Configuring encryption keys for multi tenant content export

Content export for multi tenant (MT) pods requires the user to configure an encryption key to encrypt the content export files.

To do this, the user needs a Unix/Linux-like environment with GNU Privacy Guard (GnuPG) installed.

Configure and generate encryption keys by following these steps:

 

1. Enter gpg --full-generate-key to begin generating the PGP key, then choose option 1, RSA and RSA:

$ gpg --full-generate-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1

2. Enter 4096 when asked what keysize is preferred:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096 

3. Select the expiry of the key and press Y to confirm. In the example below, a 0 is entered to indicate no expiry date:

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) Y

4. Enter the Real name and Email address so the keys can be generated, then enter O (Okay) to confirm the details:

GnuPG needs to construct a user ID to identify your key.

Real name: ENTER REAL NAME HERE
Email address: ENTER EMAIL ADDRESS HERE
Comment:

You selected this USER-ID:
"xxx@xxx.com"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

5. The user is then shown a window asking for a passphrase for the keys. This is optional, and the user can proceed without entering a passphrase if desired.

6. The PGP key will then be created, as shown below:

gpg: key E737CA1989194E5B marked as ultimately trusted
gpg: revocation certificate stored as '/home/ming/.gnupg/openpgp-revocs.d/EAED595082BC65348B1AA798E737CA1989194E5B.rev'
public and secret key created and signed.

pub rsa4096 2020-11-13 [SC]
EAED595082BC65348B1AA798E737CA1989194E5B
uid name_goes_here <xxx@xxx.com>
sub rsa4096 2020-11-13 [E]

7. Once created, the Public and Private keys need to be extracted.

8. The Public key must be uploaded to the Admin Portal. To do this, enter gpg --export -a "xxx.xxx" > public.key to extract it:

gpg --export -a "xxx.xxx" > public.key

 

Note: If a passphrase was configured in step 5, the user will be prompted to enter it here to extract the key.

9. The Private key is used to decrypt the files that were encrypted using the Public key. Enter gpg --export-secret-key -a "xxx.xxx" > private.key to extract it:

gpg --export-secret-key -a "xxx.xxx" > private.key

 

Note: If a passphrase was configured in step 5, the user will be prompted to enter it here to extract the key.

10. Copy the Public key into the Admin Portal from the Encryption tab and save the key to complete the process (Figure 1):

 

Figure 1 Encryption Key For Content Export
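
The following pre-upload check is an added example, not part of the original article or the product's tooling. It reads the first OpenPGP packet of public.key (step 8) and private.key (step 9) so that private key material is never pasted into the Admin Portal in step 10; the function names are hypothetical, and the script assumes a POSIX shell with sed, cut, base64 and od available.

```shell
#!/bin/sh
# Added example: checks the files written in steps 8 and 9 before step 10.
# Function names are hypothetical; public.key / private.key are the article's names.

# Print the OpenPGP packet tag of the first packet in an ASCII-armored file.
# RFC 4880: tag 6 = public key packet, tag 5 = secret key packet.
first_packet_tag() {
    # Drop armor lines, "Name: value" headers, the "=CRC" line and blanks,
    # then decode the first base64 group and read its first byte.
    byte=$(sed -e '/^-----/d' -e '/^[A-Za-z-]*: /d' -e '/^=/d' \
               -e '/^[[:space:]]*$/d' "$1" | tr -d '\r\n' | cut -c1-4 \
           | base64 -d 2>/dev/null | od -An -tu1 | awk '{print $1; exit}')
    [ -n "$byte" ] || return 1
    [ $((byte & 128)) -ne 0 ] || return 1   # bit 7 is set in every packet header
    if [ $((byte & 64)) -ne 0 ]; then
        echo $((byte & 63))                 # new-format header: tag in bits 5-0
    else
        echo $(( (byte & 60) >> 2 ))        # old-format header: tag in bits 5-2
    fi
}

# Return 0 only if the file is safe to paste into the Admin Portal.
check_public_export() {
    grep -q 'PRIVATE KEY BLOCK' "$1" &&
        { echo "$1: contains a private key block" >&2; return 1; }
    tag=$(first_packet_tag "$1") ||
        { echo "$1: not a readable armored key" >&2; return 1; }
    [ "$tag" -eq 6 ] ||
        { echo "$1: first packet has tag $tag, expected 6" >&2; return 1; }
}

# Return 0 if the file holds the secret key; restrict it to its owner.
check_private_export() {
    tag=$(first_packet_tag "$1") ||
        { echo "$1: not a readable armored key" >&2; return 1; }
    [ "$tag" -eq 5 ] ||
        { echo "$1: first packet has tag $tag, expected 5" >&2; return 1; }
    chmod 600 "$1"
}
```

Source the file, then run check_private_export private.key after step 9 and check_public_export public.key before step 10. Running gpg --show-keys public.key additionally prints the fingerprint, which can be compared with the one shown in step 6.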