
GPG Decryption

Files.com administrators can enable GPG decryption on a per-folder basis. When enabled for a folder, any files uploaded to that folder or its subfolders are automatically decrypted, unless you explicitly disable the setting in a subfolder.

Decryption requires a GPG/PGP private key. When you configure GPG decryption, you choose a Decryption Key Source that determines which private keys the folder can use. Files.com tries each candidate private key until one decrypts the file.

If Files.com cannot decrypt a file with the chosen private keys, the file remains unchanged. Only files encrypted with a matching public key can be decrypted. Files encrypted with expired public keys cannot be decrypted.

To prevent unencrypted files from being uploaded to a decryption folder, enable the Limit uploaded files to certain extensions folder setting to allow only .pgp or .gpg files.

When you enable GPG decryption, files that existed in the folder beforehand remain unchanged. To apply decryption to those files, re-upload them after enabling the setting.

Decryption Key Source

Use Any Matching Stored GPG Key lets decryption use any private GPG key in your site's GPG Key Manager, so you do not have to maintain a per-folder key list as you add or rotate keys. New decryption configurations use this source by default. Selecting it requires Site Administrator or Workspace Administrator privileges.

Select Specific GPG Keys restricts decryption to keys you choose for the folder. Use it when a folder should decrypt only files encrypted to a known set of keys. Selecting this source shows the key selection described below.

Within a workspace, decryption uses only private GPG keys from the same workspace, whichever source you choose.

Using Existing Keys From the GPG Key Manager

When you choose Select Specific GPG Keys, select one or more decryption keys from the available key list.

Provide a file suffix, for example .gpg or .pgp. Files.com removes this suffix from the uploaded file name.

You can also enable the Ignore MDC integrity check option to bypass any modification detection code errors.

Providing Your Own Keys

Select Import from file... when choosing keys.

Enter a name to identify the key or key pair.

If the private key has a passphrase, enter it. Leave the field blank if there is no passphrase.

Creating a New Key Pair

Select Create new... when choosing keys.

Enter a name and email address for the new key.

Optionally, add a passphrase to protect the private key.

After generating the key pair, you can view and copy the public key before continuing.

Once saved, a popup displays the private key. Download and store it securely.

Error Notifications

Errors encountered while decrypting files are reported in Site Alert Emails, which are sent to site administrators who have opted in to receiving these alerts.

Partial Files

If an encrypted file is partially uploaded so that an incomplete file is delivered, decryption fails. Make sure that your counterparties upload files completely.
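
The following is an added example, not Files.com code: a pre-upload check for a binary .gpg or .pgp file that reports which key IDs it is encrypted to, whether it carries MDC integrity protection, and whether it is truncated, which are the conditions covered above under matching keys, Ignore MDC integrity check, and Partial Files. It assumes RFC 4880 packet framing, reads only version 3 public-key session-key packets, and raises ValueError on ASCII-armored input; the function names and sample bytes are constructed for illustration.

```python
def read_length(data, pos):
    """Decode a new-format length at pos -> (length, next_pos, is_partial)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True      # partial-body chunk

def inspect(data):
    """Report recipient key IDs, integrity protection and truncation."""
    info = {"key_ids": [], "integrity_protected": None, "truncated": False}
    pos = 0
    try:
        while pos < len(data):
            hdr = data[pos]
            if not hdr & 0x80:
                raise ValueError("not a binary OpenPGP packet stream")
            partial = False
            if hdr & 0x40:                       # new-format header
                tag = hdr & 0x3F
                length, body, partial = read_length(data, pos + 1)
            else:                                # old-format header
                tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
                n = 0 if ltype == 3 else 1 << ltype   # type 3: runs to EOF
                body = pos + 1 + n
                length = int.from_bytes(data[pos + 1:body], "big") if n else len(data) - body
            end = body + length
            while partial:                       # follow partial-body chunks
                length, nxt, partial = read_length(data, end)
                end = nxt + length
            info["truncated"] = end > len(data)  # packet claims more than we have
            if tag == 1 and data[body] == 3:     # PKESK v3: version, then key ID
                info["key_ids"].append(data[body + 1:body + 9].hex().upper())
            elif tag in (9, 18):                 # 9: no MDC, 18: MDC-protected
                info["integrity_protected"] = tag == 18
            pos = end
    except IndexError:                           # header or body cut off mid-packet
        info["truncated"] = True
    return info

# Constructed sample: one PKESK v3 packet plus a 5-byte tag-18 data packet.
SAMPLE = (bytes([0xC1, 12, 3]) + bytes.fromhex("0123456789ABCDEF")
          + bytes([1, 0, 0]) + bytes([0xD2, 5, 1, 0, 0, 0, 0]))
if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Compare the reported key IDs with the encryption subkey IDs of the private keys the folder is allowed to use; an all-zero key ID means the sender hid the recipient.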