Generate PGP Keys to Use in Oracle Integration

You can generate PGP keys to use in Oracle Integration. The FTP Adapter currently supports PGP keys with RSA algorithms. ECSDA and ED25519 algorithm keys are supported for signing and verification.

Generate the PGP Keys with RSA Algorithms

Perform the following steps to generate the PGP keys with RSA algorithms:

  1. Install GnuPG.
    • On Linux: 
      sudo apt-get install gnupg
    • On the Mac: 
      brew install gnupg
  2. Generate the PGP keys.
    gpg –-full-generate-key
    1. Select the RSA and RSA option (creates a key to use for both encryption and signing).

      Note:

      The default option is ECC (Elliptic-curve cryptography). ECC PGP keys are supported for signing/verification.
    2. Select the key size.
    3. Specify the expiration for the key.
    4. Enter details for key identification, when prompted.
  3. List the keys (with the fingerprint) you can use.
    gpg --list-keys
gpg --list-secret-keys
  4. Export the keys to a file.
    gpg --export -a keyid > publickeyname.key
gpg --export-secret-key -a keyid > privatekeyname.key
  5. Get details about the key (that is, what the key consists of).
    cat path_to_pgp_private.key | gpg --list-packets
  6. Understand the following about the output. 
    • :secret key packet: version 4, algo 1, created 1687877507, expires 0
      Where algo represents the public key algorithm:
      • 1 for RSA (Encrypt or Sign)
      • 2 for RSA Encrypt-Only
      • 3 for RSA Sign-Only
      • 19 reserved for ECDSA, and so on

        Note:

        19 is not supported. 
    • iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: C774580FF5CBDF79
      Where algo: represents the Symmetric-Key Algorithm:
      • 7 for AES with 128-bit key
      • 8 for AES with 192-bit key
      • 9 for AES with 256-bit key, and so on. 
    • digest algo 8, begin of digest d9 35

      Where digest algo represents Hash algorithm:

      • 8 for SHA256
      • 9 for SHA384
      • 10 for SHA512
      • 11 for SHA224

Approved/Unapproved Algorithms in FIPS mode:

The following command lists all supported algorithms by GnuPG. 
gpg --version
You can configure GPG keys from the command line. For example: 
gpg --gen-key --s2k-cipher-algo AES256 --cipher-algo AES256
The following algorithms are not approved for use in FIPS mode (FIPS 140-2):
  • Cipher algorithms (For data encryption and decryption): CAST5, CAMELLIA128, CAMELLIA192, CAMELLIA256, BLOWFISH, and TWOFISH
  • Message digest/hash algorithms: MD5 and RIPEMD
  • Digital signature and verification: RSA with keys smaller than 2048 bits
The following algorithms are approved for use in FIPS mode:
  • Cipher algorithms (For data encryption and decryption): AES128, AES192, AES256, and 3DES
  • Message digest/hash algorithms: SHA1, SHA256, SHA384, SHA512, and SHA224
  • Digital signature and verification: RSA with keys greater than 2048 bits