The OpenPGP Connector supports encryption, decryption, signing, and verification according to the OpenPGP standard.
OpenPGP Connectors are the primary way that ArcESB supports protecting data within a flow. OpenPGP Connectors operating in Encode mode can encrypt and/or sign files, and OpenPGP Connectors operating in Decode mode can decrypt files and/or verify signatures. Encryption and signature verification require a public OpenPGP key, and decryption and signing require a private OpenPGP key. These keys must be imported into OpenPGP keyring files (.gpg) before use with the application.
This section contains all of the configurable connector properties.
Settings related to the core operation of the connector.
- Operation Whether the connector is encoding or decoding incoming files. Encoding includes encrypting and signing data, and decoding includes decrypting data and verifying signatures. The available settings of the connector will change depending on this setting.
Settings related to creating an OpenPGP message. Only available when encoding.
- Message Security Whether the connector should create an encrypted message, a signed message, or both a signed and encrypted message.
- Compression Whether the connector should compress the message before encrypting and/or signing it.
- Encryption Algorithm The symmetric algorithm to use when encrypting.
- Signature Algorithm The hash algorithm to use when signing.
- Compression Method The compression algorithm to use when compressing.
Settings related to the OpenPGP keys used by the connector. Encryption and Signing only available when encoding, Verification and Decryption only available when decoding.
- Home Directory The directory where the OpenPGP keyrings are stored.
- Encryption Key The UserId identifying the public key within a public keyring to use when encrypting. Import a public keyring file to view the available UserId’s.
- Signing Key The UserId identifying the private key within the secret keyring to use when signing. Import a secret keyring file to view the available UserId’s.
- Verification Key The UserId identifying the public key within the public keyring to use when verifying signatures. Import a public keyring file to view the available UserId’s.
- Decryption Key The UserId identifying the private key within the secret keyring to use when verifying signatures. Import a secret keyring file to view the available UserId’s.
- Passphrase When Encoding: the passphrase for the selected private signing key. When Decoding: the passphrase for the selected private decryption key.
Settings related to the automatic processing of files by the connector.
- Send Whether messages arriving at the connector will automatically be processed.
Settings that determine the folder on disk that files will be processed from, and where they will be placed after processing.
- Input Folder (Send) The connector can process files placed in this folder. If Send Automation is enabled, the connector will automatically poll this location for files to process.
- Output Folder (Receive) After the connector finishes processing a file, the result will be placed in this folder. If the connector is connected to another connector in the flow, files will not remain here and will instead be passed along to the Input/Send folder for the connected connector.
- Processed Folder (Sent) After processing a file, the connector will place a copy of the processed file in this folder if Save to Sent Folder is enabled. This copy of the file will not be passed along to the next connector in the flow.
Settings related to the allocation of resources to the connector.
- Max Workers The maximum number of worker threads that will be consumed from the threadpool to process files on this connector. If set, overrides the default setting from the Profile tab.
- Max Files The maximum number of files that will be processed by the connector each time worker threads are assigned to the connector. If set, overrides the default setting from the Profile tab.
Settings not included in the previous categories.
- ASCII Armor Whether ASCII-encoding should be applied to OpenPGP messages generated by the connector.
- Clear Signature Whether the OpenPGP signature should appear in clear text. Not applicable when encrypting messages.
- Send Filter A glob pattern filter that determines which files in the Send directory should be processed by the connector. Patterns will exclude matching files if the pattern is preceded by a minus sign:
Multiple patterns can be specified, comma-delimited, with later filters taking priority.
- Local File Scheme A filemask that determines how local files processed by the connector are named.
- Parent Connector If set to a connector of the same type, this connector will inherit all settings from the Parent Connector unless directly overridden in the existing connector configuration.
- Log Messages Whether the log entry for a processed file will include a copy of the file itself.
- Save to Sent Folder Whether files processed by the connector should be copied to the Sent folder for the connector.
When encoding files, each of the settings under Message Settings should be configured; these determine how the file will be encoded.
The Home Directory setting must be set to the directory containing the appropriate OpenPGP keyring file(s). If encryption is required, this directory must contain a public keyring file with the public encryption key. If signing is required, this directory must contain a secret keyring file with the private signing key. To select the particular key in a keyring, Import the keyring file and then use the dropdown menu to select the appropriate UserId. To sign with a private key, the Passphrase setting must also be set with the passphrase required to access the private key.
The ASCII Armor advanced option can be enabled to ASCII-encode encrypted data so that it remains readable. The Clear Signature advanced option can be enabled if the signature should appear in clear text (note that this is not possible when encrypting the file).
Once these options are set, files sent to the input directory of the OpenPGP Connector will automatically be encoded according to the above settings.>
When decoding files, the connector will automatically attempt to determine what encryption and/or signature algorithms were applied, so it is not necessary to configure the connector for particular algorithms.
The Home Directory setting must be set to the directory containing the appropriate OpenPGP keyring file(s). If decryption is required, this directory must contain a secret keyring file with the private decryption key (the private key that corresponds to the public key that was used to encrypt). If signature verification is required, this directory must contain a public keyring file with the public verification key (the public key that corresponds to the private key used to sign). To select the particular key in a keyring, Import the keyring file and then use the dropdown menu to select the appropriate UserId. To decrypt with a private key, the Passphrase setting must also be set with the passphrase required to access the private key.
Once these options are set, files sent to the input directory of the OpenPGP Connector will automatically be decoded: if it was encrypted it will be decrypted, and if it was signed the signature will be verified.
To create a key:
- Select Import/Export -> Create Key to begin creating a new OpenPGP key pair
- If the connector is in Encode mode, this can be found next to Signing Key
- If the connector is in Decode mode, this can be found next to Decryption Key
Enter the following information:
- User Id: Select at least FirstName or Email to create a key. The User Id for the key consists of the First Name, Last Name, and Email options in the key creation wizard.
- Passphrase: Enter a passphrase to protect the private key. The passphrase is used in the decrypt, encrypt, and sign operations.
- Key Encryption Algorithm and Key Signature Algorithm: Select the encryption algorithm that corresponds to the desired strength of your encryption. Select the signature algorithm that corresponds to the desired length of the hash of the message.
- Click Create Key. Keys are created in the Home Directory set in the Settings page for this connector.