Sunday 12 October 2014

Basics : PGP Encryption

The use of encryption dates back to the days of Julius Caesar :) When he used to send messages to his generals, he did not trust the messengers. So, he replaced every A in his message with D, every B with E and so on (which is basically shift-by-3 encoding). Here 'shift by 3' is the key to understanding his message.

You must be wondering: why are you telling all these history lessons to a Workday consultant like me?

Sorry if I bored you with that stuff. What I really wanted to do is to emphasize the importance of encryption while sending messages out of our network. In ERPs like Workday where we deal with very sensitive HR information, organizations take this aspect very seriously. 

Workday provides us a PGP encryption facility for all the file exchanges we do with other systems. PGP basically stands for Pretty Good Privacy (shocked? Even I was :)) The general recommendation is to use PGP encryption for all the file exchanges outside of the organization network. But as long as you are using SFTP which is already secure, PGP becomes optional.

Integration consultants are often confused about whether they need to create a PGP key or ask the vendor to create one for them. The simple rule of thumb is:

* For all outbound integrations to downstream systems, the target system needs to create a key pair and give you the public key (usually a text file). You create the public PGP key and use it to encrypt the outbound files. Give it a vendor-specific name and validity dates for the certificate, copy the public key into the Certificate section and hit OK.

Workday Task : Create PGP Key


* In the case of inbound files coming into Workday, you need to create a PGP key pair and share the public key with your vendor. In this case you just need to give a name and date. Once you hit OK, you should be able to see the public key, which you can send to the vendor as a text file.

Workday Task: Create PGP Private Key Pair

*** Workday doesn't allow you to view the private key, so you cannot decrypt any vendor files outside Workday.
*** I hate to say this, but you cannot migrate the PGP Private Key Pairs. Every time you move your integration to a new tenant, you create a new pair and hand over the new key to your vendor. As far as production is concerned, this should not cause a problem as that will be a copy-over of the GOLD tenant.
If you ask me how I dealt with this, we started using PGP-encrypted files starting with SIT, so we had to create a fresh key only twice. Try to explain this to your business and vendor, as this might take time on the vendor side depending on their approval chain.
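
The key direction described above for an outbound file, shown as an added example (not from the original post and not Workday's own tooling): two separate GnuPG keyrings stand in for the receiving vendor and the sending side. It assumes GnuPG 2.2 or later on the command line; the user ID, file names and CSV content are constructed.

```shell
#!/usr/bin/env bash
# Added example: who creates the key pair and who can decrypt.
# User ID, paths and file content are constructed sample values.
key_direction_demo() {
  local work vendor sender result d
  work=$(mktemp -d) || return 1
  vendor="$work/vendor"; sender="$work/sender"
  mkdir -m 700 "$vendor" "$sender"

  # 1. The receiver (vendor) creates the key pair; the private key stays in its keyring.
  gpg --homedir "$vendor" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Vendor Payroll <payroll@vendor.example>' default default 1y 2>/dev/null || return 1

  # 2. The receiver exports only the public key, as an ASCII-armored text file.
  gpg --homedir "$vendor" --batch --armor --export payroll@vendor.example > "$work/vendor_pub.asc"

  # 3. The sender imports that public key and encrypts the outbound file with it.
  gpg --homedir "$sender" --batch --quiet --import "$work/vendor_pub.asc" 2>/dev/null
  printf 'emp_id,salary\n1001,50000\n' > "$work/outbound.csv"
  gpg --homedir "$sender" --batch --quiet --trust-model always \
      --recipient payroll@vendor.example --output "$work/outbound.csv.pgp" --encrypt "$work/outbound.csv"

  # 4. The sender holds no private key, so it cannot decrypt its own output.
  if gpg --homedir "$sender" --batch --quiet --decrypt "$work/outbound.csv.pgp" >/dev/null 2>&1; then
    result="sender_decrypt=ok"
  else
    result="sender_decrypt=denied"
  fi

  # 5. Only the receiver's keyring recovers the original bytes.
  if gpg --homedir "$vendor" --batch --quiet --decrypt "$work/outbound.csv.pgp" 2>/dev/null \
       | cmp -s - "$work/outbound.csv"; then
    result="$result vendor_decrypt=ok"
  else
    result="$result vendor_decrypt=failed"
  fi

  # Stop the per-keyring agents and remove the temporary keyrings.
  for d in "$vendor" "$sender"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
  echo "$result"
}
```

Calling `key_direction_demo` prints one line with the outcome of both decryption attempts. For an inbound file the roles swap: the receiving side generates the pair and the vendor encrypts with the exported public key.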

Thanks for reading the post. As always, please leave your valuable comments/feedback below. Have a great one.
  

2 comments:

  1. Hi Vinod,
    thank you for this post. I just realized there is a PGP option to transfer data to Workday to add additional security when using SFTP as transfer method.

    I'm trying to find this information online but couldn't find one.

    What are the options for Inbound EIB? Is SFTP the only supported method to transfer data to Workday?

    Is data access using SFTP only for bulk data transfer and the rest should be doable from Workday interface? Thank you.

  2. Does anyone know how to decrypt a Public PGP of Workday Encryption?
