SAP Knowledge Base Article - Public

2296971 - Generating and Importing PGP Keys

Symptom

  • What is PGP and how does it work in SuccessFactors?
  • Customer wants to encrypt their Data
  • How to generate PGP key for Scheduled Import jobs?
  • How to import PGP key for Scheduled Export jobs?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HCM

Resolution

What is PGP?

PGP is a key-based encryption / authentication process. It allows users to publicly share keys that are used to sign and / or encrypt messages and data.

How does PGP work?

A user or company needs to install PGP software. It is also possible to use the compatible GPG (Open Source) software. After installing it, the user can create their own key pairs and install keys provided by business partners. Every key comes in two parts:

  • The Public key that can be shared with partners or even posted publicly somewhere for anyone to access.
  • The Private key that should be kept secure on the system where it was created.

What is the purpose of each key?

  • The Public key is used to Encrypt data you send. The Public key to encrypt data is relevant for Export jobs in SuccessFactors.
  • The Private key is used to Decrypt data you receive. The Private key to decrypt data is relevant for Import jobs in SuccessFactors.

This means that any of your business partners can use the Public key to encrypt data they send to you. They can safely send the file over a public network and only you will be able to decrypt it.

Working with PGP Keys at SuccessFactors 

In SuccessFactors you can generate PGP keys that will be used to decrypt files in file import jobs and export the generated keys.

You can also import your own PGP keys that will be used to encrypt files in file export jobs.

How to generate PGP key for Scheduled Import jobs?

From the 1H 2021 release, the Generate Encryption Key, Generated Key and Export Encryption Key options were disabled in Provisioning. These options are now available as self-service in your SuccessFactors instance.

As a company administrator, you can generate the PGP key used in Scheduled Import jobs by following these steps:

  1. Go to Admin Center
  2. Go to Security Center
  3. Click on "Other Keys"
  4. Click on "Add" and choose the category "Decryption Key (PGP)"
  5. Check the "Scheduled Job Key" checkbox
  6. Click on "Generate and Save"

After generating and saving it, you can select this key that was created and click on “Download Public Key” to export the public key to share with your business partners.

Role-Based Permission Prerequisites

The following administrator permission is needed: Manage Security Center > Access to Other Keys. Ensure that you have either the View or the Create, Edit & Delete permission.

Configuration Requirements

On your SuccessFactors instance, go to Admin Center > Security Center > Other Keys. If you can see the “Scheduled Job Key” checkbox when creating or editing a decryption key (PGP), then the feature is enabled in your instance.

Notes:

  • Keys that were previously generated in Provisioning were migrated to Admin Center > Security Center > Other Keys.
  • The existing Public key that was downloaded from Provisioning in the past will continue to work with the Scheduled Import jobs. This means that no additional action is needed.
  • From Admin Center > Security Center > Other Keys, you can export and / or remove both newly generated keys and keys previously generated through Provisioning.
  • In Security Center, you can only generate PGP keys of the RSA type. The DSA type was removed from options due to security enhancements. However, the DSA keys previously generated through Provisioning are still valid for use.
  • You can only have one active PGP Decryption Key used in scheduled jobs. If you already have a PGP Decryption Key used in scheduled jobs, creating a new key overrides the existing one.
  • The PGP key downloaded from Security Center is in the format of ASCII Armor (a stream of printable ASCII characters), instead of the format used in the PGP key exported from Provisioning (a raw 8-bit binary octet stream). You can convert the key format if necessary.
  • Use Delete Key with caution. There is normally never any reason to do this. Once the key is removed, it cannot be recovered. Consequently, any inbound integrations that rely on the deleted decrypt key will be unable to decrypt customer data encrypted using the corresponding encrypt key. Therefore, carefully evaluate the necessity of deleting the key before proceeding.
  • Only the Public key of a Decryption Key can be exported. Support has no access to the Private Key or the Passphrase. This is to safeguard your data. As a result, this feature is NOT suitable for generating keys to use with LMS. 
  • A Private / Public Key pair for LMS can be generated manually by the customer or via a paid engagement (Professional services or customer consultant).

How to import PGP key for Scheduled Export jobs? 

PGP keys for Scheduled Export Jobs are still configured in Provisioning by following these steps: 

  1. Go to Provisioning
  2. Go to Managing PGP Keys
  3. On the "Import Encryption Key" section, click on Choose File and then click on Import Key

As a customer, you don't have access to Provisioning. To import a PGP key in Provisioning, please contact your implementation partner or, in case you don't have an implementation partner, please submit a Support Ticket under the component LOD-SF-PLT-PGP sharing the following:

  • Company ID
  • PGP key file to be imported

Notes: 

  • Multiple keys can be imported in Provisioning. All the public keys that are imported in Provisioning will be used to encrypt the data. Any private key of these public keys can be used to decrypt the data. 
  • Implementation Partner / Product Support can share the User Name, Creation Date and Fingerprint information with a customer questioning if the correct key is imported in Provisioning.
  • It is not possible to export these keys. It is possible to import customer-provided keys in multiple instances only if we still have the customer's original key file.
  • It is ok to remove unused keys. Please be sure they are truly not needed and you have the customer's explicit approval. There is no way to recover them. To remove, select the checkbox and click on Remove Key.
  • We no longer provide or import the old SF PGP key. While it is still in use for many of our existing customers, there is never a reason to use it for a new one.
  • For LMS, this is where the public key generated will be imported so that the BizX Scheduled jobs encrypt the file with the right key (LMS connector will then decrypt the file using the private key setup on LMS). For more information on LMS encryption setup please check the references section of this KBA.
  • Both .asc and .pgp file extensions are accepted.

Known Issues

  1. If Provisioning does not accept the .asc extension, please convert the file to .pgp extension.
  2. Ensure the file does not contain any spaces, as this will cause a failure with the following error: "Failed to upload the PGP key filename".
  3. One customer reported an issue with old PGP keys still being used instead of the newly imported PGP keys. This seems to be an isolated case for now (Product Support, please refer to internal memo).
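
The notes above mention that Security Center exports keys as ASCII Armor while Provisioning exported a raw binary octet stream, and that the format can be converted. The following added example (not SAP code) shows that conversion in both directions, including the CRC-24 check that detects a damaged armored file; the sample bytes are constructed, and treating a `.pgp` file as the binary form is an assumption.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # constants from RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """Checksum that ASCII Armor appends as the final '=XXXX' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(binary: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Raw binary octet stream -> ASCII Armor text."""
    b64 = base64.b64encode(binary).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return f"-----BEGIN {kind}-----\n\n{body}\n={check}\n-----END {kind}-----\n"

def dearmor(text: str) -> bytes:
    """ASCII Armor text -> raw binary octet stream; rejects a bad checksum."""
    m = re.search(r"-----BEGIN (PGP [A-Z ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no ASCII Armor block found")
    lines = [ln.strip() for ln in m.group(2).splitlines()]
    if "" in lines:  # armor headers such as "Comment:" end at the first blank line
        lines = lines[lines.index("") + 1:]
    body = [ln for ln in lines if ln]
    checksum = None
    if body and body[-1].startswith("="):
        checksum = base64.b64decode(body.pop()[1:], validate=True)
    binary = base64.b64decode("".join(body), validate=True)
    if checksum is not None and int.from_bytes(checksum, "big") != crc24(binary):
        raise ValueError("CRC-24 mismatch: armored data is corrupted")
    return binary

# Constructed sample bytes standing in for an exported key; not a real OpenPGP key.
SAMPLE = bytes(range(100))

if __name__ == "__main__":
    armored = armor(SAMPLE)
    print(armored)
    print("round trip ok:", dearmor(armored) == SAMPLE)
```

On a real key file, GnuPG's `gpg --dearmor` performs the armor-to-binary direction.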

FAQ:

Question: Is there a possibility to have a backup of the “Decryption Key” in Security Center -> Other Keys?

Answer: As of now, there is no plan to provide an option to back up the private key, due to security concerns.

See Also

2361997 - How to use PGP encryption in LMS connectors

2574590 - How to schedule encrypted reports - Report Center

Managing Scheduled Jobs

PGP Keys Used in Scheduled Jobs

Keywords

PGP, Encryption, Securing Data, Scheduled Jobs, Decrypt, Data, Public Key, Private Key, KBA, LOD-SF-PLT-PGP, PGP Encryption, LOD-SF-INT-INC, Integration Center, How To

Product

SAP SuccessFactors HCM suite all versions