06 May 2021 Blog: Using PGP Encryption To Protect Your Data
In my career as an IT Architect, I have often designed solutions to set up a communication channel with partner companies to exchange confidential information. Only providing a secure transport path does not seem to cut it.
by Leo Bink
In a previous blog entry, written by Jan Schoonderbeek, managed file transfer was highlighted as a solution for exchanging file-based data between organisations or between applications within an organisation. These tools can typically handle all sorts of protocols, modern and legacy, and provide authentication to help ensure integrity. A managed file transfer solution is often chosen to complement an MQ or ESB.
Transporting files between systems can be done in a secure manner, and the integrity of the file can be guaranteed during transport if the proper transport mechanism is chosen. End-to-end integrity, and ensuring that your file can only be read by the intended recipient, is another matter.
Imagine your company requires you to be relocated to another country for a couple of years. Your employer has contracted a relocation service that will arrange housing, a work permit, visas for you and your family, a local driving license etc. To be able to fulfil their service, the relocation service needs a copy of your passport, birth and marriage certificates etc. Simply emailing these documents means that a copy of your documents would most probably exist in your mail account (sent items, synced to all your devices), in the mailbox of your relocation agent, and on lots of other systems that the email passes through. Uploading your file through a portal also does not guarantee that your data is only read by the intended recipient.
How can we ensure that the file I send can only be read by the intended recipient? By encrypting it – I hear you say. Yes indeed, but how do I then safely exchange the “key”?
Well, an answer to that question is: Use PGP. PGP stands for Pretty Good Privacy and was developed in 1991 by Phil Zimmermann. PGP is widely used in the industry to sign, encrypt and decrypt data.
For PGP to work, the intended recipient must have a key pair (a private and public key). The recipient provides you with the public key. With this public key and a random key, you encrypt the data (I intentionally simplify matters here). You then send the file to the intended recipient. The file can only be decrypted if the recipient has the other half of the key pair, the private key.
If you use PGP, you don’t need to worry too much about where your file is stored, how it is transported etc. The information can only be read by someone who can produce the private key. You can now rest assured that the copy of your passport cannot be read by anyone other than the intended recipient.
Another feature of PGP is signing. This adds to the trust of the document you are sending. The recipient can verify that it is you that has signed the document.
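The encryption and signing steps simplified above, as an added example that is not part of the original post or of GoAnywhere MFT: a random session key encrypts the file, the recipient's public key encrypts only that session key, and the sender's private key signs the content. It uses Node.js's built-in crypto module (RSA-OAEP, AES-256-GCM) to show the principle and does not produce OpenPGP-format messages; all function names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed key pairs for illustration; each party generates its own once.
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

function encryptFor(recipientPublicKey, senderPrivateKey, plaintext) {
  // 1. A random one-time session key encrypts the bulk data.
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  // 2. Only the session key is encrypted with the recipient's public key.
  const wrappedKey = crypto.publicEncrypt(oaep(recipientPublicKey), sessionKey);
  // 3. The sender signs the content with their own private key.
  const signature = crypto.sign('sha256', plaintext, senderPrivateKey);
  return { wrappedKey, iv, ciphertext, tag, signature };
}

function decryptAndVerify(recipientPrivateKey, senderPublicKey, msg) {
  // Recovering the session key requires the recipient's private key.
  const sessionKey = crypto.privateDecrypt(oaep(recipientPrivateKey), msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the ciphertext was modified in storage or transit.
  const plaintext = Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
  // The signature check uses the sender's public key.
  const signedBySender = crypto.verify('sha256', plaintext, senderPublicKey, msg.signature);
  return { plaintext, signedBySender };
}

// Returns true when the message cannot be opened with the given private key.
function cannotDecrypt(privateKey, senderPublicKey, msg) {
  try {
    decryptAndVerify(privateKey, senderPublicKey, msg);
    return false;
  } catch (err) {
    return true;
  }
}
```

Anyone holding the message but not the recipient's private key, such as a mail server or portal along the way, gets an error from `decryptAndVerify` rather than the file contents.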
GoAnywhere MFT provides a PGP solution based on OpenPGP to encrypt, decrypt, sign and verify files. You can now automate all these tasks in your workflow to exchange files with your business partners, or easily create a secure upload portal for use cases as described above.