In SAP Cloud Integration, you can upload a PGP secring.gpg to use secret keys in the PGP decryption or encryption step of your integration flow. The SAP help documentation describes how to export and import PGP public keys with the help of the GNU Privacy Assistant. Yet, there are no details on how to export and import PGP secret keys. Here, we provide a step-by-step description of how to export and import PGP secret keys from a PGP secring deployed on your Cloud Integration tenant via the GPG command line tool. Furthermore, we also describe how to change the password of a secret key.
Prerequisites
Export a PGP Secret Key
Download your PGP secret keyring from the Cloud Integration Web UI using the Administrator user. The downloaded file must have the name "secring.gpg".
If you got the PGP secret keyring "secring.gpg" from somewhere else (because you want to add the secret keys of this secring to the secring uploaded to your Cloud Integration tenant), you can also use the following steps to first export the secret keys, and then use the commands of the following chapter "Import PGP Secret Key" to import them.
- Place the downloaded file secring.gpg into an empty directory. In the following, we assume that the directory path is given by C:/source.
- List the content of the secring with the following gpg command:
gpg --homedir=C:/source --list-secret-keys
Example output of the command:
...
C:/source/secring.gpg
---------------------
sec 2048R/BBB29842 2021-01-17
uid source <souce@source.com>
ssb 2048R/64FACE2B 2021-01-17
- Find out the uid (user ID) of the secret key you want to export. You can see the uid(s) of the secret keys from the output display of the previous command. In the example above, we only have one secret key with uid="source <souce@source.com>". We will use this uid in the following command.
- Export the secret key with this uid into a file using the following command (below we use the file name "my-secret-key.pem"):
gpg --homedir=C:/source --armor --export-secret-key "source <souce@source.com>" > my-secret-key.pem
You can now use the exported file "my-secret-key.pem" in the following chapter to import the secret key into another PGP secring. The exported file contains the secret key, so keep it access-restricted and delete it once the import is done.
Import PGP Secret Key
You now need a secret key file that was produced in a similar way as shown in the previous chapter "Export a PGP Secret Key". In the following, we assume that you have such a file with the name "my-secret-key.pem" in the directory where you execute the gpg commands. Execute the following commands to import a PGP secret key into a PGP secret keyring with the name "secring.gpg". For example, you can get the secring.gpg by downloading this file from your Cloud Integration tenant.
- Store the PGP secret keyring with the name "secring.gpg" in the empty directory C:/target. You can also choose another directory name, but keep in mind that the following commands assume that the directory name is C:/target.
- List the secret keys which are already contained in the PGP secret keyring:
gpg --homedir=C:/target --list-secret-keys
Output Example of this command:
C:/target/secring.gpg
---------------------
sec 2048R/5D629E05 2021-01-17
uid target <target@target.com>
ssb 2048R/18A00B85 2021-01-17
- Import the secret key (as an example, we use the file "my-secret-key.pem" which contains the secret key):
gpg --homedir=C:/target --import my-secret-key.pem
Output Example of this command:
gpg: key BBB29842: secret key imported
gpg: key BBB29842: public key "source <souce@source.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1
- List the secret keys of the PGP secret keyring to check whether the import was successful:
gpg --homedir=C:/target --list-secret-keys
Output example of the command:
C:/target/secring.gpg
---------------------
sec 2048R/5D629E05 2021-01-17
uid target <target@target.com>
ssb 2048R/18A00B85 2021-01-17
sec 2048R/BBB29842 2021-01-17
uid source <souce@source.com>
ssb 2048R/64FACE2B 2021-01-17
Once you’ve imported all the secret keys you need, you can upload the PGP secret keyring file secring.gpg to the Cloud Integration tenant.
Note: All secret keys in the secret keyring must have the same password. If this is not the case, read the following chapter on how to change the password of a secret key in a PGP secret keyring.
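A way to script the before/after comparison from the listing steps above, as an added example that is not part of the original post: it parses the legacy listing format shown in the example outputs and confirms that the import added exactly the expected key ID and removed none. The function names are hypothetical, and the parser assumes the "sec <bits><algo>/<8-hex key ID>" line layout seen above; other GnuPG versions print the listing differently.

```python
import re
import subprocess

# Legacy listing lines as shown above, e.g. "sec 2048R/BBB29842 2021-01-17".
SEC_LINE = re.compile(r"^sec\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s")
UID_LINE = re.compile(r"^uid\s+(.+?)\s*$")

def parse_secret_keys(listing):
    """Map each secret key ID in a --list-secret-keys listing to its uids."""
    keys, current = {}, None
    for line in listing.splitlines():
        sec, uid = SEC_LINE.match(line), UID_LINE.match(line)
        if sec:
            current = sec.group(1).upper()
            keys[current] = []
        elif uid and current:
            keys[current].append(uid.group(1))
    return keys

def verify_import(before, after, expected_key_id):
    """True only if the import added exactly the expected key and dropped none."""
    old, new = parse_secret_keys(before), parse_secret_keys(after)
    return set(new) - set(old) == {expected_key_id.upper()} and set(old) <= set(new)

def list_secret_keys(homedir):
    """Run the listing command from the steps above for one keyring directory."""
    cmd = ["gpg", f"--homedir={homedir}", "--list-secret-keys"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Sample listings copied from the example outputs in this article.
BEFORE = """C:/target/secring.gpg
---------------------
sec 2048R/5D629E05 2021-01-17
uid target <target@target.com>
ssb 2048R/18A00B85 2021-01-17
"""
AFTER = BEFORE + """sec 2048R/BBB29842 2021-01-17
uid source <souce@source.com>
ssb 2048R/64FACE2B 2021-01-17
"""

if __name__ == "__main__":
    print(parse_secret_keys(AFTER))
    print("import verified:", verify_import(BEFORE, AFTER, "BBB29842"))
```

On a real keyring, capture list_secret_keys("C:/target") before and after the import command and pass both listings to verify_import.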
Change Secret Key Password
In the following, we assume that you have a secret keyring with the name secring.gpg in the folder C:/target and that you want to change the password of a secret key in this keyring.
We use the tool GNU Privacy Assistant which provides a UI.
Prerequisites:
Now execute the following steps:
- Execute run_gpa.bat in the folder C:/target. You will get the following UI:
- Select the private key for which you want to change the password and right-click it. From the menu, choose the option "Edit Private Key...". The following pop-up appears:
- Now, select "Change passphrase" and follow the instructions.
After you have adapted the passwords of the secret keys, you can upload the secring.gpg file to your Cloud Integration tenant.