Skip to content

Instantly share code, notes, and snippets.

@wvpv

wvpv/SFMC-Bring-Your-Own-PGP-GPG-Keys-for-file-encryption.md

Created May 10, 2023 20:02
Show Gist options
  • Save wvpv/9af8d955c4ca2b88fc63616b9b5dc881 to your computer and use it in GitHub Desktop.
Save wvpv/9af8d955c4ca2b88fc63616b9b5dc881 to your computer and use it in GitHub Desktop.
Download ZIP
SFMC File Transfer Activity Encryption Keys
Raw
SFMC-Bring-Your-Own-PGP-GPG-Keys-for-file-encryption.md

SFMC File Transfer Activity Encryption Keys

SF Documentation: https://help.salesforce.com/articleView?id=sf.mc_overview_use_a_created_key_with_file_transfer_activities.htm&type=5

Concepts

Public key (or asymmetric) cryptography is a security scheme that uses pairs of related keys - each pair bears a unique public key and private key. Private keys are kept secret by the holders of the identity or access, while public keys can be shared. These key pairs are used for:

Encryption: Data is encrypted by a public key, and later decrypted by the corresponding private key. The public key cannot perform decrypt.

Signing: Data is signed by a private key to demonstrate that it was generated by the key holder, and is later validated by the corresponding public key. The public key cannot sign data.

Which in turn support these use cases:

  • Securing data in transit (e.g., File Transfer Activities): Data has encryption applied to it with a public key, then placed on an FTP. The service decrypts it with a private key so the data can be used. This article describes how keys are used in this scenario to support data encryption on the Marketing Cloud FTP service.
  • Authentication (e.g., key-based authentication): A user generates a key pair. The public key is saved on the server, and the user keeps the private key safe. To authenticate, the user signs a message ("I am user XYZ") with the private key. The server uses the corresponding public key to validate that the message is indeed from this user. The Marketing Cloud FTP service supports the use of key-based authentication.

File Encryption Key Requirements
Key type PGP or GPG (GnuPG)
Key format Armored ASCII (or simply ASCII or ASC)
Algorithm RSA
Key size 4096-bit recommended

Suggested Tools

Windows

MacOS

  • MacGPG (via GPGTools)
    • MacGPG is the core encryption engine and command line tool gpg and is bundled with the GPGTools suite.
    • During installation, click Customize and deselect all items besides MacGPG for a cleaner setup.
  • PGPTool

Working with GPG Keys

Generate GPG key pair

gpg --full-generate-key

  • Choose RSA, 4096-bit length, your choice of expiration, your choice of passphrase (not requird).
  • A name and email must be entered. These will be solely used to identify the key to the GPG tool.
  • A key pair will be generated and added to a local keychain. Keys must be exported for external use (e.g. on Marketing Cloud).

Export private key

gpg --output your-private-key.txt --armor --export-secret-key [email protected]

  • Replace [email protected] value with the identifier used in your key.
  • Ensure that only either a public key (when using File Transfer Activity to encrypt) or private key (when using activity to decrypt) is included in file.

Export public key

gpg --output your-public-key.txt --armor --export [email protected]

  • Replace [email protected] value with the identifier used in your key.
  • Ensure that only either a public key (when using File Transfer Activity to encrypt) or private key (when using activity to decrypt) is included in file.
  • The --armor switch outputs ASCII (binary is default). It is a reference to "ASCII armor" the PGP term for an encoding method similar to the more modern Base-64.

Import Keys to Keychain

gpg --import your-public-key.txt

  • Add a key to the local (outside of SFMC) keychain from a file.

Encrypt Files

gpg --encrypt -r "[email protected]" file-to-encrypt.txt

  • This takes the public key associated with the specified userid/email and encrypts the provided filename.
  • Useful for testing File Transfer Activity decryption.
  • A .gpg extension is appended to the original filename, as in file-to-encrypt.txt.gpg.

Decrypt Files

gpg --output file-to-encrypt.txt --decrypt file-to-encrypt.txt.gpg

  • File Transfer Activities can encrypt files in Safehouse while being moved to the Marketing Cloud FTP.
  • This can be used to ensure encryption has been configured properly.
  • GPG automatically identifies the correct private key to use from your keychain.

Verify Fingerprint with a Key File

gpg --with-fingerprint --show-keys your-public-or-private-key.txt

  • Fingerprints of public and private keys from the same pair are identical.
  • Inspect fingerprints to validate correct key usage.
  • Setup > Key Management displays the fingerprints of public keys.

Configure Keys In SFMC

Setup > Key Management

  • Ensure the appropriate key is installed in Marketing Cloud for the action desired.

For a Decrypting Files with a File Transfer Activity

  • Key Type: Asymmetric
  • Private Key: checked

For a Encrypting Files with a File Transfer Activity

  • Key Type: Asymmetric
  • Private Key: unchecked
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment