Subkey in PGP Encryption
We can use vendor provided PGP public key to do encryption and send the encrypted data/files to vendor. Once they receive it then they can use their Private Key to decrypt. Vendor can share their public key either in asc (Text) or gpg (Binary) extension. Most of the time Vendor’s public key hold both Certify, Sign and Encrypt key and then we have to use the appropriate Subkey. Let’s see how we can use Subkey in PGP Encryption.
When we use fingerprint of the public key then it will use default primary subkey.
We can check subkeys in provided public key, right click on the key and click details
Click on More Details…
We can see both Subkeys – Certify and Encrypt, where Certify is the primary key
To choose only Encrypt subkey we have to copy the ID of specific subkey – 83FDFC091D283082
Sometime Vendor use DSA algorithm for Certify, Sign and Elgamal for Encryption and if we use fingerprint then it will pick the DSA Subkey (which is primary) and this can lead to below error
Message : Can’t use DSA for encryption.
Error type : CRYPTO:ENCRYPTION
Element : mule-Flow/processors/1 @ mule:mule.xml:30 (Pgp encrypt)
Element XML : <crypto:pgp-encrypt doc:name=”Pgp encrypt” doc:id=”xxxxxxxx” config-ref=”Crypto_Pgp” keyId=”zzzzzz”></crypto:pgp-encrypt>
So in this case correct Subkey should be used instead of fingerprint.
We can see below such example – Public key which use DSA algorithm for Certify, Sign and Elgamal for Encryption
So let’s start with PGP Encryption – We need two things to encrypt in MuleSoft
- Public Key in gpg format
- Fingerprint – Subkey ID which we want to use
For this POC we will use Public key we created in our earlier Tutorial – Generate Private Public PGP key
Let’s create a project in MuleSoft
Add the Crypto connector in Mule Palette – Checkout this tutorial on how to add module in Anypoint studio – Add Module In Anypoint Studio
Drag and drop PGP encrypt and Logger into the flow
Add Public_4232E6BD7151FF89D9F755807AC70C45987C59AA.gpg – PGP public key in resources
Click on PGP encrypt connector and click on add configuration
Populate Public keyring with Public key name we place in resources
- Click Add symbol to add fingerprint detail
- Add Key id and Subkey as Fingerprint
Click Finish
Add the same Key Id in Key Selection Box
In logger we will capture the encrypted payload
Now run the application and test the endpoint in SOAP UI
We can see the encrypted details in response
We can cross check the encrypted message online – https://8gwifi.org/pgpencdec.jsp
PGP MuleSoft application – pgp-sample-service
PGP SOAP UI application – PGP-Sample-soapui-project