PGP Encryption: How does it work?
Asymmetric encryption uses two different keys to encrypt and decrypt each file, then two more keys to sign and verify each file. Both parties – sender and recipient – need to exchange their public keys before any transfer can take place. The sender encrypts the file using the recipient’s public key. The recipient decrypts the file using their private key. For integrity checking – to make sure the content hasn’t been tampered with – the sender uses their private key to ‘sign’ the encrypted file. For authentication – to check the sender is the sender you think it is – the recipient uses the sender’s public key to verify/validate the sender. PGP Clients will manage the encryption/decryption automaticallyand are often implemented in FTP servers or as email client add-ons to secure the communication. The exchange of the public keys, however, will always be a manual process. Any security is only as strong as its weakest point. Security-conscious organisations will usually physically exchange keys via a courier service, and set keys to expire (this is a bit like a password which expires and needs to be reset by the security team). But – as you will have gathered – the process of exchanging keys is time consuming.Most applications provide advance notice about expiring keys, so administrators can plan for the exchange to take place in advance. Some applications allow you to create sub-keys with pre-configured expiry dates, so that you can plan ahead and have several years of automatic key replacement, avoiding potential outages. We know of some Managed File Transfer solutions that manage this process very effectively. PGP provides encryption at rest or can be used to protect a file at a particular stagein an otherwise non-encrypted workflow. Let’s look at a recent example we discussed with a customer who had a PGP requirement for an accounts process. They needed to put files into a specific folder, where they would be PGP encrypted, then moved to another folder to be collected by the bank. This would by-pass a charge that the bank would otherwise make for the processes. This requirement was driven by the fact that the bank used PGP, and the businesses needed to comply in order to save money. There’s been some publicity in recent years about Open PGP and hacking fears. In summary, malicious attackers can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy to use by some software. However, please be reassured this has no negative impact on your managed file transfer solution at all. When creating a transaction to move files between an MFT customer and an external customer, partner, supplier, or vendor it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. So since those public keys are not put onto a public Key Server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.PGP and your file transfer solution
When to use PGP
The advantages of PGP
Disadvantages
PGP hacking fears
If you need to know more about secure file transfer protocols, encryption, or any other aspects of working with a Managed File Transfer (MFT) solution, take the Certified File Transfer Professional (CFTP). It is the only vendor-independent file transfer certification, equipping you with the knowledge you need to implement secure file transfer in your organisation. Alternatively, if you are investigating which solutions have PGP capabilities, opt for our free MFT Comparison Service. Answer a series of questions about your requirements and our experts will recommend the best solution.Next steps
