Cloud Integration – How to use PGP Keys Monitor
SAP Cloud Integration PGP Keys Monitor enables you to manage PGP keyrings (secring, pubring).
- The 3rd increment, which is available with the 2023 April software update (Neo 5.46.x, CF 6.38.x), adds single key operations to the PGP Monitor (upload, delete, download)
- With the 2nd increment, which is made available with the 2023 January update (Neo 5.43.x, CF 6.35.x), the PGP Monitor is enhanced with the capability to display the key details
- First version of the PGP Keys Monitor was made available with the 2022 April update (Neo 5.35.x, CF 6.27.x)
With previous SAP Cloud Integration releases, the PGP Secret Keyring and PGP Public Keyring were managed in the Cloud Integration Monitor section under Manage Security using the Security Material tile. Here, you had the option to upload, download, and delete secret and public keyrings.
SAP Cloud Integration manages only a single secret and a single public keyring which include the corresponding secret and public keys.
PGP Public Keyring (pubring): This artifact contains the public keys that enable the tenant to encrypt or verify messages using the Pretty Good Privacy (PGP) standard.
PGP Secret Keyring (secring): This artifact contains the PGP secret keys (also referred to as private keys) used with OpenPGP. The private key enables the tenant to decrypt or sign messages.
Please see SAP Help – How OpenPGP Works.
PGP Keys Monitor
Now, a new PGP Keys Monitor is available on your SAP Cloud Integration tenant. To access it, go to the Monitor section and under Manage Security select the PGP Keys tile:
Overview PGP Keys
The PGP Keys monitor allows you to manage the public and private PGP keys.
A list of public and secret PGP keys is displayed in a table. For each artifact, the following attributes are displayed:
| Attribute | Description |
|---|---|
| User ID | States the User ID of this PGP key. |
| Type | Indicates whether the entry is a public PGP or a secret PGP key. |
| Key ID | States the key ID. |
| Validity State | Indicates the validity state. The following states are possible: |
| Valid Until | Indicates the expiration date. |
| Modified On | Indicates the date and time the entry was last modified. |
PGP Keys Monitor: Actions
The current scope of the PGP Key Monitor comprises the following features:
- Uploading secret, public keyrings (single key and multiple keys)
- Downloading secret, public keyrings (single key and entire keyring)
- Deleting secret, public keys (single key)
To upload public or secret keys, choose one of the following options:
- Add –> Public Keys
- Add –> Secret Keys
In previous versions, adding a new secret or public keyring file could only replace the entire existing keyring with the new one. This behaviour has been improved so that users can decide which upload option to use.
Adding Secret, Public Keys
The selected keyring file can contain one or several PGP secret or public keys, depending on the chosen action, but a single file can contain only public keys or only secret keys.
The keys must be in one of the following formats:
- Binary format (typical file extension: .gpg)
- ASCII armored format (typical file extension: .asc)
The following upload options are available:
- Adds the entries from the uploaded keyring. These are merged with the existing keys. When you select the option Overwrite Existing Keys, existing entries are overwritten by uploaded entries with the same KeyId value. A PGP key is considered identical to another one if the hexadecimal KeyId value of both keys matches. Note that there can be several distinct PGP keys with the same UserId.
- Replaces the existing keyring, including all keys, with the uploaded one (same behaviour as in previous versions).
- Replaces the whole keyring with the uploaded one (replaces only the keys that are already available).
You need to confirm the replacement of the existing keys.
WARNING: You will replace the entire keyring when adding a new one. Make sure that you keep your external backup.
After a successful upload, a dialog is displayed showing the summary of the added, removed, changed, and not imported keys, if there are any. If any keys were not uploaded, information is provided to explain why (for example, the key with the same key id already exists). The keys in the table refresh automatically. You can also manually refresh the list by clicking the refresh button.
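To make the merge, overwrite and replace behaviours and the resulting summary concrete, here is an added Python model of the rules described above (example code written for this post, not SAP Cloud Integration code; key identity is the hexadecimal KeyId, the keyring mode names and the sample keys are constructed assumptions):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PgpKey:
    key_id: str       # hexadecimal KeyId; two keys with equal KeyId count as the same key
    user_id: str      # not unique: several distinct keys may carry the same UserId
    kind: str         # "public" or "secret"; one keyring file holds only one kind
    fingerprint: str  # used here only to tell whether an overwritten entry actually changed

def import_keyring(existing, uploaded, mode, overwrite_existing=False):
    """Apply an upload to a keyring and return (new keyring, summary dict).
    mode "add": merge; a KeyId already present is skipped unless overwrite_existing.
    mode "replace": discard the existing keyring and keep only the uploaded keys.
    The summary mirrors the upload dialog: added, changed, removed, not imported."""
    if mode not in ("add", "replace"):
        raise ValueError(f"unknown upload mode {mode!r}")
    if len({k.kind for k in uploaded}) > 1:
        raise ValueError("a keyring file must contain only public or only secret keys")
    # KeyId identity is on the hex value, so compare case-insensitively
    old = {k.key_id.upper(): k for k in existing}
    new = {} if mode == "replace" else dict(old)
    summary = {"added": [], "changed": [], "removed": [], "not_imported": {}}
    for key in uploaded:
        kid = key.key_id.upper()
        if kid not in old:
            summary["added"].append(kid)
        elif mode == "add" and not overwrite_existing:
            summary["not_imported"][kid] = "key with the same key id already exists"
            continue
        elif old[kid].fingerprint != key.fingerprint:
            summary["changed"].append(kid)
        new[kid] = key
    summary["removed"] = sorted(kid for kid in old if kid not in new)
    return list(new.values()), summary

# Constructed sample keys (no real key material); two entries share a UserId but not a KeyId
EXISTING = [
    PgpKey("0A1B2C3D4E5F6071", "ops@example.com", "public", "fp-old-1"),
    PgpKey("1122334455667788", "ops@example.com", "public", "fp-old-2"),
]
UPLOAD = [
    PgpKey("0a1b2c3d4e5f6071", "ops@example.com", "public", "fp-new-1"),  # same KeyId, new key data
    PgpKey("99AABBCCDDEEFF00", "partner@example.com", "public", "fp-new-3"),
]

if __name__ == "__main__":
    for mode, ow in (("add", False), ("add", True), ("replace", False)):
        ring, summary = import_keyring(EXISTING, UPLOAD, mode, ow)
        print(f"{mode} overwrite={ow}: {len(ring)} keys ->", summary)
```

Running it shows the same KeyId being reported as "not imported" without Overwrite Existing Keys, as "changed" with it, and the key missing from the upload being reported as "removed" only in replace mode.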
To download public or secret keys, choose one of the following options:
- Download –> Public Keys
- Download –> Secret Keys
This option will download the entire secret or public keyring.
To download a specific single key, choose the download icon.
If both a secret key and a public key exist for a Key ID, you must choose which one to download. To download the secret key, a passphrase is required to encrypt the key.
Single keys can be deleted from the overview; this functionality has been moved here from Manage Security Material.
The following table provides more information on these actions:
| Action | Description |
|---|---|
| Add public or secret keys | To add a public or secret keyring, select Add Public or Secret Keys. When adding a secret keyring, you need to specify the key passphrase. |
| Download | To download an artifact, select the artifact in the table and choose Download Public Key or Secret Keys. |
| Download a single key | To download a dedicated key as a file, click the download button at the end of the row of the key. When downloading a secret key, you need to specify the key passphrase twice. |
| Delete | To delete a dedicated key, click the delete button at the end of the row of the key. |
PGP Keys Monitor: Key Details
You can view the key details by clicking on the corresponding key.
The Key Details tab shows the following attributes for the selected key; in addition, the actions for downloading and deleting the selected key are available in the key details.
Fingerprint: Character sequence that identifies the public key. A fingerprint is generated by applying a hash function to the public key.
User IDs: User IDs associated with the key. In the context of PGP, a user ID indicates the entity that uses the key to perform a dedicated action on the message content. The user ID can be a name, an email address, or a combination of both.
This section also shows a set of attributes for the key and (if defined) its subkeys. The following attributes are displayed:
To protect the use of PGP Keys monitor, the following roles are available:
| Task | Role (Neo) | Role-Template (Cloud Foundry) |
|---|---|---|
| Add PGP keyring artifacts | NodeManager.deploysecuritycontent | |
| Undeploy PGP keyring artifacts | NodeManager.deploycontent | |
| Download PGP keyring artifacts | NodeManager.read | |
| Display PGP keyring artifacts | NodeManager.read | MonitoringDataRead |
Planned Iterations: PGP Key Monitor
- Upload/Download PGP Keyrings: Operation on entire keyrings (Available: April 2022, Neo 5.35.x, CF 6.27.x)
- Display Key details: Display secret, public key details (Available: January 2023, Neo 5.43.x, CF 6.35.x)
- Single Key Operations: Add, Download, Delete single secret, public keys. Availability of the single key operations retires the secret, public key display and delete functionality in Manage Security Material (Available: April 2023, Neo 5.46.x, CF 6.38.x)
SAP Help: Managing PGP Keys
SAP Help: How OpenPGP Works
SAP Blog: Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password