CompleteFTP supports PGP (Pretty Good Privacy) encryption and decryption of files and strings. This is commonly used in MFT workflows where trading partners exchange PGP-encrypted files via FTP or SFTP.
Important: PGP keys stored on folders are not applied automatically. To encrypt or decrypt files, you must write a JSS process trigger that calls the PGP functions. This gives you full control over when and how encryption is applied.
PGP keys are stored as properties on folders. You can set them via the Manager GUI or the command-line interface.
.asc, .gpg, or .pgp format).
PGP keys can also be set using the folder set command. The key must be provided as an armored
ASCII string with \n representing newlines:
completeftp folder set /MyFolder "PGPPublicKey=-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n...\n-----END PGP PUBLIC KEY BLOCK-----" completeftp folder set /MyFolder "PGPPrivateKey=-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n...\n-----END PGP PRIVATE KEY BLOCK-----"
When the pgp.encryptFile() or pgp.decryptFile() functions are called without an explicit key,
they search up the folder hierarchy from the file's location to find the nearest folder with a PGP key set.
This means you can set keys on a parent folder and all files within it and its subfolders will use those keys automatically.
A common use case is to automatically decrypt PGP-encrypted files when they are uploaded. To do this, create a JSS process trigger on the UploadFile event:
var path = event.filePath;
if (path.indexOf('.pgp', path.length - 4) !== -1) {
var outPath = path.substring(0, path.length - 4);
pgp.decryptFile(path, outPath);
}
This script checks if the uploaded file has a .pgp extension and, if so, decrypts it using the
private key found on the folder hierarchy. The decrypted file is written alongside the original with the
.pgp extension removed.
Similarly, you can encrypt files on upload. Set the PGP public key on the folder and use a trigger like:
var path = event.filePath;
if (path.indexOf('.pgp', path.length - 4) === -1) {
pgp.encryptFile(path, path + '.pgp');
}
The following methods are available on the global pgp object in JSS scripts:
| Method | Description |
|---|---|
pgp.encrypt(plaintext, publicKey) |
Encrypts a string. Returns an armored PGP message string. |
pgp.decrypt(ciphertext, privateKey, passphrase) |
Decrypts an armored PGP message string. Returns the plaintext. |
pgp.isEncrypted(file) |
Returns true if the file appears to be PGP-encrypted (detects both binary and ASCII-armored formats).
file can be a path string or a File object. |
pgp.encryptFile(inputFile, outputFile) |
Encrypts a file using the PGP public key found on the nearest ancestor folder.
If outputFile equals inputFile, the file is encrypted in place. |
pgp.decryptFile(inputFile, outputFile) |
Decrypts a file using the PGP private key found on the nearest ancestor folder.
If outputFile equals inputFile, the file is decrypted in place. |
pgp.encryptFileWithKey(inputFile, outputFile, publicKey) |
Encrypts a file using an explicitly provided armored public key string. |
pgp.decryptFileWithKey(inputFile, outputFile, privateKey, passphrase) |
Decrypts a file using an explicitly provided armored private key string and passphrase. |
PGP encryption is different from Encryption At Rest (EAR):