File Encryption and Signing Keys

For security, files exchanged with third parties may be encrypted, digitally signed, or both. This requires the sender and recipient to each maintain a public/private key pair and to share their public keys with one another. The product supports the generation and maintenance of public and private keys in a format suitable for encryption and signing under the PGP standards.

The following sections provide additional information about encryption keys.

Encryption Key Pairs

Internal encryption key pairs (the product's own keys) are used in the following cases:
  • Creating a digital signature for an extract file. The signature is generated with the private key of the key pair and verified by the recipient using the shared public key.

  • Decrypting an import file. The sender is expected to have encrypted the file data with a temporary (session) key and to have encrypted that session key with the shared public key. The product recovers the session key with its private key and then decrypts the file data.

The product provides an Encryption Key Pair business object that supports the following functions:

  • Generating a key pair (public and private). The private key is stored in an appropriate "secret store" and is never displayed; the public key is available to copy and share with a third party. Both keys are in formats suitable for PGP encryption.

  • Viewing the public key, allowing a user to copy it to register it with third parties.

  • Activating the new key pair (to be done after sharing the new public key).

  • Inactivating an expired key.

  • Key rotation. For increased security, a new key pair should be generated periodically, shared with third parties, and only then activated.

  • Deactivating all keys for the key ring.

Public Encryption Keys

External public encryption keys (keys provided by third parties) are used in the following cases:
  • Verifying the signature of an imported file. The signature is verified using the public key provided by the sender.

  • Encrypting an extract file. The batch file adapters generate a temporary (session) key which is used to encrypt the file data. The session key is encrypted using the public key provided by the recipient, so only the holder of the matching private key can recover it.

The product provides a Public Encryption Key business object that supports the following functions:

  • Defining the external system and reference ID related to the key ring.

  • Adding a public key to the key ring. The product expects the public key to be in a format suitable for PGP encryption.

  • Viewing the public key.

  • Inactivating an expired key.

  • Key rotation. When new public keys are provided by the external system, the previously active key is set to expiring status. It may be manually inactivated once all files encrypted or signed with that key have been processed.

  • Deactivating all keys for the key ring.
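The two flows above (signing and decrypting with the internal key pair, verifying and encrypting with an external public key) are one hybrid scheme seen from each side. The following is an added example, written for this page and not code from the product, that implements that scheme with Go's standard library: a random session key encrypts the file data, the session key is wrapped with the recipient's public key, and the sender's private key signs the data. It uses RSA-OAEP, RSA-PSS and AES-256-GCM in place of the OpenPGP packet format, so it shows the mechanics rather than producing files the product's PGP adapters would read. The `Envelope` type, the function names and the sample extract lines are all assumptions made for the example. The rotation and tampering checks at the end illustrate why an old key pair must stay active until every file sealed to it has been processed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the on-the-wire form of an encrypted, signed file (hypothetical
// layout for this example): the session key wrapped to the recipient's public
// key, plus the AES-GCM nonce and ciphertext of (file data || sender signature).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateKeyPair plays the role of the "Encryption Key Pair" object: the
// private key stays with its owner, the public key is the part that is shared.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal signs fileData with the sender's private key, encrypts data+signature
// under a fresh one-time AES-256 session key, and wraps that session key with
// the recipient's public key (RSA-OAEP), as the extract flow describes.
func Seal(fileData []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(fileData)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // temporary key, used for this file only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	inner := append(append([]byte{}, fileData...), sig...)
	ct := gcm.Seal(nil, nonce, inner, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the import flow: unwrap the session key with the recipient's private
// key, decrypt, then verify the embedded signature with the sender's public key.
// A wrong key, a wrong sender key or any tampering yields an error and no data.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	sigLen := senderPub.Size() // RSA-PSS signatures are exactly one modulus wide
	if len(inner) < sigLen {
		return nil, errors.New("payload too short to carry a signature")
	}
	fileData, sig := inner[:len(inner)-sigLen], inner[len(inner)-sigLen:]
	digest := sha256.Sum256(fileData)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return fileData, nil
}

func main() {
	sender, _ := GenerateKeyPair()
	recipient, _ := GenerateKeyPair()
	extract := []byte("ACCT,1001,42.50\nACCT,1002,17.00\n") // constructed sample extract
	env, err := Seal(extract, sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, recipient, &sender.PublicKey)
	fmt.Printf("round trip ok: %v, err=%v\n", bytes.Equal(got, extract), err)

	// Key rotation: a file sealed to the old public key cannot be opened with
	// the new private key, so the old pair must stay active until processed.
	rotated, _ := GenerateKeyPair()
	_, err = Open(env, rotated, &sender.PublicKey)
	fmt.Println("after rotation:", err)

	// Tampering with the ciphertext is caught before any data is returned.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(env, recipient, &sender.PublicKey)
	fmt.Println("tampered:", err)
}
```

Two details carry over to the real PGP setup: the session key is generated fresh per file and never reused, and the recipient must verify the signature with the public key registered for that specific sender rather than with whatever key is active in its own key ring.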