5 Key Considerations When Using PGP Encryption in File Transfer

November 24, 2013 Security and Compliance, MOVEit

When you’re moving files containing sensitive information, you want to make sure it’s encrypted and not available to prying eyes, whether the data is at rest or in motion. A proven way to protect files before, during, and after transfer is via PGP file encryption. In this post, I’ll go through key considerations for PGP, as well as the importance of integrity checking.

First a brief definition of PGP: this program for encryption and decryption uses a public key model. In this model, one party shares the key with other parties to encrypt the data, and then uses the private key to decrypt the data.

Now on to five areas to consider for PGP:

1) Don’t let PGP bog down processes. Perhaps your company wants to maintain its current processes involving PGP or needs to continue supporting PGP because your business partners use it. No matter how PGP is being used as part of the file-transfer process, it’s important to ensure that the process doesn’t get slowed down because of the signing, encryption, decryption and key exchange steps.

2) Make it easy to use PGP. Many PGP libraries – and the associated encrypting/decrypting process – are command-line driven. As a result, it can be tedious to use them. But some products allow you to manage PGP from a GUI, which is a desirable option for most organizations and users who need to manage the process.

3) Ensure interoperability. In addition, you want to ensure you can easily and securely share files with any company. To do that, you not only need to support their encryption method of choice, but all possible encryption libraries. The OpenPGP file encryption standard enables interoperability between most libraries, and is the preferred choice these days for PGP, so look for a solution that supports this.

4) PGP is optional. Organizations that adopt managed file transfer often recognize the ability to eliminate PGP encryption from the equation because they understand their files are being secured at the transport layer. That said, make sure your solution is using the strongest possible SSL or TLS ciphers during data transport.

5) Rule out file tampering. Part of ensuring files are securely transferred is to be able to validate that transferred files have not been compromised in any way either before, during or after transfer. Integrity checking uses hashing to verify that the file sent from the source is the same file received. In other words, it allows you confirm that the file’s contents have not changed between the time it was sent and received – or during its subsequent storage.

You can perform integrity checking when using PGP if the sender signs the data. Look for a solution that lets you log all authentication integrity-checking details so you have an audit trail.

Managed File Transfer & PGP
Advanced file transfer solutions take measures to address these concerns. Specifically, Managed File Transfer (MFT) systems can aid with PGP encryption and decryption by offering easy-to-use key management that allows administrators to import, export and create keys from a simple user interface. From there, these solutions should allow administrators to easily create automated processes with just a couple clicks to encrypt or decrypt files on a scheduled or event-driven basis. And they should make it possible to do all this while being fully audited and logged in one system.

Want to learn more about encryption, person-to-person file transfer, compliance, logging, and central management? Download this free eBook .

Steve Staden

Read next Managed File Transfer - What is it?