GPG


Your files are secure on the Files.com platform by default. Files.com uses the latest encryption technologies to protect your files both in transit and at rest. However, sometimes counterparties or other compliance requirements dictate that you specifically use GPG or PGP encryption in addition to the encryption we provide.

That is why we offer the option for automatic GPG encryption or decryption of any file that arrives in a specific folder.

You can configure different folders to use different GPG keys, providing a customized level of encryption for each folder.

About GPG

GPG stands for GNU Privacy Guard, a free implementation of the OpenPGP standard (RFC 4880), the message format that PGP defined.

PGP, or Pretty Good Privacy, was originally developed as freeware copyrighted under the GNU General Public License to provide the ability to securely share and transfer information with strong encryption.

PGP was later turned into a proprietary program.

GPG is free software released under the GNU General Public License. Because it implements OpenPGP, it interoperates with PGP, and the two names are used interchangeably on this page.

How GPG Encryption works

Unlike the strong at-rest encryption that Files.com already applies by default, GPG encryption is a separate encryption process applied using a public GPG key that you provide when enabling GPG encryption for a folder.

Once files are encrypted with your public key upon upload, they can only be decrypted using the corresponding private key - a key that only you control.

This renders your files unreadable by anyone - even Files.com - without the corresponding private key. Note that this applies to encryption folders, where you upload only the public key. A decryption folder must hold the private key so that Files.com can decrypt on your behalf, so use a separate key pair for each purpose and never reuse a decryption folder's key for an encryption folder.

Exact Timing of Encryption and Decryption

GPG is performed as a post-processing step after upload. As part of the file upload process, if a file requires post-processing, the file is initially placed into a locked and quarantined container, instead of into its destination folder. The file is then streamed from the locked, quarantined container and GPG encryption is applied "on the fly" as the file is written to its destination folder. The original unencrypted file is never stored on Files.com and the original file is completely unavailable for any actions (other than delete) until the post-processing is complete.

Once the GPG encryption or decryption has been applied, the original file is purged from the locked and quarantined container.

You will see the file appear in list requests via certain interfaces (such as FTP, SFTP, and some other integrations) during this state. We intend to soon enhance our web interface and Desktop app to provide special icon/color indications when a file is in this locked state, as well as some indication of the status of the post-processing step. Please be assured that despite appearing in a list, the file is completely unavailable for any actions (other than delete) until the post-processing GPG encryption or decryption is complete.

File Size Constraints

Files.com currently is only able to perform GPG Encryption and Decryption on files with a maximum size of 1 GB. This is due to limitations with how we host the GPG Application in the cloud. We are interested to learn more about the use case of any customers who need GPG for very large files.

Signing Constraints

Files.com does not currently support GPG Signing.

When decrypting, files that are both encrypted and signed will fail to decrypt. When encrypting, files will only be encrypted and cannot be signed.

Enabling GPG Encryption

Files.com site administrators can enable GPG encryption on a per-folder basis.

Enabling GPG encryption for a particular folder also means that files uploaded to any subfolders within that folder will be automatically encrypted unless you explicitly disable the folder setting on a subfolder.

GPG encryption requires a GPG/PGP key pair. You can generate this GPG/PGP key pair using the appropriate GPG software for your operating system; see our steps for Windows, MacOS and Linux below. You can also choose to securely generate the key pair in your browser while setting up GPG encryption. You can use a different pair of public and private keys for each folder you enable encryption on.

If you are providing your own key pair:

  1. Navigate to the folder where you would like to enable GPG encryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select the Yes, use GPG encryption on all files in this folder and its sub-folders option.
  4. Within the Auto encryption section, enter a file suffix into the Suffix text box. This suffix will be appended to the original file name. For example, .gpg or .pgp.
  5. Select the Use your own option for the key pair.
  6. Paste the entire text of the Public Key into the Public key text box.
  7. Choose the preferred Output format. Binary format is the default but you can also select ASCII Armor if you require text encoding instead.
  8. Click the Save GPG button to save and apply the configuration to this folder.

If you are generating a new key pair:

  1. Navigate to the folder where you would like to enable GPG encryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select the Yes, use GPG encryption on all files in this folder and its sub-folders option.
  4. Within the Auto encryption section, enter a file suffix into the Suffix text box. This suffix will be appended to the original file name. For example, .gpg or .pgp.
  5. Select the Generate in browser option for the key pair.
  6. Enter your name in the Full name box.
  7. Enter your email in the Email box.
  8. If you'd like a passphrase for your new key, enter that. You can leave this option blank if you wish to have no passphrase to protect the private key.
  9. Click the Generate key pair button.
  10. If you would like to keep a copy of the public key, select all of the text in the Public key text box and copy it into a file.
  11. Choose the preferred Output format. Binary format is the default but you can also select ASCII Armor if you require text encoding instead.
  12. Click the Save GPG button to save and apply the configuration to this folder.
  13. Click the Download Private Key button to save your private key to your computer.

Every file uploaded to this folder or its subfolders will now be encrypted using the supplied public key.

Note: When enabling GPG encryption on a folder, files that were uploaded to the folder prior to enabling the setting will not be automatically encrypted. You can re-upload those files to have GPG encryption applied to them.

Enabling GPG Decryption

Files.com site administrators can enable GPG decryption on a per-folder basis.

Enabling GPG decryption for a particular folder also means that files uploaded to any subfolders within that folder will be automatically decrypted unless you explicitly disable the folder setting on a subfolder.

GPG decryption requires a GPG/PGP key pair. You can generate this GPG/PGP key pair using the appropriate GPG software for your operating system; see our steps for Windows, MacOS and Linux below. You can also choose to securely generate the key pair in your browser while setting up GPG decryption. You can use a different pair of public and private keys for each folder you enable decryption on.

If you are providing your own key pair:

  1. Navigate to the folder where you would like to enable GPG decryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select the Yes, use GPG decryption on all files in this folder and its sub-folders option.
  4. Within the Auto decryption section, enter a file suffix into the Suffix text box. This suffix will be removed from the uploaded file name. For example, .gpg or .pgp.
  5. Select the Use your own option for the key pair
  6. Paste the entire text of the Public Key into the Public key text box
  7. Paste the entire text of the Private Key into the Private key text box.
  8. (Optional) Select the "Ignore MDC integrity check" option if you wish to ignore any Modification Detection Code errors. Leave this unselected unless a counterparty cannot produce MDC-protected files: with the check ignored, a file whose ciphertext was modified in transit will be decrypted without any warning.
  9. Click the Save GPG button to save and apply the configuration to this folder.

If you are generating a new key pair:

  1. Navigate to the folder where you would like to enable GPG decryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select the Yes, use GPG decryption on all files in this folder and its sub-folders option.
  4. Within the Auto decryption section, enter a file suffix into the Suffix text box. This suffix will be removed from the uploaded file name. For example, .gpg or .pgp.
  5. Select the Generate in browser option for the key pair.
  6. Enter your name in the Full name box.
  7. Enter your email in the Email box.
  8. If you'd like a passphrase for your new key, enter that. You can leave this option blank if you wish to have no passphrase to protect the private key.
  9. Click the Generate key pair button.
  10. If you would like to keep a copy of the public key, select all of the text in the Public key text box and copy it into a file.
  11. (Optional) Select the "Ignore MDC integrity check" option if you wish to ignore any Modification Detection Code errors. Leave this unselected unless a counterparty cannot produce MDC-protected files: with the check ignored, a file whose ciphertext was modified in transit will be decrypted without any warning.
  12. Click the Save GPG button to save and apply the configuration to this folder.
  13. Click the Download Private Key button to save your private key to your computer.

Files.com will attempt to decrypt every file uploaded to this folder or its subfolders using the supplied key pair. If a file cannot be decrypted then it will remain in its original form. Only files that were encrypted with the matching Public Key will be decrypted. If the Public Key has expired then decryption cannot be performed.

To avoid non-encrypted files being uploaded into a decryption folder, you can use the Folder Setting for Limit uploaded files to certain extensions so that only PGP or GPG files will be allowed.

Note: When enabling GPG decryption on a folder, files that were uploaded to the folder prior to enabling the setting will not be automatically decrypted. You can re-upload those files to have GPG decryption applied to them.

Generating GPG Keys in the Browser

You can generate a GPG/PGP key pair using your browser while setting up automated encryption or decryption. Key generation takes place only within your browser. For an encryption folder, only the public key is saved to Files.com and the private key is never uploaded; a decryption folder necessarily stores the private key on Files.com, since that is what Files.com decrypts with.

You'll create the key pair while configuring automatic encryption or decryption for a folder:

  1. Navigate to the folder where you would like to enable GPG encryption or decryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select either the Yes, use GPG decryption on all files in this folder and its sub-folders option or the Yes, use GPG encryption on all files in this folder and its sub-folders option.
  4. Select Generate in browser.
  5. Enter your full name
  6. Enter your email address
  7. If you'd like a passphrase for your new key, enter that. This is optional. You can leave this option blank if you wish to have no passphrase to protect the private key.
  8. Click the Generate key pair button. You'll be able to view the public key before you continue to the next step. If you would like to keep a copy of the public key, select all of the text and copy it into a file.
  9. Finish setting up your encryption or decryption, depending on your choice in step 3.
  10. Click Save GPG.
  11. In the popup window, click Download Private Key to save the private key.

Generating GPG Keys on Windows

The GPG app we will use for this tutorial is the Gpg4win app suite. You can learn about and download the app on the Gpg4win site. The installer will install an app called Kleopatra, which is a key management app that can be used to generate key pairs and to import private keys provided to you by others for the purpose of decrypting files.

The steps we're going to follow are:

  1. Download and install Gpg4win
  2. Use the Kleopatra app to generate a new GPG/PGP key pair
  3. Export the public and private portions of the new key pair

1. Download and install Gpg4win

Download and install Gpg4win from the official website: https://gpg4win.org/

2. Use the Kleopatra app to generate a new GPG/PGP key pair

Open the Kleopatra certificate manager app from the Windows Start menu.

Select the "File" menu then select the "New OpenPGP Key Pair" menu item.

Follow the on-screen instructions and enter your name and email address.

Select the "Protect the generated key with a passphrase" option. (This is optional. You can leave this option unselected if you wish to have no passphrase to protect the private key.)

Select "Advanced Settings..." and make sure, under the "Certificate Usage" section, that both "Signing" and "Encryption" are selected.

Select "OK" to start the key generation process. If prompted, enter a strong passphrase to protect your private key.

3. Export the public and private portions of the new key pair

Right-click on the newly created key and select "Export..." to export the public portion of the GPG/PGP key.

Right-click on the newly created key and select "Backup Secret Keys..." to export the private portion of the GPG/PGP key. If prompted, enter the passphrase for the key.

You can open and view the exported files using a text editor or viewer such as Notepad.

Your public key is the entire contents of the text that begins with: -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with: -----END PGP PUBLIC KEY BLOCK-----

Your private key is the entire contents of the text that begins with: -----BEGIN PGP PRIVATE KEY BLOCK----- and ends with: -----END PGP PRIVATE KEY BLOCK-----

Extending the Expiration Date of a PGP Key on Windows

Open the Kleopatra certificate manager app from the Windows Start menu.

Double-click the entry of the PGP Key to view its details.

Select the Change Expiry Date button, provide a new date, and save the changes.

Re-export the public and private portions of the updated key pair.

Import the updated portions into Files.com, replacing the previous version of the PGP Key.

Generating GPG Keys on macOS

The GPG app we will use for this tutorial is GPG Suite. You can learn about and download this toolset from the official GPG Tools site. Download and install the app just as you do any other app for macOS. The installer will install an app called GPG Keychain. Once installation is complete, you can launch the app from your Launchpad or double click it in your Applications folder.

GPG Keychain opens to a window showing a list of current keys (one will appear by default, created by the GPG Tools team - leave that there).

To generate a new key pair, click on the New key icon in the upper left corner of the window.

Fill in the information form and choose a strong password.

NOTE: Be sure to keep a record of the password in a safe place such as a password manager, as this will be required to decrypt files using this keypair.

GPG Keychain will allow you to proceed with the key generation without using a password, but this is less secure.

When you have the form data entered, click the Generate Key button to finish the process.

Your new keys will appear in the list.

To copy your public key, select the key by name by clicking on it in the list view, then click the Export key icon in the upper left corner. GPG Keychain will prepare to export an .asc file containing your public key (you can also check the box to include the private or "secret" key if you need to provide that to another person).

In the Save As window that appears, navigate to the location where you would like the exported .asc file to save, then click Save.

You will see an acknowledgement that the keys were exported.

Navigate to the location you chose to save the file.

Select the file and open it with TextEdit or a similar text editor.

You will see the public key (and the private/secret key below if you selected that option for the export).

Copy the entire public key block. The copied key can now be pasted into the Public key field by an administrator when enabling GPG Encryption on a Files.com folder.

Extending the Expiration Date of a PGP Key on Mac

Open the GPG Keychain app.

Double-click the entry of the PGP Key, and navigate to the Key tab.

Select the Change button next to the expiration date field, provide a new date, and save the changes.

Re-export the public and private portions of the updated key pair.

Import the updated portions into Files.com, replacing the previous version of the PGP Key.

Generating GPG Keys on Linux

This tutorial will show how to generate GPG keys using the GnuPG command line tools for Linux.

Run the command below from a terminal to install GnuPG.

On deb or apt based distributions (Debian, Ubuntu, Mint):

sudo apt install gnupg

On rpm based distributions (Fedora, CentOS, RHEL), where the package is named gnupg2:

sudo dnf install gnupg2

(use yum in place of dnf on older CentOS/RHEL releases)

Generate a GPG key pair

Run this command to generate your GPG key pair:

gpg --full-generate-key

At the prompt, specify the kind of key you want, or press ENTER to accept the default. GnuPG 2.2 defaults to RSA and RSA; GnuPG 2.3 and later default to ECC (Curve25519), so choose the RSA and RSA option explicitly if your counterparty requires RSA.

When prompted for the RSA key size, we recommend the maximum of 4096.

Next, specify how long the key should be valid for, or press ENTER to have the key never expire, and verify that your selections are correct. We recommend an expiration of less than two years (see the Troubleshooting section below), so prefer entering a value such as 2y over accepting no expiry.

When prompted, enter your real name, email address, and an optional comment if desired. Confirm your entries are correct by typing O (for Okay) and pressing ENTER.

Lastly, type a secure passphrase to protect your GPG key when prompted.

Your GPG key pair is now generated. Note your key ID from the output:

gpg: key 1655A54E2B4AD8A9 marked as ultimately trusted

In the example above, the GPG key ID is 1655A54E2B4AD8A9.

Copy your GPG public key

Enter the command below to output your public key, replacing the example ID with your GPG key ID.

gpg --armor --export 1655A54E2B4AD8A9

Highlight and copy your GPG key, beginning with:

-----BEGIN PGP PUBLIC KEY BLOCK----- and ending with: -----END PGP PUBLIC KEY BLOCK-----

The copied key can now be pasted into the Public key field by an administrator when enabling GPG Encryption on a Files.com folder.

Extending the Expiration Date of a PGP Key on Linux

Run this command to extend the expiration date of your GPG key pair:

gpg --quick-set-expire <FINGERPRINT> <NEW_EXPIRATION_DATE> <OPTIONAL_SUBKEY_FINGERPRINTS>

The first argument must be the key's full 40-character fingerprint; --quick-set-expire does not accept the short key ID. Look it up with:

gpg --fingerprint 1655A54E2B4AD8A9

For example, using the fingerprint of the key from the example above, an expiration date at the end of this century, and '*' (quoted so the shell does not expand it) to apply the same date to every subkey, the command would be:

gpg --quick-set-expire <FINGERPRINT> 2099-12-31 '*'

Re-export the public and private portions of the updated key pair.

Import the updated portions into Files.com, replacing the previous version of the PGP Key.

Troubleshooting

GPG Key is Expired

As a best practice, it is strongly encouraged to set expiration dates of less than two years on all of your GPG keys. Create reminders in your calendar of choice to update the expiration and replace the keys regularly.

When a GPG key for your account is about to expire, you will receive an automated email notification from Files.com titled Failures/Events that may need your attention.

When a key that is used for auto-encryption or auto-decryption has expired, uploads to the affected folders will be disabled until the key is replaced.

To resolve an expired GPG key issue in Files.com:

  • Use the appropriate gpg utility to update the expiration date for your key
  • Export the updated key
  • Disable the auto-encryption/decryption setting using the expired key
  • Enable Encryption or Decryption using your updated key
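The expired-key procedure above, together with the Linux key generation and expiry steps earlier on this page, can be scripted end to end. The following is an added example written for this page, not Files.com or GnuPG code. It builds GnuPG's documented unattended parameter file, parses `gpg --with-colons --list-keys` output to recover the fingerprint (which `--quick-set-expire` requires instead of the short key ID) and the expiry timestamp, classifies a key as expired or about to expire, and returns the export commands whose output you paste into Folder Settings. Everything runs through the `gpg` binary via subprocess; the sample listing and its fingerprints are constructed, and the key ID is the example ID used elsewhere on this page.

```python
"""Key lifecycle helpers for a Files.com GPG folder, driven through the
GnuPG command line. Added example, not Files.com or GnuPG code."""
import subprocess
import time


def batch_params(name, email, expire="2y", passphrase=None):
    """Parameter file for `gpg --batch --generate-key` (GnuPG's documented
    unattended format): RSA 4096 primary (sign) plus RSA 4096 encryption
    subkey. The 2y default follows this page's expiry recommendation."""
    lines = [
        "Key-Type: RSA", "Key-Length: 4096", "Key-Usage: sign",
        "Subkey-Type: RSA", "Subkey-Length: 4096", "Subkey-Usage: encrypt",
        "Name-Real: %s" % name, "Name-Email: %s" % email,
        "Expire-Date: %s" % expire,
    ]
    # %no-protection only where automation cannot supply a passphrase.
    lines.append("Passphrase: %s" % passphrase if passphrase else "%no-protection")
    lines.append("%commit")
    return "\n".join(lines) + "\n"


def parse_colons(listing):
    """Parse --with-colons output. On 'pub'/'sub' lines field 5 is the key
    ID and fields 6/7 the creation/expiry epochs (empty expiry = never);
    the 'fpr' line that follows carries the full fingerprint in field 10."""
    info, want = {"subkeys": []}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            info.update(keyid=f[4], created=int(f[5]),
                        expires=int(f[6]) if f[6] else 0)
            want = "primary"
        elif f[0] == "sub":
            info["subkeys"].append({"keyid": f[4],
                                    "expires": int(f[6]) if f[6] else 0})
            want = "sub"
        elif f[0] == "fpr" and want:
            target = info if want == "primary" else info["subkeys"][-1]
            target["fingerprint"] = f[9]
            want = None
    return info


def expiry_status(expires, now=None, warn_days=30):
    """'never', 'expired', 'expiring' (within warn_days) or 'ok'."""
    now = time.time() if now is None else now
    if not expires:
        return "never"
    if expires <= now:
        return "expired"
    return "expiring" if expires - now < warn_days * 86400 else "ok"


def rotate_commands(fingerprint, new_expiry, out_prefix="filescom-key"):
    """argv lists that extend the expiry (primary key and, via '*', every
    subkey) and re-export both halves as ASCII-armored files. Passing '*'
    as a list element, without a shell, keeps it from being globbed."""
    return [
        ["gpg", "--batch", "--quick-set-expire", fingerprint, new_expiry, "*"],
        ["gpg", "--batch", "--yes", "--armor", "--output",
         out_prefix + ".pub.asc", "--export", fingerprint],
        ["gpg", "--batch", "--yes", "--armor", "--output",
         out_prefix + ".sec.asc", "--export-secret-keys", fingerprint],
    ]


def run(argv, stdin=None):
    """Thin subprocess wrapper; raises CalledProcessError on failure."""
    return subprocess.run(argv, input=stdin, capture_output=True,
                          text=True, check=True).stdout


# Constructed --with-colons listing; fingerprints are made up.
SAMPLE_LISTING = """\
tru::1:1700000000:1763000000:3:1:5
pub:u:4096:1:1655A54E2B4AD8A9:1700000000:1763000000::u:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C1655A54E2B4AD8A9:
uid:u::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:0F1E2D3C4B5A6978:1700000000:1763000000:::::e::::::23:
fpr:::::::::00112233445566778899AABB0F1E2D3C4B5A6978:
"""

if __name__ == "__main__":
    # Full lifecycle against a real GnuPG installation.
    run(["gpg", "--batch", "--generate-key"],
        stdin=batch_params("Alice Example", "alice@example.com"))
    info = parse_colons(run(["gpg", "--with-colons", "--list-keys",
                             "alice@example.com"]))
    print(info["fingerprint"], expiry_status(info["expires"]))
    for argv in rotate_commands(info["fingerprint"], "2y"):
        run(argv)
```

After the rotation commands run, paste the contents of the .pub.asc file into the Public key box (and the .sec.asc file into the Private key box for a decryption folder), disable the folder setting that used the expired key, and re-enable it with the updated key as described in the steps above.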

Modification Detection Code (MDC) Error

Files encrypted by PGP or GPG should include a Modification Detection Code (MDC) which is used to confirm the integrity of the file.

Current versions of PGP (version 7 onwards) and all maintained versions of GnuPG (1.4.x and 2.x) include the MDC by default. Older PGP versions (version 6 and earlier) did not include the MDC by default, but allowed it to be optionally added.

If you receive a PGP or GPG encrypted file that does not include the MDC then you will see the following error message in the logs and site alert emails:

File is gpg encrypted but is missing modification detection code (MDC): path/to/folder/encrypted_file.txt.pgp

This error means that the integrity of the file cannot be confirmed, and should be a cause for concern if data security is important to you.

We recommend that you contact your counterparty and ask them to include the MDC when encrypting files.

If your counterparty is using PGP, they should use version 7 or later, which includes the MDC by default. If they are using GnuPG, any maintained release adds the MDC by default, and the --force-mdc flag enforces it on very old versions. Note that GnuPG 2.2.8 and later refuse to decrypt a file that lacks an MDC, so a file that fails the MDC check on Files.com would also be rejected by a current GnuPG client.

File Too Large

Currently, files with a size greater than 1GB are not supported for either encryption or decryption. Make sure that files are smaller in size than 1GB prior to encryption or decryption.

Signed Files

Currently, signed files are not supported for either encryption or decryption. Make sure that your sending counterparties do not apply PGP/GPG Signing to files prior to sending them to you.

Partial File

If a file is only partially uploaded, so that an incomplete file has been delivered, then decryption of that file will fail. Make sure that your counterparties upload files completely.
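Three of the failures above (missing MDC, signed files, partial uploads) and the size limit can be caught by the sender before upload, because each shows up in the OpenPGP packet framing. The following is an added example, not Files.com code. It walks RFC 4880 packet headers (old and new format, including partial body lengths), de-armors ASCII files, and reports whether the message uses the integrity-protected packet (tag 18) or the legacy one without an MDC (tag 9), whether a signature packet appears at the top level, and whether a declared packet length overruns the file, which is what a partial upload looks like. A signature nested inside the encrypted data cannot be seen without decrypting, so that case still has to be handled by agreement with the counterparty. The sample messages are constructed byte strings, not real ciphertext, and the key ID in them is the example ID used elsewhere on this page.

```python
"""Pre-flight checks for an OpenPGP file bound for a Files.com
auto-decryption folder. Added example, not Files.com code. Walks RFC 4880
packet framing to catch: no MDC (tag 9 instead of 18), a top-level
signature packet, a truncated file, and the 1 GB size limit."""
import base64

MAX_BYTES = 1 << 30  # the 1 GB limit quoted on this page
TAG_NAMES = {1: "PKESK", 2: "signature", 3: "SKESK", 4: "one-pass signature",
             8: "compressed", 9: "encrypted (no MDC)", 11: "literal",
             18: "encrypted + MDC", 19: "MDC"}


def dearmor(text):
    """Strip ASCII armor: skip the BEGIN line and headers up to the first
    blank line; stop at the '=XXXX' CRC-24 line (the CRC is not checked)."""
    body, in_body = [], False
    for line in text.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.startswith("-----END PGP") or (in_body and line.startswith("=")):
            break
        if in_body:
            body.append(line)
        elif line == "":
            in_body = True
    return base64.b64decode("".join(body))


def _new_length(data, pos):
    """New-format length octets -> (length, next_pos, is_partial)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True   # partial body length


def parse_packets(data):
    """Return [(tag, body_length), ...] for the top-level packets; raise
    ValueError('truncated') when a declared length overruns the input."""
    packets, pos, n = [], 0, len(data)
    try:
        while pos < n:
            ctb = data[pos]
            if not ctb & 0x80:
                raise ValueError("not an OpenPGP packet at offset %d" % pos)
            pos, total = pos + 1, 0
            if ctb & 0x40:                          # new-format header
                tag, partial = ctb & 0x3F, True
                while partial:                      # chain of partial lengths
                    length, pos, partial = _new_length(data, pos)
                    if pos + length > n:
                        raise ValueError("truncated")
                    pos, total = pos + length, total + length
            else:                                   # old-format header
                tag, hdr = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
                total = n - pos if hdr == 0 else int.from_bytes(data[pos:pos + hdr], "big")
                pos += hdr
                if pos + total > n:
                    raise ValueError("truncated")
                pos += total
            packets.append((tag, total))
    except IndexError:                              # ran off the end mid-header
        raise ValueError("truncated") from None
    return packets


def preflight(data, max_bytes=MAX_BYTES):
    """Report dict: armored flag, packet names, issues worded like the alerts."""
    report = {"armored": False, "packets": [], "issues": []}
    if len(data) > max_bytes:
        report["issues"].append("file too large (%d > %d bytes)" % (len(data), max_bytes))
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        report["armored"], data = True, dearmor(data)
    try:
        tags = [t for t, _ in parse_packets(data)]
    except ValueError as exc:
        report["issues"].append(str(exc))
        return report
    report["packets"] = [TAG_NAMES.get(t, "tag %d" % t) for t in tags]
    if 9 in tags and 18 not in tags:
        report["issues"].append("missing modification detection code (MDC)")
    if 2 in tags or 4 in tags:
        report["issues"].append("signed: signature packet outside the encrypted data")
    if not {9, 18} & set(tags):
        report["issues"].append("not an encrypted message")
    return report


# Constructed sample messages (not real ciphertext).
def _new(tag, body):   # new-format header, one-octet length (< 192)
    return bytes([0xC0 | tag, len(body)]) + body


def _old(tag, body):   # old-format header, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body


PKESK = _new(1, b"\x03" + bytes.fromhex("1655A54E2B4AD8A9") + b"\x01\x00\x08\x80")
SEIPD = _new(18, b"\x01" + bytes(range(32)))       # tag 18: carries an MDC
SED = _old(9, bytes(range(32)))                     # tag 9: legacy, no MDC
SIG = _old(2, b"\x04" + bytes(8))                   # stub signature packet
SAMPLES = {
    "good": PKESK + SEIPD,
    "armored": b"-----BEGIN PGP MESSAGE-----\nComment: constructed\n\n"
               + base64.b64encode(PKESK + SEIPD) + b"\n=AAAA\n-----END PGP MESSAGE-----\n",
    "no_mdc": PKESK + SED,
    "signed": _new(4, b"\x03" + bytes(12)) + PKESK + SEIPD + SIG,
    "truncated": PKESK + bytes([0xD2, 40]) + b"\x01" + bytes(10),  # claims 40, ships 11
}
```

Run it on a real file with preflight(open(path, "rb").read()). An empty issues list means the file is well-formed for an auto-decryption folder; only the decryption itself confirms that it was encrypted to the folder's key.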

Error Notifications

Errors encountered while attempting to encrypt or decrypt files will be logged in the Site Alert Emails, which are sent to site administrators that have opted-in to receiving these alerts.


©2023 Files.com. All right reserved
