Installing the PGP Decryption Add-on in SFTP Gateway for Google Cloud

PGP Decryption

One of SFTP Gateway’s greatest advantages is its versatility; through the use of add-ons and custom solutions, the functionality of SFTP Gateway can be expanded to make tasks more efficient and user-friendly.

For instance, the PGP Decryption add-on automates downloading a PGP-encrypted file, decrypting it, and uploading the decrypted result. In this article, I will walk through the process of deploying the PGP Decryption add-on on Google Cloud.

Requirements

Before starting, double check that you have the following:

  • git installed
  • python 3.9 installed
  • A GCP account that can:
    • Create a service account
    • Create storage buckets
    • Give IAM permissions
    • Create a Google Function

Preparation

Before setting up the Google Function, we’re going to create some resources that you’ll need later on in the process.

First, we need a service account that has permissions to Cloud Storage.

    1. Log in to the Google Cloud console
    2. Go to “IAM & Admin” -> “Service Accounts”
    3. Press “Create Service Account”
    4. Give the new service account a name
    5. Press “Done”
    6. Open the service account you just created and copy its email address


You can give the service account access to all current and future buckets:

    1. Go to “IAM & Admin” -> “IAM”
    2. Press “Grant Access”
    3. Paste the email into the “New principals” box
    4. Select “Cloud Storage” -> “Storage Admin” for the role
    5. Press “Save”

Next, we need to set up the buckets that the function will use. You will need a bucket for the encrypted files, one for the decrypted files, and one for the encryption key file. Although it is not recommended, you may use the same bucket for two or even all three of these roles. Remember the bucket names for later.

To create a new bucket:

  1. Go to Cloud Storage
  2. Press “Create Bucket”
  3. Give the new bucket a name
  4. Press “Create”

bryce-pgp-incoming – bucket used to store incoming PGP encrypted files.

bryce-pgp-landing – bucket used to store the decrypted PGP files.

bryce-pgp-key – bucket that stores my PGP key used to decrypt incoming files.

Now that the buckets have been created, upload the encryption key file to whichever bucket is to be the key bucket. If you place it inside folders, remember the file path to the file.

Create ZIP File

Google Functions lets you upload a ZIP file containing the source code for a function and unpacks it for you automatically. In addition, we have created a Python script that builds a ZIP file containing the required files in the structure Google Functions expects.

Start by cloning the source repository to your local computer. In my scenario I used the “Download ZIP” option.

Navigate to the project directory; you want to be in the directory above “deploy”.

Execute the python script make_zip.py using the command:

python3 deploy/GCP/make_zip.py

This script creates a ZIP file named “deploy/GCP/pgpGoogleArchive.zip”. Remember where it is, since you will upload it in the next section.

Make Google Function

Now that we have finished preparations and created a ZIP file of our code, we can create the Google Function.

  1. Return to the Google Cloud console
  2. Go to Cloud Functions
  3. Press “Create Function”
  4. Give the new function a descriptive name

After giving it a name, set the trigger information:

  1. Set the trigger type to “Cloud Storage”
  2. Set the event type to “On (finalizing/creating) file in the selected bucket”
  3. Press “Browse” and select the bucket that encrypted files will be uploaded to
  4. Leave the “Retry on failure” box unchecked
  5. Press “Save”

This trigger is how the function learns that a file has been uploaded. If you ever want to change which bucket is watched, edit this setting. Note that each function can have only one trigger.

Next are the runtime settings:

  1. Expand the menu labeled “Runtime, build, connections and security settings”
  2. Set “Memory allocated” to 2 GB
  3. Set “Timeout” to 60 seconds
  4. Open the dropdown menu labeled “Runtime service account” and select the service account you created earlier
  5. Scroll down and press “Add Variable” for each environment variable. The following must be set:
    • PGP_KEY_LOCATION – Name of the bucket that contains the encryption key file
    • PGP_KEY_NAME – File path to the encryption key file within that bucket (including folders). For example, a file named “private.asc” in a folder named “keyfolder” requires PGP_KEY_NAME to be set to “keyfolder/private.asc”.
    • PGP_PASSPHRASE – Passphrase associated with the encryption key. Don’t create the variable if your key has no passphrase.
    • DECRYPTED_DONE_LOCATION – Name of the bucket that decrypted files should be moved to after decryption.
  6. Scroll to the bottom and press “Next”

In the future, you may want to change the amount of memory available, the timeout duration, or the environment variables. If so, edit these settings.

Finally, we must select the runtime and entry point and upload the source code.

  1. Open the dropdown menu labeled “Runtime” and select “Python 3.9”
  2. Open the dropdown menu labeled “Source code” and select “ZIP Upload”
  3. Press “Browse” and select the ZIP file made previously
  4. Choose any bucket for Stage bucket (such as the key-file bucket)
  5. Change the Entry Point to “invoke”
  6. Press “Deploy”
  7. Wait a few minutes until the function displays a green status indicator.
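To see how the pieces configured above fit together, here is an added illustration of a Cloud Storage-triggered function that uses the same entry point name (“invoke”) and the same four environment variables. It is not the add-on’s own code; it assumes the function has the google-cloud-storage and python-gnupg packages plus a gpg binary available, and that encrypted uploads end in .pgp, .gpg or .asc.

```python
import os

# Environment variables exactly as the article configures them on the function.
REQUIRED_VARS = ("PGP_KEY_LOCATION", "PGP_KEY_NAME", "DECRYPTED_DONE_LOCATION")
ENCRYPTED_SUFFIXES = (".pgp", ".gpg", ".asc")  # assumption: how encrypted uploads are named


def load_config(env=None) -> dict:
    """Read the function's configuration; PGP_PASSPHRASE is optional, as in the article."""
    env = os.environ if env is None else env
    missing = [v for v in REQUIRED_VARS if not env.get(v)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {"key_bucket": env["PGP_KEY_LOCATION"], "key_path": env["PGP_KEY_NAME"],
            "done_bucket": env["DECRYPTED_DONE_LOCATION"],
            "passphrase": env.get("PGP_PASSPHRASE") or None}


def should_process(event: dict, cfg: dict) -> bool:
    """Guard for the 'same bucket for several roles' case the article allows but
    discourages: the key file and decrypted outputs must never be treated as
    incoming files, or uploading a result would fire the trigger again."""
    bucket, name = event.get("bucket", ""), event.get("name", "")
    if not name or name.endswith("/"):
        return False  # folder placeholder objects carry no data
    if bucket == cfg["key_bucket"] and name == cfg["key_path"]:
        return False  # the key itself landing in the key bucket is not an upload to decrypt
    return name.endswith(ENCRYPTED_SUFFIXES)  # decrypted outputs lack these suffixes


def decrypted_name(name: str) -> str:
    """'inbox/report.csv.pgp' -> 'inbox/report.csv' (keeps any folder prefix)."""
    for suffix in ENCRYPTED_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name + ".decrypted"


def invoke(event, context):
    """Entry point named in the article (1st-gen background function signature)."""
    cfg = load_config()
    if not should_process(event, cfg):
        return
    from google.cloud import storage  # assumption: available in the function's runtime
    import gnupg                      # assumption: python-gnupg and a gpg binary present
    client = storage.Client()
    gpg = gnupg.GPG(gnupghome="/tmp/gnupg")  # /tmp is the writable area of the runtime
    gpg.import_keys(client.bucket(cfg["key_bucket"]).blob(cfg["key_path"]).download_as_bytes())
    client.bucket(event["bucket"]).blob(event["name"]).download_to_filename("/tmp/in.pgp")
    with open("/tmp/in.pgp", "rb") as f:
        result = gpg.decrypt_file(f, passphrase=cfg["passphrase"], output="/tmp/out")
    if not result.ok:
        raise RuntimeError("decryption failed: " + str(result.status))  # shows up in function logs
    client.bucket(cfg["done_bucket"]).blob(decrypted_name(event["name"])).upload_from_filename("/tmp/out")
```

A failed decryption raises rather than returning silently, so the error is visible in the function’s logs; with “Retry on failure” unchecked as the article instructs, a bad upload is not retried endlessly.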
