With the constant headlines of data breaches highlighting how literally millions of files have been compromised, organizations have been starting to pay more attention to cybersecurity. While protocols like SFTP use end-to-end encryption, some organizations want to add additional security wherever possible.

Because of this, there is a growing demand to be able to add additional encryption to files as an extra layer of security. There are several different types of encryption, with PGP encryption being one that's popular due to its simplicity and robustness. 

Here, we'll cover the basics of file encryption, how PGP encryption works, and how to use PGP encryption and decryption as part of a secure file transfer process. 

How does file encryption work?

File encryption is a complex and challenging topic, so we'll keep it to the very high-level basics and simplify it for explanation purposes. 

So what exactly does it mean for a file to be "encrypted"?

File encryption involves encryption keys that keep information protected. And like with physical keys, only the right key can "unlock" an encrypted file. Keys can either be symmetric--meaning that the same key is used for both encryption and decryption--or asymmetric--where one unique key encrypts and another decrypts. The model used depends on the specific encryption standard. 

The specific way keys are generated involves complex mathematical functions, but what's important is that through these functions, a specific number is generated, which is used as a "lock" for a file. The key--that one, specific number--"unlocks" the file, and only the correct key can unlock it. And because that generated number is unfathomably large, the chances of anyone guessing it correctly are essentially 0.

One of the most common and powerful file encryption methods is AES256 encryption. AES stands for Advanced Encryption Standard and 256 is the key length in bits. Why this matters in the most basic terms is that it would take approximately 2^256 trial-and-error decryption attempts to be successful, which is such a massive number (115 quattuorvigintillion) that it's similar to the estimated number of atoms in the observable universe.

Since breaking high-level encryption is all but impossible with current technology, most attackers have shifted to social engineering instead; it's much easier to convince someone with the key to hand it over willingly than it is to guess which atom in the universe has the code. This means that file encryption isn't the weak point, and when encrypting files with something like PGP encryption, it's more important to prepare employees for emotional attacks than it is to worry about encryption being broken.

What is PGP encryption? 

PGP stands for Pretty Good Privacy, which is a bit of a misnomer considering it provides encryption that has not been close to being brute-forced. It was created in 1991 as a way to encrypt both emails and files. PGP is primarily used for sending files to another person or organization where you want them to be able to decrypt the files. 

With PGP encryption, asymmetric encryption is used to encrypt a symmetric key, which is used to encrypt the data. What this means is that there are two keys for the encryption process, a public key and a private key. The public key is used to encrypt the files, but only the private key can decrypt the files. Like the names suggest, the public key can be shared with multiple parties so they can encrypt files, while the private key is kept secret and used to decrypt received files. 

How this works practically is that it helps guarantee that only the right person or organization receives the files before they can be read. If someone without the key somehow manages to get access to the file, they won't be able to do anything with it, as the file will be "locked". 

Overview of the PGP encryption process

  1. Generate the PGP public and private key.
  2. Send the public key to anyone you want to receive encrypted files from.
  3. Any external party uses your public key to encrypt files. They send those encrypted files to you. 
  4. You receive the encrypted files and use your private key to decrypt them.
  5. The files are now decrypted and can be acted on normally. 

PGP encryption in action

Suppose that Organization A needs to receive files from Company B, C, and D and wants to make sure no one else can get access to those files, even if they get hold of them. Organization A would generate a PGP key pair and keep the private key, then give the same public key to Company B, C, and D. Those companies would each use the public key to encrypt files they send to Organization A. Then, when Organization A receives them, the private key would decrypt them and they would be readable.

Even though only Organization A has the decryption key, the encryption protects all parties involved. Organization A can be certain that only they can read the file, while Companies B, C, and D can each be certain the files they send will only be usable to Organization A. 

If the companies also want to receive encrypted files from Organization A, they would then generate their own key pair for receiving files and share the public key with Organization A. 

Generating PGP key pairs

PGP was developed to be a free method to encrypt files, so there are multiple ways to generate key pairs.

Using an online tool

Websites like PGP Key Generator are free tools that can create key pairs with a choice of algorithm and key size, and also allow for expiry and password protection. When using PGP Key Generator, once you click to Generate Keys, the public and private keys will be displayed immediately and can be downloaded. This is all done client-side only so the website never sees the information. You are still relying on the code the site serves to your browser, so for keys that protect sensitive data, generating them locally is the more conservative option.

Using the command line

If you are uncomfortable with having keys generated from a website, you can also generate them directly from the command line. To do this, you'll first need to download software that can generate PGP keys like GnuPG (GPG). Once installed, you can use gpg commands to generate and manage PGP keys. 

You can generate a basic key from the command line like this:

gpg --generate-key

For more configuration options, such as key size, use:

gpg --full-generate-key

 

From there, you can use the export command to export an ASCII armored version of the keys to a file.

Exporting the public key

gpg -a --export [key id] > filename.asc

The -a is for ASCII armor, which encodes the key in a base64 encoded form. In this example, the key would be stored in a file called filename.asc.

Exporting the private key

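gpg -a --export-secret-keys [key id]

This will output the ASCII-armored private key block directly to the CLI. Treat this output as a secret: the private key is what decrypts your files, so avoid pasting it into chats, tickets, or shared terminals.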

There are also many applications that can add a GUI to this process if you prefer not to generate them directly in the CLI. 

Encrypting and decrypting files with PGP

Once you have the keys, how do you encrypt and decrypt files with PGP? Like with generating keys, this can be done in the command line, but more commonly, you would use some sort of application to choose which files to encrypt. Many applications have this functionality available, so choose whichever works best for your use case. 

Whoever you want to receive PGP-encrypted files from will also need a method to encrypt the files, along with the public key you send them.
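The five-step overview and the Organization A / Company B scenario above can be run end to end with GnuPG in two throwaway keyrings. This is an added example, not from the original article; it assumes GnuPG 2.1 or later, and the user ID, file names and file contents are constructed.

```sh
#!/bin/sh
# Added example: Organization A receives a file from Company B, each side with
# its own keyring. Address, file names and file contents are constructed.
pgp_roundtrip() (
  set -eu
  command -v gpg >/dev/null || { echo "gpg (GnuPG 2.1+) not found" >&2; exit 127; }
  work=$(mktemp -d)
  trap 'for h in orgA companyB; do
          gpgconf --homedir "$work/$h" --kill gpg-agent 2>/dev/null || true
        done; rm -rf "$work"' EXIT
  mkdir -m 700 "$work/orgA" "$work/companyB"
  orga()     { gpg --homedir "$work/orgA"     --batch --quiet "$@"; }
  companyb() { gpg --homedir "$work/companyB" --batch --quiet "$@"; }
  addr='transfers@orga.example'

  # 1. Organization A generates its key pair (1-year expiry). The empty
  #    passphrase is only so the demo runs unattended; protect a real key.
  orga --pinentry-mode loopback --passphrase '' \
       --quick-generate-key "Org A Transfers <$addr>" default default 1y

  # 2. A exports the public key; this file is all that Company B receives.
  orga --armor --export "$addr" > "$work/orgA-public.asc"

  # 3. B imports the key and encrypts. --trust-model always skips the validity
  #    check for the demo; normally B confirms the fingerprint with A first.
  printf 'account,amount\n1042,250.00\n' > "$work/report.csv"
  companyb --import "$work/orgA-public.asc"
  companyb --trust-model always --recipient "$addr" \
           --output "$work/report.csv.gpg" --encrypt "$work/report.csv"

  # The public key cannot decrypt: B cannot read back its own ciphertext.
  if companyb --decrypt "$work/report.csv.gpg" >/dev/null 2>&1; then
    echo "unexpected: decrypted without the private key" >&2; exit 1
  fi

  # The message is a public-key-encrypted session key packet followed by the
  # symmetrically encrypted data (packet headers are shown on stderr).
  orga --list-packets "$work/report.csv.gpg" |
    grep -E '^:(pubkey enc|encrypted data|aead encrypted) packet' >&2

  # 4-5. A decrypts with the private key and recovers the original bytes.
  orga --output "$work/report.out" --decrypt "$work/report.csv.gpg"
  cmp -s "$work/report.csv" "$work/report.out" && echo ok
)
pgp_roundtrip
```
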

 

Using PGP encryption and decryption for file transfers

When using PGP encryption and decryption for secure file transfers, the easiest method is to have your file transfer solution have this functionality included. Many Managed File Transfer platforms can encrypt or decrypt files as part of automated workflows so that you don't have to manually do the process each time.

Usually, as part of the workflow you would add in your PGP Public and Private Key when receiving files. When sending encrypted files, you would include the other organization's Public Key. Ideally, you would simply add the keys where required and let the software handle the rest. 

Encrypting files via PGP is one method to increase security when transferring via the FTP protocol since it is unencrypted by default. Encrypting the files before sending them means that if anyone were to intercept the file it would be in a useless state. But you can also add PGP encryption to secure protocols like SFTP for another layer of security.

Using automated PGP encryption and decryption with Couchdrop

PGP encryption is available in both Automations and File Actions in Couchdrop. You'll need to generate your PGP keys as Couchdrop doesn't generate the keys, but in the automation builder, you can add the keys you want to use directly in the builder as part of your workflow. 

Keep in mind that running an automation with only the PGP Encrypt File action will result in two copies of the file, one encrypted and the original, unencrypted one. If you don't need the unencrypted file at all, you can add a second step to the automation to delete the original file. 

PGP encryption and decryption can be added at any point of a workflow to accommodate a wide range of use cases. This is especially powerful when combined with Couchdrop's ability to transfer files directly to cloud storage platforms. 

To test Couchdrop's PGP encryption and decryption capabilities for yourself, you can try Couchdrop free for 14 days with no credit card or pre-trial demos required. Simply register for an account, connect your platforms, and find PGP options in File Actions and Automations as part of a workflow.