Setting Up PGP Transfers

TIBCO MFT Internet Server can use PGP to encrypt and decrypt files being transferred. PGP encryption and decryption can be defined in either the transfer definition or the server definition, depending on whether the transfer is an upload or a download, where the file is encrypted, and whether you want to encrypt or decrypt the file.

Use the transfer definition in the following situations:

  • A transfer client is uploading a PGP encrypted file and you want to decrypt this file.

    For example, a transfer client uploads a PGP encrypted file. The file should be decrypted and saved in clear text on the MFT server. The PGP Information parameter in the transfer definition needs to be configured to decrypt the file and verify the signature (if required).

  • A transfer client is downloading a file and you want to PGP encrypt the file downloaded by the client.

    For example, a transfer client downloads a file that must be PGP encrypted. The clear text data needs to be encrypted before the data is downloaded. The PGP Information parameter in the transfer definition needs to be configured to encrypt and sign the file.

Use the server definition in the following situations:

  • A transfer client is uploading a clear text file and you want to encrypt this file on the target server.

    For example, you need to PGP encrypt a file before sending the file to a customer's SFTP server. The PGP Information parameter in the server definition needs to be configured to encrypt and sign the file.

  • A transfer client is downloading a file that is PGP encrypted on the target server and you want to decrypt the file.

    For example, you need to receive and decrypt a PGP encrypted file from a customer's FTP server. The PGP Information parameter in the server definition needs to be configured to decrypt the file and verify the signature (if required).

You can set up transfer definitions to decrypt PGP encrypted files uploaded to MFT or to encrypt clear text files downloaded from MFT.

Administration Steps to Follow When Uploading a PGP Encrypted File to a Target TIBCO MFT Platform Server

For this example, you upload a PGP encrypted file from a Windows system to a Linux system through TIBCO MFT Internet Server, which decrypts the data and saves a clear text file on the Linux system.

  1. The administrator adds a PGP secret key (which includes the public key) to the PGP system keys and enables it. The public key must be sent to the client. The file should be encrypted with the MFT PGP public key so that MFT can decrypt it using the MFT PGP System Key.
  2. The administrator navigates to Transfers > Add Transfer and configures the upload definition to the Linux server. In the PGP Information section, configure the Decrypt parameter to decrypt the PGP file.
  3. You can also verify the incoming file's signature. To do this, you need the public key associated with the System Key that the client used to sign the file. Then go to Administrator > PGP Public Keys > Add PGP Public Key and associate the key with the Client user.

The transfer user's machine holds a file that is encrypted with the MFT public key; the transfer user needed access to this public key to PGP encrypt the file. The transfer user logs in to the transfer client and uploads the file.

The file is decrypted when it reaches TIBCO MFT Internet Server, using the MFT PGP secret key that the administrator configured earlier, and the clear text data is then sent to the Linux system.
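
The upload described above can be decrypted only if the file was encrypted with the MFT PGP public key. The following Python code is an added example, not part of the TIBCO documentation or product: it reads the leading OpenPGP packets of a file (RFC 4880 framing, version 3 session key packets, binary or ASCII-armored) and lists the recipient key IDs, so that a client can check a file before uploading it. The function names and the sample bytes are constructed for illustration.

```python
import base64

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return data
    lines = data.strip().splitlines()
    blank = next((i for i, l in enumerate(lines) if not l.strip()), 0)
    body = [l for l in lines[blank + 1:] if not l.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(body))

def read_body(buf: bytes, pos: int):
    """Parse one packet header (RFC 4880, section 4.2); return (body, next_pos)."""
    first = buf[pos]
    if first & 0x40:                                   # new-format header
        o = buf[pos + 1]
        if o < 192:
            length, hdr = o, 2
        elif o < 224:
            length, hdr = ((o - 192) << 8) + buf[pos + 2] + 192, 3
        elif o == 255:
            length, hdr = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial length is not valid for a session key packet")
    else:                                              # old-format header
        n = 1 << (first & 3)                           # 1, 2 or 4 length octets
        if n == 8:
            raise ValueError("indeterminate length is not valid here")
        length, hdr = int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n
    return buf[pos + hdr:pos + hdr + length], pos + hdr + length

def recipient_key_ids(data: bytes) -> list:
    """Key IDs named by the leading v3 Public-Key Encrypted Session Key packets."""
    buf, pos, ids = dearmor(data), 0, []
    while pos < len(buf):
        first = buf[pos]
        if not first & 0x80:
            raise ValueError("not OpenPGP data")
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        if tag not in (1, 3):                          # reached the encrypted data packet
            break
        body, pos = read_body(buf, pos)
        if tag == 1 and body[:1] == b"\x03":           # tag 1, version 3: key ID follows
            ids.append(body[1:9].hex().upper())
    return ids

# Constructed sample: one session key packet for a made-up key ID, then a stub data packet.
_pkesk = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01" + b"\x00" * 6
SAMPLE = b"\x85" + len(_pkesk).to_bytes(2, "big") + _pkesk + b"\xd2\x02\x01\x00"
```

The key ID in the packet is normally that of the encryption subkey rather than the primary key, and a sender that hides recipients writes an all-zero ID, so compare the result against the encryption subkey ID of the MFT public key.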

Administration Steps to Set Up a Single PGP Encrypted File Download

  1. Click Administration > PGP Keys > PGP Public Keys > Add PGP Key, and add a PGP public key for the user that will be performing this transfer request.
  2. Set up a file transfer definition to download a file.

    When setting the Client File Name parameter in the file transfer definition, it is suggested that you use a file extension that the PGP software recognizes, to avoid errors. For example, GPG expects an encrypted file to have the extension .gpg before it can decrypt it correctly. Alternatively, the user can change the name of the file that is downloaded through the transfer client.

    In the PGP Information section of the file transfer definition, clear the Encrypt check box and leave all other settings to defaults.

    The user then logs in to the transfer client and downloads the file. The file remains in the download directory in an encrypted state until the user decrypts it with a PGP secret key.