How to Integrate PGP/GPG at PortX
Overview
This document outlines how to integrate PGP/GPG encryption at PortX for customers who require encrypted file transfers — for example, customers who PGP-encrypt outbound files containing PII and transaction data before sending them to PortX via AWS SFTP.
GPG (GNU Privacy Guard) is the open-source implementation of the PGP standard and is the recommended tooling at PortX.
Background
Some PortX customers require that all files containing sensitive data — such as customer PII and transaction records — be PGP-encrypted before transmission. PortX receives these files via AWS SFTP and must be able to decrypt them inline as part of downstream processing.
Step 1: Generate a GPP Key Pair
The CX engineer responsible for the customer tenant should generate a GPG key pair.
- Key size must be 2048-bit or higher
- The private key should have no passphrase (to support automated, unattended decryption in services)
gpg --full-generate-key
Select RSA, 2048-bit (or higher), and leave the passphrase blank when prompted.
Step 2: Store the Private Key in AWS Secrets Manager
The private key component must be stored securely in AWS Secrets Manager within the customer's tenant.
- The downstream processing service (or application) will retrieve the private key from Secrets Manager at runtime to perform decryption
- Never store the decrypted file at rest — decryption must happen inline as part of the processing pipeline
# Export the private key
gpg --export-secret-keys --armor <KEY_ID> > portx-customer-private.asc
# Store in AWS Secrets Manager (example using AWS CLI)
aws secretsmanager create-secret \
--name "portx/customer/pgp-private-key" \
--secret-string file://portx-customer-private.asc
Step 3: Share the Public Key with the Customer
Export the public key and provide it to the customer. The customer uses this public key to encrypt files before sending them to PortX.
gpg --export --armor <KEY_ID> > portx-customer-public.asc
Send portx-customer-public.asc to the customer (e.g., via secure email or a shared portal).
Step 4: Implement Inline GPG Decryption in the Processing Service
When the encrypted file arrives in S3 via AWS SFTP, the downstream processing service is responsible for decryption. Key requirements:
- Decryption must be inline — part of the next step in the processing pipeline (e.g., extract and load into DB)
- The file must never land decrypted at rest on disk or in S3
- Use the GPG library within the application/service performing the processing
- PortX's platform primarily supports services (not Lambdas) — decryption should be integrated into the service layer accordingly
Example Flow
S3 (encrypted file arrives via SFTP)
↓
Processing Service
1. Retrieve private key from Secrets Manager
2. GPG-decrypt file stream in memory
3. Process/load data (e.g., insert into DB)
4. Discard decrypted data — never write to disk or S3
Step 5: Annual Key Rotation
GPG keys are static credentials and must be rotated at least once per year, along with other static credentials such as SFTP credentials.
Key Rotation Steps
- Generate a new GPG key pair (repeat Step 1)
- Update the private key in AWS Secrets Manager (repeat Step 2)
- Provide the new public key to the customer (repeat Step 3)
- Confirm the customer has updated their encryption config before retiring the old key
- Delete the old private key from Secrets Manager once the transition is confirmed