments of a PGP keys monitor, this tool truly makes it simpler and more convenient to manage PGP keys in Cloud Integration.

      Regards,

      Vadim