The OpenPGP Connector supports encryption, decryption, signing, and verification according to the OpenPGP standard.
OpenPGP Connectors are the primary way that ArcESB supports protecting data within a flow. OpenPGP Connectors operating in Encode mode can encrypt and/or sign files, and OpenPGP Connectors operating in Decode mode can decrypt files and/or verify signatures. Encryption and signature verification require a public OpenPGP key, and decryption and signing require a private OpenPGP key. These keys must be imported into OpenPGP keyring files (.gpg) before use with the application.
This section contains all of the configurable connector properties.
Settings related to the core operation of the connector.
- Connector Id The static name of the connector. All connector-specific files are held in a folder by the same name within the Data Directory.
- Connector Description An optional field to provide free-form description of the connector and its role in the flow.
- Operation Whether the connector is encoding or decoding incoming files. Encoding includes encrypting and signing data, and decoding includes decrypting data and verifying signatures. The available settings of the connector will change depending on this setting.
Settings related to creating an OpenPGP message. Only available when encoding.
- Message Security Whether the connector should create an encrypted message, a signed message, or both a signed and encrypted message.
- Compression Whether the connector should compress the message before encrypting and/or signing it.
- Encryption Algorithm The symmetric algorithm to use when encrypting.
- Signature Algorithm The hash algorithm to use when signing.
- Compression Method The compression algorithm to use when compressing.
Settings related to the OpenPGP keys used by the connector. Encryption Key and Signing Key are only available when encoding; Verification Key and Decryption Key are only available when decoding.
- Encryption Key The UserId identifying the public key within the public keyring to use when encrypting. Import a public keyring file to view the available UserIds.
- Signing Key The UserId identifying the private key within the secret keyring to use when signing. Import a secret keyring file to view the available UserIds.
- Verification Key The UserId identifying the public key within the public keyring to use when verifying signatures. Import a public keyring file to view the available UserIds.
- Decryption Key The UserId identifying the private key within the secret keyring to use when decrypting. Import a secret keyring file to view the available UserIds.
- Passphrase When Encoding: the passphrase for the selected private signing key. When Decoding: the passphrase for the selected private decryption key.
Settings related to the automatic processing of files by the connector.
- Send Whether messages arriving at the connector will automatically be processed.
Settings related to the allocation of resources to the connector.
- Max Workers The maximum number of worker threads that will be consumed from the threadpool to process files on this connector. If set, overrides the default setting from the Profile tab.
- Max Files The maximum number of files that will be processed by the connector each time worker threads are assigned to the connector. If set, overrides the default setting from the Profile tab.
Settings that determine the folder on disk that files will be processed from, and where they will be placed after processing.
- Input Folder (Send) The connector can process files placed in this folder. If Send Automation is enabled, the connector will automatically poll this location for files to process.
- Output Folder (Receive) After the connector finishes processing a file, the result will be placed in this folder. If the connector is connected to another connector in the flow, files will not remain here and will instead be passed along to the Input/Send folder for the connected connector.
- Processed Folder (Sent) After processing a file, the connector will place a copy of the processed file in this folder if Save to Sent Folder is enabled. This copy of the file will not be passed along to the next connector in the flow.
Settings not included in the previous categories.
- ASCII Armor Whether ASCII-encoding should be applied to OpenPGP messages generated by the connector.
- Clear Signature Whether the OpenPGP signature should appear in clear text. Not applicable when encrypting messages.
- Send Filter A glob pattern filter that determines which files in the Send directory should be processed by the connector. A pattern preceded by a minus sign excludes the files it matches. Multiple patterns can be specified, comma-delimited, with later filters taking priority.
- Local File Scheme A filemask for determining local file names as they are downloaded by the connector. The following macros may be used to reference contextual information: %ConnectorId%, %Filename%, %FilenameNoExt%, %Ext%, %ShortDate%, %LongDate%, %RegexFilename:%, %DateFormat:%. As an example: %FilenameNoExt%_%ShortDate%%Ext%
- Parent Connector If set to a connector of the same type, this connector will inherit all settings from the Parent Connector unless directly overridden in the existing connector configuration.
- Log Subfolder Scheme Instructs the connector to group files in the Logs folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all logs for the week in that folder. The blank setting tells the connector to save all logs directly in the Logs folder. For connectors that process many transactions, using subfolders can help keep logs organized and improve performance.
- Log Messages Whether the log entry for a processed file will include a copy of the file itself.
- Save to Sent Folder Whether files processed by the connector should be copied to the Sent folder for the connector.
Settings for specific use cases.
- Other Settings Allows configuration of hidden connector settings in a semicolon-separated list, like setting1=value1;setting2=value2. Normal connector use cases and functionality should not require use of these settings.
When encoding files, each of the settings under Message Settings should be configured; these determine how the file will be encoded. If encryption is required, Encryption Key must be specified with a public encryption key. If signing is required, Signing Key must be specified with a private signing key. To select the particular key in a keyring, import the keyring file and then use the dropdown menu to select the appropriate UserId. To sign with a private key, the Passphrase setting must also be set with the passphrase required to access the private key.
The ASCII Armor advanced option can be enabled to ASCII-encode encrypted data so that it remains readable as text. The Clear Signature advanced option can be enabled if the signature should appear in clear text (note that this is not possible when encrypting the file).
Once these options are set, files sent to the input directory of the OpenPGP Connector will automatically be encoded according to the above settings.
When decoding files, the connector will automatically attempt to determine what encryption and/or signature algorithms were applied, so it is not necessary to configure the connector for particular algorithms.
If decryption is required, Decryption Key must be specified with the private decryption key (the private key that corresponds to the public key that was used to encrypt). If signature verification is required, Verification Key must be specified with the public verification key (the public key that corresponds to the private key used to sign). To select the particular key in a keyring, import the keyring file and then use the dropdown menu to select the appropriate UserId. To decrypt with a private key, the Passphrase setting must also be set with the passphrase required to access the private key.
Once these options are set, files sent to the input directory of the OpenPGP Connector will automatically be decoded: if it was encrypted it will be decrypted, and if it was signed the signature will be verified.
To create a key:
- Select Import/Export -> Create Key to begin creating a new OpenPGP key pair
- If the connector is in Encode mode, this can be found next to Signing Key
- If the connector is in Decode mode, this can be found next to Decryption Key
Enter the following information:
- User Id: Select at least First Name or Email to create a key. The User Id for the key consists of the First Name, Last Name, and Email options in the key creation wizard.
- Passphrase: Enter a passphrase to protect the private key. The passphrase is used in the decrypt, encrypt, and sign operations.
- Key Encryption Algorithm and Key Signature Algorithm: Select the encryption algorithm that corresponds to the desired strength of your encryption. Select the signature algorithm that corresponds to the desired length of the hash of the message.
- Click Create Key. Keys are created in the data/~Profiles/OpenPGP folder relative to the Application Directory.
When attempting to decode a GPG message using the OpenPGP connector, the error Unknown PGP Packet tag can appear on the Input tab and in the connector logs.
This means the GPG message has been encrypted with an AEAD cipher mode. AEAD encryption for OpenPGP is new and still in draft, and ArcESB does not yet support it.
GPG messages encrypted in GPG 2.3.0 and later using keys created in GPG 2.3.0 and later will need to be encrypted using the following options to disable AEAD:
--force-mdc --rfc2440 --encrypt
GPG packets encrypted in earlier releases or encrypted in GPG 2.3.0 or later using keys created in prior releases are not affected.
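A way to confirm this cause before changing the sender's gpg options, as an added example that is not ArcESB's own code: the Python inspector below walks the top-level OpenPGP packet headers of a message (binary or ASCII-armored) and reports whether it contains an AEAD Encrypted Data packet, tag 20 in the RFC 4880bis draft that GnuPG 2.3 implements, which is the packet the connector rejects as Unknown PGP Packet tag. The helper names (dearmor, iter_packet_tags, packet_summary, uses_aead) are this example's own, and the sample messages are constructed header bytes with dummy bodies, not real ciphertext.

```python
import base64

# OpenPGP packet tags seen in encrypted/signed messages (RFC 4880). Tag 20 is
# the AEAD Encrypted Data packet from the RFC 4880bis draft emitted by GnuPG
# 2.3+; it is the packet behind the "Unknown PGP Packet tag" error.
AEAD_TAG = 20
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    3: "Symmetric-Key Encrypted Session Key",
    4: "One-Pass Signature",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data (no MDC)",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data",
    AEAD_TAG: "AEAD Encrypted Data (RFC 4880bis draft)",
}


def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC-24 line) and
    base64-decode the packet data. The CRC line is skipped, not verified."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP message")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line.strip() == ""   # blank line ends the armor headers
            continue
        if not line.startswith("="):       # "=XXXX" is the CRC line, not data
            body.append(line.strip())
    return base64.b64decode("".join(body))


def _new_format_length(data, pos):
    """Decode a new-format length field at data[pos].
    Returns (body_length, header_octets, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), 5, False
    return 1 << (first & 0x1F), 1, True    # partial body length (224..254)


def iter_packet_tags(data):
    """Yield (tag, body_length) for each top-level packet, handling old-format
    headers, new-format headers and partial body lengths (GnuPG streams
    encrypted data as a chain of partial-length chunks)."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:                       # new format: tag in low 6 bits
            tag, total = ctb & 0x3F, 0
            while True:
                if pos >= n:
                    raise ValueError(f"packet tag {tag} is truncated")
                length, hdr, partial = _new_format_length(data, pos)
                pos += hdr + length
                total += length
                if not partial:
                    break
        else:                                # old format: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                   # indeterminate: runs to the end
                total, pos = n - pos, n
            else:
                hdr = (1, 2, 4)[ltype]
                total = int.from_bytes(data[pos:pos + hdr], "big")
                pos += hdr + total
        if pos > n:
            raise ValueError(f"packet tag {tag} is truncated")
        yield tag, total


def packet_summary(message):
    """List (tag, name) for every packet in a binary or ASCII-armored message."""
    data = dearmor(message) if isinstance(message, str) else message
    return [(tag, TAG_NAMES.get(tag, f"unknown tag {tag}"))
            for tag, _ in iter_packet_tags(data)]


def uses_aead(message):
    """True when the message carries an AEAD Encrypted Data packet, i.e. the
    case the connector reports as Unknown PGP Packet tag."""
    return any(tag == AEAD_TAG for tag, _ in packet_summary(message))


# Constructed sample (dummy bodies, not real ciphertext): a PKESK packet, then
# an AEAD packet whose body is streamed as partial-length chunks like GnuPG 2.3.
SAMPLE_AEAD = bytes([
    0xC1, 0x04, 0x03, 0xAA, 0xBB, 0xCC,   # tag 1, new format, 4-byte body
    0xD4,                                 # tag 20, new format
    0xE1, 0x11, 0x22,                     # partial length 1 << 1 = 2 bytes
    0x03, 0x33, 0x44, 0x55,               # final length 3, 3 bytes
])
# Constructed sample: old-format PKESK header, then a tag 18 (SEIPD) packet,
# which pre-2.3 GnuPG and --force-mdc --rfc2440 produce and ArcESB decodes.
SAMPLE_SEIPD = bytes([
    0x84, 0x04, 0x03, 0xAA, 0xBB, 0xCC,   # tag 1, old format, 1-octet length
    0xD2, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05,
])
# Same AEAD message with constructed ASCII armor (placeholder CRC line).
SAMPLE_AEAD_ARMORED = (
    "-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
    + base64.b64encode(SAMPLE_AEAD).decode()
    + "\n=AAAA\n-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    for label, msg in [("binary AEAD", SAMPLE_AEAD),
                       ("armored AEAD", SAMPLE_AEAD_ARMORED),
                       ("binary SEIPD", SAMPLE_SEIPD)]:
        verdict = "will fail with Unknown PGP Packet tag" if uses_aead(msg) else "decodable"
        print(f"{label}: {[name for _, name in packet_summary(msg)]} -> {verdict}")
```

The same information is available from GnuPG itself with `gpg --list-packets` on the file, which is the quicker check when gpg is installed next to ArcESB. Note that this check keys on tag 20 specifically, which is what GnuPG 2.3's implementation writes; the later RFC 9580 instead carries AEAD in a version 2 Sym. Encrypted Integrity Protected Data packet (tag 18), so a message from an implementation following that RFC would need the packet version inspected as well.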