
Secure file transfer using PGP Key Management Server

Created: 08 Apr 2011 • Updated: 08 Jun 2011
Andreas Zengel

This script is an example implementation of a file transfer process.

A file is encrypted, sent to a recipient using FTP and, on the receiving side, decrypted using the PGP Key Management Server.
All private keys are stored only on the PGP Universal Server; using the Key Management Server, the receiving side can decrypt the file without ever transferring the private key off the PGP Key Management Server.
Note that plain FTP protects neither the data nor the FTP credentials in transit, so the confidentiality of the file contents rests entirely on the PGP encryption applied before upload.

On decryption, PGP Command Line extracts the encrypted session key from the encrypted file and sends only this encrypted session key to the PGP Key Management Server, which decrypts it with the private key it holds and returns the symmetric session key. PGP Command Line is then able to decrypt the bulk data locally with that session key; the encrypted file itself never has to leave the receiving host.
PGP Command Line version required (min): 10.0.0
PGP Universal Server version required (min): 3.0.0
Script language: Perl
Developed for platform: Linux
Platforms the script will work on: Windows, Unix, any platform with a Perl interpreter and PGP Command Line installed
This example is implemented in two scripts: and
It is written to be used on Linux and Unix platforms; this can easily be changed in the source code to make it compatible with Windows as well.

* A reachable PGP Universal Server (acting as the Key Management Server)
* A Linux machine, SERVER, running an FTP server and a licensed PGP
  Command Line
* A (ideally different) Linux machine, CLIENT, with a licensed PGP
  Command Line
* Copy the script to the CLIENT machine.
* Copy the script to the SERVER machine.
* Edit the "config" section at the top of both scripts to match the IP
  address or hostname of the KMS server, the USP authentication
  information, the FTP information, etc.
* On both CLIENT and SERVER, run an authenticated PGP Command Line KMS
  command and tell it to cache the authentication cookie, e.g.:
  pgp --usp-server --usp-cache-auth --auth-username usp-user \
   --auth-passphrase passphrase
  The scripts assume that an authentication cookie exists for the Unix
  user that runs them, so run this command as the same Unix user that
  will later run the scripts. If the cookie does not exist, the scripts
  fail with permission errors. Also note that the USP server string
  given to --usp-server on this command has to match the one in the
  config section exactly; it is not sufficient that the two resolve to
  the same machine.
* Put clear-text files to transfer on CLIENT, in the configured
  outgoing directory.
* Run the script on CLIENT
* Run the script on SERVER
* Clear-text versions of the files can be found in the configured
  destination dir on SERVER.
* Each invocation of will clobber any existing files
  in the destination directory. That is, if a file has the same name
  as a file previously transferred, only the new file will remain in
  the destination directory.
* At this point, no attempt is made to verify that files ending in
  .pgp are indeed OpenPGP files; the scripts assume they are. Creating
  such files by hand and attempting to transfer them will therefore not
  work.
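The decryption step described above works on the Public-Key Encrypted Session Key (PKESK) packet at the front of the file, and the last caveat notes that the scripts never check whether a .pgp file really is OpenPGP. The following Python script is an added example, not part of the original Perl scripts: it walks the OpenPGP packet headers (RFC 4880, section 4.2) and decodes the PKESK packet (section 5.1), reporting which key ID and public-key algorithm the session key is encrypted to, which is what the KMS needs to select the private key, and rejecting any file that does not start with an encrypted-session-key packet. It handles both binary and ASCII-armored messages. The sample message at the bottom is constructed by hand; it is not output from PGP Command Line, and the "encrypted session key" bytes in it are dummies.

```python
"""Sanity-check a candidate .pgp file and show the packet that PGP Command
Line hands to the Key Management Server.  Packet layout per RFC 4880.
Added example, not part of the original scripts; the sample message at
the bottom is constructed by hand, not produced by PGP Command Line."""
import base64

TAG_PKESK = 1    # Public-Key Encrypted Session Key: the packet the KMS decrypts
TAG_SKESK = 3    # Symmetric-Key Encrypted Session Key (passphrase, no KMS)
TAG_SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data (bulk data)
ALGO_NAMES = {1: "RSA", 2: "RSA (encrypt-only)", 16: "Elgamal", 18: "ECDH"}


def dearmor(data):
    """Strip ASCII armor if present; binary input is returned unchanged."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    lines = data.splitlines()
    if b"" not in lines:
        raise ValueError("armor without a blank line after the headers")
    body = []
    for line in lines[lines.index(b"") + 1:]:
        # "=XXXX" is the CRC-24 line; this example does not verify it.
        if line.startswith(b"=") or line.startswith(b"-----END"):
            break
        body.append(line)
    return base64.b64decode(b"".join(body), validate=True)


def _read(data, pos, n):
    """Return data[pos:pos+n] and the new offset, refusing short reads."""
    chunk = data[pos:pos + n]
    if len(chunk) != n:
        raise ValueError("truncated at offset %d" % pos)
    return chunk, pos + n


def packets(data):
    """Yield (tag, body) for each top-level packet of an OpenPGP message.
    Raises ValueError when the bytes are not a well-formed packet stream."""
    pos = 0
    while pos < len(data):
        hdr, pos = _read(data, pos, 1)
        ctb = hdr[0]
        if not ctb & 0x80:
            raise ValueError("offset %d: 0x%02x is not a packet tag" % (pos - 1, ctb))
        if ctb & 0x40:                            # new-format header
            tag = ctb & 0x3F
            first, pos = _read(data, pos, 1)
            if first[0] < 192:
                length = first[0]
            elif first[0] < 224:
                second, pos = _read(data, pos, 1)
                length = ((first[0] - 192) << 8) + second[0] + 192
            elif first[0] == 255:
                raw, pos = _read(data, pos, 4)
                length = int.from_bytes(raw, "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                        # indeterminate: runs to end of data
                length = len(data) - pos
            else:
                raw, pos = _read(data, pos, (1, 2, 4)[ltype])
                length = int.from_bytes(raw, "big")
        body, pos = _read(data, pos, length)
        yield tag, body


def parse_pkesk(body):
    """Decode the PKESK fields the KMS needs (key ID, public-key algorithm)
    and the MPI holding the encrypted session key itself."""
    if len(body) < 12 or body[0] != 3:
        raise ValueError("not a version 3 PKESK packet")
    key_id, algo = body[1:9], body[9]
    mpi_bits = int.from_bytes(body[10:12], "big")
    esk, _ = _read(body, 12, (mpi_bits + 7) // 8)
    return {"key_id": key_id.hex().upper(),
            "algorithm": ALGO_NAMES.get(algo, "unknown (%d)" % algo),
            "encrypted_session_key": esk}


def first_packet(data):
    """(tag, body) of the first packet, or None if this is not OpenPGP at all."""
    try:
        return next(packets(dearmor(data)))
    except (ValueError, StopIteration):
        return None


def is_openpgp_encrypted(data):
    """True only if a decrypt run would find an encrypted session key."""
    pkt = first_packet(data)
    return pkt is not None and pkt[0] in (TAG_PKESK, TAG_SKESK)


def describe(data):
    """One-line verdict for a candidate .pgp file."""
    pkt = first_packet(data)
    if pkt is None:
        return "not an OpenPGP message"
    tag, body = pkt
    if tag == TAG_SKESK:
        return "passphrase-encrypted (SKESK); the KMS is not involved"
    if tag != TAG_PKESK:
        return "OpenPGP message but not encrypted (first packet tag %d)" % tag
    info = parse_pkesk(body)
    return "encrypted to key ID %s (%s); %d-byte encrypted session key goes to the KMS" % (
        info["key_id"], info["algorithm"], len(info["encrypted_session_key"]))


# --- constructed sample, not real PGP Command Line output ---------------------
# PKESK body: version 3, 8-byte key ID, algorithm 1 (RSA), one 128-bit MPI
# holding a dummy "encrypted session key".
DUMMY_ESK = bytes(range(0x80, 0x90))
PKESK_BODY = (b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01"
              + (128).to_bytes(2, "big") + DUMMY_ESK)
# Old-format header for tag 1 with a 1-byte length (0x84), then a new-format
# SEIPD header (0xC0 | 18) with an 8-byte dummy body.
SAMPLE_MESSAGE = (bytes([0x80 | (TAG_PKESK << 2), len(PKESK_BODY)]) + PKESK_BODY
                  + bytes([0xC0 | TAG_SEIPD, 8]) + b"\x01" + b"\x00" * 7)
SAMPLE_ARMORED = (b"-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
                  + base64.b64encode(SAMPLE_MESSAGE) + b"\n=AAAA\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for label, blob in (("binary", SAMPLE_MESSAGE), ("armored", SAMPLE_ARMORED),
                        ("plain text", b"this is not encrypted\n")):
        print("%-10s -> %s" % (label, describe(blob)))
```

Dropping a call to is_openpgp_encrypted() into the receiving script before it invokes pgp --decrypt turns the "will not work" caveat into a clean skip with a log line, and the key ID reported by describe() is the one to compare against the keys actually held on the PGP Universal Server when a decrypt fails for no obvious reason.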