How to use PGP encryption (Enterprise edition)

CompleteFTP supports PGP (Pretty Good Privacy) encryption and decryption of files and strings. This is commonly used in MFT workflows where trading partners exchange PGP-encrypted files via FTP or SFTP.

Important: PGP keys stored on folders are not applied automatically. To encrypt or decrypt files, you must write a JSS process trigger that calls the PGP functions. This gives you full control over when and how encryption is applied.

Setting up PGP keys on a folder

PGP keys are stored as properties on folders. You can set them via the Manager GUI or the command-line interface.

Using the Manager

  1. Select the folder in the folder tree.
  2. In the folder properties panel, expand the PGP Keys category.
  3. Click the ellipsis button (...) next to Public Key or Private Key.
  4. Select a PGP key file (commonly .asc, .gpg, or .pgp format).
  5. The key will be validated and imported. The cell will display the key's user ID and algorithm.
  6. To remove a key, click the delete button (X).

Using the command-line interface

PGP keys can also be set using the folder set command. The key must be provided as an armored ASCII string with \n representing newlines:

completeftp folder set /MyFolder "PGPPublicKey=-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n...\n-----END PGP PUBLIC KEY BLOCK-----"
completeftp folder set /MyFolder "PGPPrivateKey=-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n...\n-----END PGP PRIVATE KEY BLOCK-----"

Key inheritance

When the pgp.encryptFile() or pgp.decryptFile() functions are called without an explicit key, they search up the folder hierarchy from the file's location to find the nearest folder with a PGP key set. This means you can set keys on a parent folder and all files within it and its subfolders will use those keys automatically.

Automatic decryption on upload

A common use case is to automatically decrypt PGP-encrypted files when they are uploaded. To do this, create a JSS process trigger on the UploadFile event:

  1. Set the PGP private key on the upload folder (or a parent folder).
  2. Add a process trigger with the following settings:
  3. Use the following trigger script:
var path = event.filePath;
if (path.indexOf('.pgp', path.length - 4) !== -1) {
    var outPath = path.substring(0, path.length - 4);
    pgp.decryptFile(path, outPath);
}

This script checks if the uploaded file has a .pgp extension and, if so, decrypts it using the private key found on the folder hierarchy. The decrypted file is written alongside the original with the .pgp extension removed.

Automatic encryption on upload

Similarly, you can encrypt files on upload. Set the PGP public key on the folder and use a trigger like:

var path = event.filePath;
if (path.indexOf('.pgp', path.length - 4) === -1) {
    pgp.encryptFile(path, path + '.pgp');
}

JSS PGP API reference

The following methods are available on the global pgp object in JSS scripts:

Method Description
pgp.encrypt(plaintext, publicKey) Encrypts a string. Returns an armored PGP message string.
pgp.decrypt(ciphertext, privateKey, passphrase) Decrypts an armored PGP message string. Returns the plaintext.
pgp.isEncrypted(file) Returns true if the file appears to be PGP-encrypted (detects both binary and ASCII-armored formats). file can be a path string or a File object.
pgp.encryptFile(inputFile, outputFile) Encrypts a file using the PGP public key found on the nearest ancestor folder. If outputFile equals inputFile, the file is encrypted in place.
pgp.decryptFile(inputFile, outputFile) Decrypts a file using the PGP private key found on the nearest ancestor folder. If outputFile equals inputFile, the file is decrypted in place.
pgp.encryptFileWithKey(inputFile, outputFile, publicKey) Encrypts a file using an explicitly provided armored public key string.
pgp.decryptFileWithKey(inputFile, outputFile, privateKey, passphrase) Decrypts a file using an explicitly provided armored private key string and passphrase.

Differences from Encryption At Rest

PGP encryption is different from Encryption At Rest (EAR):