Tech Blog

FTPing encrypted files to Alma using PGP

Introduction

While Alma supports both FTP and SFTP for file transfer, SFTP only encrypts the file in transit. Once the file has been placed on the FTP server, the data sits there in plain text, which might be an issue when dealing with sensitive data such as funds or patrons.

Starting with the Alma Jun 2020 Release it is possible to encrypt files uploaded to Alma and have Alma encrypt files it creates. The encryption is based on the OpenPGP standard, and uses the .gpg file suffix for the encrypted files.

Here we’ll show how to use Gpg4win, which is a “free and open-source software, and it is typically the non-proprietary option for privacy recommended to Windows users” (Wikipedia).

Public-Key Encryption

Up until the 70s, the only way to encrypt files was to use a symmetric key: a secret code used to both encrypt and decrypt the message. While this method is quick and easy to understand, it has its downsides: the 2 parties who want to exchange messages would have to meet in person in order to secretly decide on the key.

Then came Asymmetric Encryption where one key is used for encryption and a different key is used for decryption.

If Alice would like to receive a secret message from Bob, she will create a pair of keys. One of the 2 keys she’ll keep for herself – the private key, and one she’ll send to Bob (or just post on her website) – the public key. Bob will use her public key to encrypt the message, and she’ll use her private key to decrypt it.

The below image uses open combination locks as an illustration for a public key. The combination numbers are the same for all locks and are known only to Alice. Once Bob uses one to lock the box only Alice can open it.

If you care about files exported from Alma, then Alma is Bob and the library would be Alice. The library will generate a pair of keys and hand over the public one to Alma.

If you care about files imported to Alma, then Alma would be Alice and the library is Bob. Alma has a pair of keys. You can grab Alma’s public key and use it to encrypt the files before uploading.

And if you would like to be covered both ways – this is, of course, possible as well, and that is what we’ll show here.

Installing GPG4Win

Download from https://www.gpg4win.org and follow the wizard.

There are a few components to choose from. We’ll only need Kleopatra, so you might want to uncheck the other options.

Generating keys for the library

Start Kleopatra and choose File > New Key Pair:

Then follow these screenshots:

the email address doesn’t have to be a real one

a date in the far future is fine.

Pick a passphrase of 8 characters or more. Remember it or keep it in a safe location, as the private key will be unusable without it:

After exporting the public key, head on to Alma and from the General Configuration page select Manage Encryption Keys:

Upload the public key, and give it any code, name, and description. You can generate several keys, and use different keys in different FTP configurations if such added security is needed:

From the action menu it is now possible to test the key by downloading a small text file which Alma encrypted using the public key you provided. If you would like to decrypt it, skip ahead to the “Decrypting” section.

Downloading Alma’s public key

This part is easy: From the Manage Encryption Keys page click on Download Alma’s PGP Public Key.

Now let’s import it into Kleopatra so we can use it to encrypt files.

Encrypting

Click on Import and locate the public key downloaded from Alma:

No need to make a phone call to Alma… Since you know you have just downloaded it from Alma you can simply click Yes.

We are all set for encrypting our first file!

Create a small file with any name and any text within it.

Click on Sign/Encrypt and locate the file:

There is no need to Sign or “Encrypt for me”, so you can uncheck these options. Then in the “Encrypt for others” textbox, start typing your Inst code and click it:

After the file is encrypted and has the .gpg suffix, you can upload it to Alma by clicking on the Upload Test File button. Alma will decrypt, and present you with the original file.

Decrypting

Let’s try decrypting the test file. Note the .gpg suffix:

Click on  and select the file.

Type your private-key passphrase:

The file is quickly decrypted:

Press on and you’ll now have the decrypted file next to the gpg file. Open it with any text editor and you should see “Test OK”:

Notes

  • For Alma to encrypt exported files you need to enter the S/FTP connections screen and select one of the public keys you uploaded:
  • For Alma to decrypt imported files, the files should have the .gpg suffix. No need for any additional configuration in the S/FTP connections screen. For compressed (ZIP) files make sure to first compress the file, and encrypt afterwards, such that the filename will be: filename.zip.gpg
  • Technical information for cryptographers: Alma encrypts using the OpenPGP standard using: RSA with 2048 bits, AES with 256 bits and uses SHA-256 hash.

PGP or GPG – same thing?

PGP – Pretty Good Privacy, is software written by Philip Zimmermann in 1990. PGP, and now similar software, follows OpenPGP, an open standard of PGP encryption software (RFC 4880). PGP Corporation was a company that sold Pretty Good Privacy computer software. It was founded in 2002, and acquired by Symantec in 2010.

GPG – GNU Privacy Guard (GnuPG or GPG) is a free-software replacement for Symantec’s PGP.

To sum up: here we recommend using GPG which follows the OpenPGP standard.

Appendix: Using GPG from the command line

Encryption and decryption can be done automatically from scripts. Here is how to call it from Windows cmd:

To decrypt

Open the cmd (or PowerShell) at the directory where gpg_test.txt.gpg is located and type:

gpg --output doc.txt --decrypt gpg_test.txt.gpg

The output will include information about the public key used to encrypt the file:

gpg: encrypted with 2048-bit RSA key, ID 7A8D2903A56C2A59, created 2020-02-25
"Main Library <main@lib.org>"

doc.txt will be created in the same directory.

If you protected your private key with a passphrase, and the above command prompts you for it, see here.

To encrypt

Say your file is myTest.txt, from the directory where the file is, run:

gpg --output myTest.txt.gpg --encrypt --recipient 01MYLIB_INST@exlibrisgroup.com myTest.txt

There’ll be no output (unless an error occurs) and myTest.txt.gpg will be created.
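The encrypt step above, wrapped in a PowerShell script that follows the compress-first, encrypt-afterwards order from the Notes and does not leave the plain-text ZIP next to the file to be uploaded. This is an added example, not part of the original post; the parameter and variable names are assumptions, and it expects gpg on the PATH with Alma’s public key already imported and certified in Kleopatra as shown earlier.

```powershell
# Added example: compress, then encrypt for Alma, producing <name>.zip.gpg.
# $Recipient defaults to the placeholder address used in the command above;
# replace it with your own institution code.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $Recipient = '01MYLIB_INST@exlibrisgroup.com'
)

$ErrorActionPreference = 'Stop'

$source = Get-Item -LiteralPath $Path
$zip    = Join-Path $source.DirectoryName ($source.BaseName + '.zip')
$gpgOut = "$zip.gpg"    # e.g. myTest.zip.gpg

# Step 1: compress first (Alma expects filename.zip.gpg, not filename.gpg.zip).
Compress-Archive -LiteralPath $source.FullName -DestinationPath $zip -Force

try {
    # Step 2: encrypt the ZIP for Alma's key.
    # --batch: never stop to ask a question; --yes: overwrite an old output file.
    & gpg --batch --yes --output $gpgOut --encrypt --recipient $Recipient $zip

    # gpg is silent on success, so the exit code is the only reliable signal.
    if ($LASTEXITCODE -ne 0) {
        throw "gpg exited with code $LASTEXITCODE; do not upload anything."
    }
    if (-not (Test-Path -LiteralPath $gpgOut)) {
        throw "Expected output $gpgOut was not created."
    }
}
finally {
    # The intermediate ZIP is plain text; remove it whether or not gpg succeeded
    # so it cannot be picked up by the upload job by mistake.
    Remove-Item -LiteralPath $zip -ErrorAction SilentlyContinue
}

# Hand the encrypted file's path to the caller (for example, the S/FTP upload step).
Get-Item -LiteralPath $gpgOut
```

If gpg fails with a message that there is no assurance the key belongs to the named user, the imported key has not been certified in the keyring the script is running under.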
