Technology Blogs by SAP
MarcoFreischlag
Advisor

Introduction


SAP Cloud Integration PGP Keys Monitor enables you to manage PGP keyrings (secring, pubring).

  • The 3rd increment, which is available with the 2023 April software update (Neo 5.46.x, CF 6.38.x), adds single key operations to the PGP Monitor (upload, delete, download).

  • The 2nd increment, which is made available with the 2023 January update (Neo 5.43.x, CF 6.35.x), enhances the PGP Monitor with the capability to display the key details.

  • The first version of the PGP Keys Monitor was made available with the 2022 April update (Neo 5.35.x, CF 6.27.x).


With previous SAP Cloud Integration releases, the PGP Secret Keyring and PGP Public Keyring were managed in the Cloud Integration Monitor section under Manage Security using the Security Material tile. Here, you had the option to upload, download, and delete secret and public keyrings.
SAP Cloud Integration manages only a single secret and a single public keyring which include the corresponding secret and public keys.

PGP Public Keyring (pubring): This artifact contains the public keys that enable the tenant to encrypt or verify messages using the Pretty Good Privacy (PGP) standard.

PGP Secret Keyring (secring): This artifact contains the PGP secret keys (also referred to as private keys) used for OpenPGP. The private key enables the tenant to decrypt or sign messages.

Please see SAP Help - How OpenPGP Works.

PGP Keys Monitor


Now, a new PGP Keys Monitor is available on your SAP Cloud Integration tenant. To access it, go to the Monitor section and under Manage Security select the PGP Keys tile:



Overview PGP Keys


The PGP Keys monitor allows you to manage the public and private PGP keys.



A list of public and secret PGP keys is displayed in a table. For each artifact, the following attributes are displayed:

  • User ID: States the User ID of this PGP key.
  • Type: Indicates whether the entry is a public PGP or a secret PGP key.
  • Key ID: States the key ID.
  • Validity State: Indicates the validity state. The following states are possible:
    • Valid: The PGP key is valid.
    • Critical: The PGP key expires within the next 14 days.
    • Expired: The PGP key is no longer valid.
  • Valid Until: Indicates the expiration date.
  • Modified On: Indicates the date and time the entry was last modified.


PGP Keys Monitor: Actions



The current scope of the PGP Keys Monitor comprises the following features:

  • Uploading secret and public keyrings (single key and multiple keys)
  • Downloading secret and public keyrings (single key and entire keyring)
  • Deleting secret and public keys (single key)




Add


To upload public or secret keys, choose one of the following options:

  • Add --> Public Keys

  • Add --> Secret Keys



In previous versions, uploading a new secret or public keyring file always replaced the entire existing keyring. This behaviour has been improved: users can now decide which upload option to use.

Adding Secret, Public Keys

The selected keyring file can contain one or several PGP secret or public keys, depending on the chosen action, but a single file can contain only public keys or only secret keys.

The keys must be in one of the following formats:

  • Binary format (typical file extension: .gpg)

  • ASCII armored format (typical file extension: .asc)


The following upload options are available:

  • Add: Adds the entries from the uploaded keyring. These are merged with the existing keys.
    When you select the option Overwrite Existing Keys, existing entries are overwritten by uploaded entries with the same KeyId value.
    Note: A PGP key is considered identical to another one if the hexadecimal KeyId value of both keys matches. Note that there can be several distinct PGP keys with the same UserId.
  • Replace: Replaces the existing keyring, including all of its keys, with the uploaded one (same behaviour as in previous versions). You need to confirm the replacement of the existing keys.
    WARNING: You will replace the entire keyring when adding a new one. Make sure that you keep your external backup.



After a successful upload, a dialog is displayed showing the summary of the added, removed, changed, and not imported keys, if there are any. If any keys were not uploaded, information is provided to explain why (for example, the key with the same key id already exists). The keys in the table refresh automatically. You can also manually refresh the list by clicking the refresh button.
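As an added example (not part of the original post and not SAP Cloud Integration's own code), the following Python models the Add option's merge-by-KeyId semantics, with and without Overwrite Existing Keys, together with the Validity State classification from the overview table. The PgpKey class, the add_keys and validity_state functions and the sample key data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class PgpKey:
    key_id: str        # hexadecimal Key ID; the monitor treats it as the key's identity
    user_id: str       # several distinct keys may share the same User ID
    valid_until: date  # expiration date shown in the "Valid Until" column

def validity_state(key: PgpKey, today: date) -> str:
    """Validity State column: Expired, Critical (expires within 14 days) or Valid."""
    if key.valid_until < today:
        return "Expired"
    if key.valid_until <= today + timedelta(days=14):
        return "Critical"
    return "Valid"

def add_keys(keyring, uploaded, overwrite_existing=False):
    """Model of the Add upload option: merge uploaded keys into the keyring by Key ID.
    Returns the merged keyring and the summary the upload dialog reports."""
    merged = {k.key_id.upper(): k for k in keyring}   # Key IDs compare case-insensitively
    summary = {"added": [], "changed": [], "not_imported": []}
    for k in uploaded:
        kid = k.key_id.upper()
        if kid not in merged:
            merged[kid] = k
            summary["added"].append(kid)
        elif overwrite_existing:
            merged[kid] = k
            summary["changed"].append(kid)
        else:
            summary["not_imported"].append((kid, "key with the same key id already exists"))
    return list(merged.values()), summary

# Constructed sample data: one existing key, and an upload carrying a renewed copy of
# that key (same Key ID, later expiry) plus a second, distinct key for the same User ID.
EXISTING = [PgpKey("0A1B2C3D4E5F6071", "alice@example.com", date(2023, 5, 1))]
UPLOAD = [
    PgpKey("0a1b2c3d4e5f6071", "alice@example.com", date(2025, 5, 1)),  # renewed expiry
    PgpKey("F1E2D3C4B5A69788", "alice@example.com", date(2025, 5, 1)),  # new key, same User ID
]

def demo(today=date(2023, 4, 20)):
    """Runs both Add variants and classifies each resulting keyring as the monitor would."""
    plain_ring, plain_summary = add_keys(EXISTING, UPLOAD)
    over_ring, over_summary = add_keys(EXISTING, UPLOAD, overwrite_existing=True)
    states = lambda ring: {k.key_id.upper(): validity_state(k, today) for k in ring}
    return plain_summary, states(plain_ring), over_summary, states(over_ring)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Without Overwrite Existing Keys the renewed copy is reported as not imported and the old key stays Critical; with it, the key is reported as changed and becomes Valid.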


Download


To download public or secret keys, choose one of the following options:

  • Download --> Public Keys

  • Download --> Secret Keys


This option will download the entire secret or public keyring.


To download a specific single key, choose the download icon.


If both a secret and a public key exist for a Key ID, you must choose which one to download. When downloading the secret key, a passphrase is required to encrypt the key.


Delete


Single keys can be deleted from the overview; this functionality has been moved here from the Manage Security Material tile.



The following table provides more information on these actions:

  • Add public or secret keys: To add a public or secret keyring, select Add --> Public Keys or Add --> Secret Keys. When adding a secret keyring, you need to specify the key passphrase.
  • Download: To download an artifact, select the artifact in the table and choose Download --> Public Keys or Download --> Secret Keys.
  • Download a single key: To download a dedicated key as a file, click the download button at the end of the row of the key. When downloading a secret key, you need to specify the key passphrase twice.
  • Delete: To delete a dedicated key, click the delete button at the end of the row of the key.



PGP Keys Monitor: Key Details


You can view the key details by clicking on the corresponding key.


The Key Details tab shows the following attributes for the selected key. The actions for downloading and deleting the selected key are also available in the key details.


  • Fingerprint: Character sequence that identifies the public key. A fingerprint is generated by applying a hash function to the public key.
  • User IDs: User IDs associated with the key. In the context of PGP, a user ID indicates the entity that uses the key to perform a dedicated action on the message content. The user ID can be a name, an email address, or a combination of both. Examples:
    • A user ID associated with a public PGP key indicates the entity that receives the message encrypted with the public key.
    • A user ID associated with a secret PGP key indicates the entity that sends the encrypted message that is to be decrypted using the secret key.
  • PGP Keys: This section shows a set of attributes for the key and (if defined) its subkeys. The following attributes are displayed:
    • ID: Key ID that uniquely identifies the key or subkey
    • Type: Indicates if this is a public or a secret key
    • Strength: The length of the key in bits
    • Usage (Key Flags): Shows for which activity the key is used, for example, for message encryption
    • Valid From, Valid Until: Indicate the start and the expiration date of the key's validity period
    • Modified On: Indicates the date and time the key was last modified


Authorizations


To protect the use of the PGP Keys monitor, the following roles are available:

  • Add PGP keyring artifacts
    • Role (Neo): NodeManager.deploysecuritycontent, NodeManager.deploycontent
    • Role-Template (Cloud Foundry): SecurityMaterialEdit
  • Undeploy PGP keyring artifacts
    • Role (Neo): NodeManager.deploycontent, NodeManager.deploysecuritycontent
    • Role-Template (Cloud Foundry): SecurityMaterialEdit
  • Download PGP keyring artifacts
    • Role (Neo): NodeManager.read, NodeManager.readsecuritycontent
    • Role-Template (Cloud Foundry): SecurityMaterialDownload
  • Display PGP keyring artifacts
    • Role (Neo): NodeManager.read
    • Role-Template (Cloud Foundry): MonitoringDataRead


Planned Iterations: PGP Key Monitor



  1. Upload/Download PGP Keyrings: Operation on entire keyrings (Available: April 2022, Neo 5.35.x, CF 6.27.x)

  2. Display Key details: Display secret, public key details (Available: January 2023, Neo 5.43.x, CF 6.35.x)

  3. Single Key Operations: Add, download, and delete single secret or public keys. With the availability of the single key operations, the secret and public key display and delete functionality in Manage Security Material is retired (Available: April 2023, Neo 5.46.x, CF 6.38.x)


Further Information


SAP Help: Managing PGP Keys
SAP Help: How OpenPGP Works
SAP Blog: Cloud Integration – Import and Export PGP Secret Key – Change PGP Secret Key Password