Kris Chau

Maintaining Multiple Private PGP Keys in SAP Cloud Integration

Motivation – Recently we encountered a scenario where the Cloud Integration technical team had to import a new private PGP key. The steps are straightforward: just import the secret PGP key 😊 with its passphrase. But this actually raised a P1 incident, because the existing secret keys were wiped out by the new key, and the existing decryptions for the payroll files therefore failed.

Thank God, the team had a backup of all the keys.

Now the question is: how do we maintain multiple secret keys in Cloud Integration? Well, the steps are simple.

  • Download the secret key.
  • Open the downloaded key in a notepad (let’s call it Secret_Key1).
  • Create a new keypair with the Kleopatra tool, using the same passphrase as Secret_Key1 (let’s call it Secret_Key2).
  • Open Secret_Key2 in Notepad. Copy its private key block and paste it below the Secret_Key1 private key block.
  • Import Secret_Key1 back with its passphrase.


Let’s explore this step by step.

Step 1: Download the secret key.

Step 2: Open the downloaded key in Notepad (let’s call it Secret_Key1).

Step 3: Create a new keypair with the Kleopatra tool, using the same passphrase as Secret_Key1 (let’s call it Secret_Key2).


Step 4: Open Secret_Key2 in Notepad. Copy its private key block and paste it below the Secret_Key1 private key block.


Step 5: Import Secret_Key1 back with its passphrase.


Probable error: If the two keys have different passphrases, the import fails with: The Private key with Key ID XXXXXXXXXX cannot be accessed with the provided password. Please adapt the password for this key.

Solution: All keys in the PGP Secret Keyring must have the same passphrase.
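As an added check (example code, not from this post or from SAP), the script below validates the pasted-together Secret_Key1 file before it is re-imported: it parses the ASCII armor, confirms the expected number of complete private key blocks, recomputes each block's CRC24 checksum to catch copy-paste damage, and verifies that every block starts with an OpenPGP Secret-Key packet rather than a public key. The key material is replaced by constructed placeholder packets so it runs offline; the function and constant names are the example's own.

```python
import base64
import re

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"

def crc24(data: bytes) -> bytes:
    """Armor checksum from RFC 4880 section 6.1, as the 3 bytes encoded after '='."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return (crc & 0xFFFFFF).to_bytes(3, "big")

def packet_tag(header: int) -> int:
    """Packet tag from the first header byte (RFC 4880 section 4.2); Secret-Key is tag 5."""
    if not header & 0x80:
        raise ValueError("body does not start with an OpenPGP packet header")
    return header & 0x3F if header & 0x40 else (header >> 2) & 0x0F  # new / old format

def check_keyring_file(text: str, expected_keys: int) -> bool:
    """True when the pasted-together file holds exactly expected_keys intact secret keys."""
    text = text.replace("\r\n", "\n")  # Notepad may have saved CRLF line endings
    blocks = re.findall(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), text, re.S)
    if text.count(BEGIN) != len(blocks) or text.count(END) != len(blocks):
        raise ValueError("unbalanced BEGIN/END lines: a block was truncated while pasting")
    if len(blocks) != expected_keys:
        raise ValueError(f"found {len(blocks)} key blocks, expected {expected_keys}")
    for block in blocks:
        lines = block.split("\n")
        if not lines[-1].startswith("="):
            raise ValueError("block has no =CRC line: its tail was cut off")
        # Headers like "Version:" contain ':' and base64 never does; bad base64 raises binascii.Error (a ValueError)
        packets = base64.b64decode("".join(l for l in lines[:-1] if ":" not in l), validate=True)
        if crc24(packets) != base64.b64decode(lines[-1][1:], validate=True):
            raise ValueError("armor checksum mismatch: the key body was altered")
        if not packets or packet_tag(packets[0]) != 5:
            raise ValueError("block does not start with a Secret-Key packet (tag 5)")
    return True

def armor(packets: bytes) -> str:  # builds the sample file; real blocks come from Kleopatra/CPI
    body = base64.b64encode(packets).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, ""] + lines + ["=" + base64.b64encode(crc24(packets)).decode(), END])

# Constructed stand-ins for Secret_Key1 and Secret_Key2 (not real keys): old-format Secret-Key header 0x95 + filler
KEY1 = b"\x95\x00\x0f" + b"secret key one!"
KEY2 = b"\x95\x00\x0f" + b"secret key two!"
COMBINED = armor(KEY1) + "\n" + armor(KEY2)  # Secret_Key2 pasted under Secret_Key1
```

The shared-passphrase requirement cannot be checked from the armor text; it still surfaces only as the import error quoted above.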


Using the above steps, we can maintain multiple secret PGP keys.

Any question or feedback will be appreciated!

      1 Comment
      Martin Pankraz

      Thanks for sharing Kris Chau! Any comments on key revocation? Likely you needed to introduce a new one due to security reasons. How did you make sure that new encryptions are possible with your old key? Regarding zero-trust approaches, having the same passphrase even though the private key is different is not advisable. How about an enhancement request via SAP Customer Influence?

      How about keeping the secrets outside of your CPI tenant for handling and automated synch towards all of your CPI tenants globally? One option would be the Azure KeyVault for instance. Have a look here about the synching aspect.

      KR

      Martin