Using GNU Privacy Guard and OpenPGP to Automatically Decrypt SFTP Files
Datica Alumni — Former Healthcare Integration Engineer
Why is encryption important?
HIPAA compliance has requirements for the transfer and storage of Protected Health Information (PHI). Standard SSH file transfer can securely transfer data onto the Datica Platform. However, the files need to be encrypted at rest on the SSH sender’s storage volume before being doubly encrypted/decrypted during the SSH transfer.
While you can manage part of your encryption for transfer yourself, you still need to have a method for encrypting storage volumes, containers, and the data transferred between those services. Datica’s platform meets those requirements for everything, once the data makes it onto the platform (HITRUST-audited policy 17.9).
What is GnuPG and OpenPGP?
The GNU Privacy Guard (GnuPG) is a free implementation of the OpenPGP standard (also known as RFC 4880, as defined by the Internet Engineering Task Force).
OpenPGP is the most widely used email encryption standard. It is available on all major platforms, including MacOS, Windows, GNU, Linux, Android, and iOS. OpenPGP is the way to go when you need a free and open source tool to encrypt files, especially across multiple different platforms.
GPG Keychain Clients and CLI
The keychain client I use is GPG Suite 2017.1. This is a simple tool for managing keys for different projects. You can import another party’s public key, a private key you created elsewhere, or generate new public and private key pairs within the client. After installing a keychain client, you will also need to make sure you have installed the GNU core utilities.
- Using the GPG command line interface to generate a brand new key: $ gpg –gen-key
- Importing an existing GPG key:
$ gpg --import gpg/<keyfile>.asc - GPG keys will have two parts if you generate them yourself — public and private. If you’re importing one provided by another party, you will likely only have the public half of the key.
-----BEGIN PGP PUBLIC KEY BLOCK----- ... ... ... -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PRIVATE KEY BLOCK----- ... ... ... ----END PGP PRIVATE KEY BLOCK-----
Using a key to encrypt and decrypt files
- Encrypting an existing file with your GPG key:
$ gpg --encrypt -r <recipient or ID for public key> <filename> - Decrypting an existing (already encrypted file):
$ gpg --decrypt <filename> - You can also lock down your key to require a password for use, specify an output file for the decrypted contents, and flag to skip prompting the user for those values:
gpg --passphrase-file <fileContaingPassword> --output <fileToWriteOutput> --no-use-agent --decrypt <fileToBeDecrypted>
Automation
Example situation: you have an SFTP endpoint where another party will be dropping encrypted files. You provide them with the public half of your GPG with which to encrypt files, and then you set up your private key alongside your SFTP receiver to decrypt the files later on. You won’t want to do this manually, so just set up a scheduled task to handle this for you.
- Drop location for inbound, encrypted file:
/foo/inbox/file.gpg - Adding your GPG key file password (optional):
/foo/gpg/password.txt - Drop location for decrypted file:
/foo/outbox/decryptedfile - Drop location for already processed inbox file:
/foo/recycling/file.gpg - Build a script to pick up the encrypted file and use the GPG key and password to decrypt the file again.
#!/bin/bash
cd /foo/inbox
for FILE in ./*.gpg; do
echo "Original file: $FILE"
echo "Decrypted file: ${FILE%.gpg}"
gpg --passphrase-file ../gpg/password.txt --output "${FILE%.gpg}" --no-use-agent --decrypt "$FILE"
mv --backup=numbered "$FILE" "../recycling"
mv --backup=numbered "${FILE%.gpg}" "../outbox/"
done
Then, all that’s left is to set up a Cron schedule for this script to run periodically.
