GPG


Your files are secure on the Files.com platform by default. Files.com uses the latest encryption technologies to protect your files both in transit and at rest. However, sometimes counterparties or other compliance requirements dictate that you specifically use GPG or PGP encryption in addition to the encryption we provide.

That is why we offer the option for automatic GPG encryption or decryption of any file that arrives in a specific folder.

You can configure different folders to use different GPG keys, providing a customized level of encryption for each folder.

About GPG

GPG stands for GNU Privacy Guard, which is an independent implementation of PGP.

PGP, or Pretty Good Privacy, was originally developed as freeware copyrighted under the GNU public license to provide the ability to securely share and transfer information with strong encryption.

PGP was later turned into a proprietary program.

GPG is a publicly licensed project of the OpenGPG Alliance, and is used interchangeably with PGP.

How GPG Encryption works

Unlike the strong at-rest encryption that Files.com already applies by default, GPG encryption is a separate encryption process applied using a public GPG key that you provide when enabling GPG encryption for a folder.

Once files are encrypted with your public key upon upload, they can only be decrypted using the corresponding private key - a key that only you control.

This renders your files unreadable by anyone - even Files.com - without the corresponding private key needed to decrypt the files.

Exact Timing of Encryption and Decryption

GPG is performed as a post-processing step after upload. As part of the file upload process, if a file requires post-processing, the file is initially placed into a locked and quarantined container, instead of into its destination folder. The file is then streamed from the locked, quarantined container and GPG encryption is applied "on the fly" as the file is written to its destination folder. The original unencrypted file is never stored on Files.com and the original file is completely unavailable for any actions (other than delete) until the post-processing is complete.

After the GPG encryption or decryption is applied then the original file is purged from the locked and quarantined container.

You will see the file appear in list requests via certain interfaces (such as FTP, SFTP, and some other integrations) during this state. We intend to soon enhance our web interface and Desktop app to provide special icon/color indications when a file is in this locked state, as well as some indication of the status of the post-processing step. Please be assured that despite appearing in a list, the file is completely unavailable for any actions (other than delete) until the post-processing GPG encryption or decryption is complete.

File Size Constraints

Files.com currently is only able to perform GPG Encryption and Decryption on files with a maximum size of 1 GB. This is due to limitations with how we host the GPG Application in the cloud. We are interested to learn more about the use case of any customers who need GPG for very large files

Signing Constraints

Files.com does not currently support GPG Signing.

When decrypting, files that are both encrypted and signed will fail to decrypt. When encrypting, files will only be encrypted and cannot be signed.

Enabling GPG Encryption

Files.com site administrators can enable GPG encryption on a per-folder basis.

Enabling GPG encryption for a particular folder also means that files uploaded to any subfolders within that folder will be automatically encrypted unless you explicitly disable the folder setting on a subfolder.

To enable GPG encryption, you will first need to generate a GPG/PGP key pair. For detailed instructions, please see our tutorial on generating GPG keys. You can use a different public key for each folder you enable encryption on.

Once you have generated your GPG keys, log into the web interface as an administrator, and follow these steps:

  1. Navigate to the folder where you would like to enable GPG encryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select the Yes, use GPG encryption on all files in this folder and its sub-folders option.
  4. Within the Auto encryption section, enter a file suffix into the Suffix text box. This suffix will be appended to the original file name. For example, .gpg or .pgp.
  5. Paste the entire text of the Public Key into the Public key text box.
  6. Choose the preferred Output format. Binary format is the default but you can also select ASCII Armor if you require text encoding instead.
  7. Click the Save GPG button to save and apply the configuration to this folder.

Every file uploaded to this folder or its subfolders will now be encrypted using the supplied public key.

Note: When enabling GPG encryption on a folder, files that were uploaded to the folder prior to enabling the setting will not be automatically encrypted. You can re-upload those files to have GPG encryption applied to them.

Enabling GPG Decryption

Files.com site administrators can enable GPG decryption on a per-folder basis.

Enabling GPG decryption for a particular folder also means that files uploaded to any subfolders within that folder will be automatically decrypted unless you explicitly disable the folder setting on a subfolder.

To enable GPG decryption, you will first need to generate a GPG/PGP key pair. For detailed instructions, please see our tutorial on generating GPG keys. You can use a different pair of public and private keys for each folder you enable decryption on.

Once you have generated your GPG keys, log into the web interface as an administrator, and follow these steps:

  1. Navigate to the folder where you would like to enable GPG decryption, and click on the Folder Settings button at the upper right of the page.
  2. Navigate to the GPG encryption/decryption section and click to expand it.
  3. Select the Yes, use GPG decryption on all files in this folder and its sub-folders option.
  4. Within the Auto decryption section, enter a file suffix into the Suffix text box. This suffix will be removed from the uploaded file name. For example, .gpg or .pgp.
  5. Paste the entire text of the Public Key into the Public key text box.
  6. Paste the entire text of the Private Key into the Public key text box.
  7. Enter the password to the Private Key into the Private key password text box. If the Private Key was created with no password then you can leave this blank.
  8. Click the Save GPG button to save and apply the configuration to this folder.

Every file uploaded to this folder or its subfolders will now be attempted to be decrypted using the supplied key pair. If a file cannot be decrypted then it will remain in its original form. Only files that were encrypted with the matching Public Key will be decrypted. If the Public Key has expired then decryption cannot be performed.

Note: When enabling GPG decryption on a folder, files that were uploaded to the folder prior to enabling the setting will not be automatically decrypted. You can re-upload those files to have GPG encryption applied to them.

Generating GPG Keys on Windows

The GPG app we will use for this tutorial is the Gpg4win app suite. You can learn about and download this here. The installer will install an app called Kleopatra, which is a key management app that can be used to generate key pairs and to import private keys provided to you by others for the purpose of decrypting files.

Once the installation is complete and you see the Kleopatra icon on your desktop or app menu, double click to launch. Kleopatra will open to a window inviting you to create a new key pair.

Click the New Key Pair button and follow the wizard prompts to generate your key pair. The wizard will guide you through the steps until you get to the Finish step. Click Finish to create your key pair. The keypair with your name and email address will appear in the window. You can create as many key pairs as you need from File > New Key Pair.

To copy your public key, double click on the key name in the list, and click the Export button in the window that appears.

Your public key is the entire contents of the text that begins with:-----BEGIN PGP PUBLIC KEY BLOCK-----and ends with:-----END PGP PUBLIC KEY BLOCK-----

Right-click on the key contents and choose Select All, then right-click again and choose Copy to copy the entire block. The copied key can now be pasted into the Public key field by an administrator when enabling GPG Encryption on a Files.com folder.

Generating GPG Keys on macOS

The GPG app we will use for this tutorial is GPG Suite. You can learn about and download this toolset here. Download and install the app just as you do any other app for macOS. The installer will install an app called GPG Keychain. Once installation is complete, you can launch the app from your Launchpad or double click it in your Applications folder.

GPG Keychain opens to a window showing a list of current keys (one will appear by default, created by the GPG Tools team - leave that there).

To generate a new key pair, click on the New key icon in the upper left corner of the window.

Fill in the information form and choose a strong password.

NOTE: Be sure to keep a record of the password in a safe place such as a password manager, as this will be required to decrypt files using this keypair.

GPG Keychain will allow you to proceed with the key generation without using a password, but this is less secure.

When you have the form data entered, click the Generate Key button to finish the process.

Your new keys will appear in the list.

To copy your public key, select the key by name by clicking on it in the list view, then click the Export key icon in the upper left corner. GPG Keychain will prepare to export an .asc file containing your public key (you can also check the box to include the private or "secret" key if you need to provide that to another person).

In the Save As window that appears, navigate to the location where you would like the exported .asc file to save, then click Save.

You will see an acknowledgement that the keys were exported.

Navigate to the location you chose to save the file.

Select the file and open it with TextEdit or a similar text editor.

You will see the public key (and the private/secret key below if you selected that option for the export).

Copy the entire public key block. The copied key can now be pasted into the Public key field by an administrator when enabling GPG Encryption on a Files.com folder.

Generating GPG Keys on Linux

This tutorial will show how to generate GPG keys using the GnuPG command line tools for Linux.

Run the command below from a terminal to install GnuPG.

On deb or apt based distributions (Debian, Ubuntu, Mint):

sudo apt install gnupg

On rpm or yum based distributions (Fedora, CentOS, RHEL):

sudo yum install gnupg

Generate a GPG key pair

Run this command to generate your GPG key pair:

gpg --full-generate-key

At the prompt, specify the kind of key you want, or press ENTER to accept the default (RSA and RSA).

When prompted, enter your desired key size. We recommend the maximum of 4096.

Next, specify how long the key should be valid for, or press ENTER to have the key never expire, and verify that your selections are correct.

When prompted, enter your real name, email address, and an optional comment if desired. Confirm your entries are correct by typing O (for Okay) and pressing ENTER.

Lastly, type a secure passphrase to protect your GPG key when prompted.

Your GPG key pair is now generated. Note your key ID from the output:

gpg: key 1655A54E2B4AD8A9 marked as ultimately trusted

In the example above, the GPG key ID is 1655A54E2B4AD8A9.

Copy your GPG public key

Enter the command below to output your public key, replacing the example ID with your GPG key ID.

gpg --armor --export 1655A54E2B4AD8A9

Highlight and copy your GPG key, beginning with:

-----BEGIN PGP PUBLIC KEY BLOCK----- and ending with: -----END PGP PUBLIC KEY BLOCK-----

The copied key can now be pasted into the Public key field by an administrator when enabling GPG Encryption on a Files.com folder.

Troubleshooting

GPG Key is Expired

As a best practice, it is strongly encouraged to set expiration dates of less than two years on all of your GPG keys. Create reminders in your calendar of choice to update the expiration and replace the keys regularly.

When a GPG key for your account is about to expire, you will receive an automated email notification from Files.com titled Failures/Events that may need your attention.

When a key that is used for auto-encryption or auto-decryption has expired, uploads to the affected folders will be disabled until the key is replaced.

To resolve an expired GPG key issue in Files.com:

  • Use the appropriate gpg utility to update the expiration date for your key
  • Export the updated key
  • Disable the auto-encryption/decryption setting using the expired key
  • Enable Encryption or Decryption using your updated key

Get Instant Access to Files.com and Start Collaborating and Automating

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, fill out the short form on the next page, get your account activated instantly, and start setting up your Files and Workflows immediately.

Start My Free Trial

©2022 Files.com. All right reserved

FILES.COM

  • Start My Free Trial
  • Pricing
  • Docs
  • API and SDKs
  • Contact

CONTACT & SUPPORT

support@files.com

(800) 286-8372

Monday–Friday

9am–8pm Eastern