Datica Blog

Using GNU Privacy Guard and OpenPGP to Automatically Decrypt SFTP Files

Eric Richards

Eric Richards

Healthcare Integration Engineer

October 25, 2017   integration Security

Why is encryption important?

HIPAA compliance has requirements for the transfer and storage of Protected Health Information (PHI). Standard SSH file transfer can securely transfer data onto the Datica Platform. However, the files need to be encrypted at rest on the SSH sender’s storage volume before being doubly encrypted/decrypted during the SSH transfer.

While you can manage part of your encryption for transfer yourself, you still need to have a method for encrypting storage volumes, containers, and the data transferred between those services. Datica’s platform meets those requirements for everything, once the data makes it onto the platform (HITRUST-audited policy 17.9).

What is GnuPG and OpenPGP?

The GNU Privacy Guard (GnuPG) is a free implementation of the OpenPGP standard (also known as RFC 4880, as defined by the Internet Engineering Task Force).

OpenPGP is the most widely used email encryption standard. It is available on all major platforms, including MacOS, Windows, GNU, Linux, Android, and iOS. OpenPGP is the way to go when you need a free and open source tool to encrypt files, especially across multiple different platforms.

GPG Keychain Clients and CLI

The keychain client I use is GPG Suite 2017.1. This is a simple tool for managing keys for different projects. You can import another party’s public key, a private key you created elsewhere, or generate new public and private key pairs within the client. After installing a keychain client, you will also need to make sure you have installed the GNU core utilities.

  • Using the GPG command line interface to generate a brand new key: $ gpg –gen-key
  • Importing an existing GPG key: $ gpg --import gpg/<keyfile>.asc
  • GPG keys will have two parts if you generate them yourself — public and private. If you’re importing one provided by another party, you will likely only have the public half of the key.

-----BEGIN PGP PUBLIC KEY BLOCK-----
...
...
...
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
...
...
----END PGP PRIVATE KEY BLOCK-----

Using a key to encrypt and decrypt files

  • Encrypting an existing file with your GPG key: $ gpg --encrypt -r <recipient or ID for public key> <filename>
  • Decrypting an existing (already encrypted file): $ gpg --decrypt <filename>
  • You can also lock down your key to require a password for use, specify an output file for the decrypted contents, and flag to skip prompting the user for those values: gpg --passphrase-file <fileContaingPassword> --output <fileToWriteOutput> --no-use-agent --decrypt <fileToBeDecrypted>

Automation

Example situation: you have an SFTP endpoint where another party will be dropping encrypted files. You provide them with the public half of your GPG with which to encrypt files, and then you set up your private key alongside your SFTP receiver to decrypt the files later on. You won’t want to do this manually, so just set up a scheduled task to handle this for you.

  • Drop location for inbound, encrypted file: /foo/inbox/file.gpg
  • Adding your GPG key file password (optional): /foo/gpg/password.txt
  • Drop location for decrypted file: /foo/outbox/decryptedfile
  • Drop location for already processed inbox file: /foo/recycling/file.gpg
  • Build a script to pick up the encrypted file and use the GPG key and password to decrypt the file again.

#!/bin/bash
cd /foo/inbox
for FILE in ./*.gpg; do
    echo "Original file:      $FILE"
    echo "Decrypted file:      ${FILE%.gpg}"
    gpg --passphrase-file ../gpg/password.txt --output "${FILE%.gpg}" --no-use-agent --decrypt "$FILE"
    mv --backup=numbered "$FILE" "../recycling"
    mv --backup=numbered "${FILE%.gpg}" "../outbox/"
done

Then, all that’s left is to set up a Cron schedule for this script to run periodically.

Looking for Datica documentation? Visit docs.datica.com for advice and answers from the Datica Team.

Earlier

This second interview of our “Mapping the Digital Health Landscape” series, highlights innovation at Strata Health in the U.S. and beyond.

Next Post

$360,000! The cost for a maker of digital health products to design, implement, deploy and prove HIPAA compliance all on their own. Get the breakdown.

Related

If It's Possible, We Can Integrate It

Mark Olschesky

Chief Data Officer

There’s much a digital health company needs to know about EHR integrations. Here are 4 essential questions digital health teams should ask their customers.

September 5, 2017

Mirth Connect and Vulnerability Scanning

Datica Editorial Team

Periodic tips and tricks about Mirth Connect and HL7 integration.

December 31, 2014

Start Mirth Connect as a Service on Boot

Mark Olschesky

Chief Data Officer

You want your Mirth Connect servers to be resilient to arbitrary reboots, but did you know you can start/restart your Mirth engine as a Linux service?

January 20, 2015