An HR application contains lots of sensible data. This data often crystallize into pdf reports or office docs, and eventually they’ll get sent to remote systems. In this case you’ll probably use a VPN, or in the absence of it an sFTP port. Although this used to be enough, nowadays the security mantra is that you’re never too secure. In this post I try to explain how I set up a second layer of security.
Encryption is old, yet for people that have not used it before, may be synonymous of muddy waters. Leave it for the security administrator. Well, nowadays there are a few tools that makes the process really simple. I chose GnuPG since it is a free implementation of the openPGP standard, it can run in all platforms and is compatible with the proprietary software Symantec PGP, very expensive and widely used in big companies.
The idea is to encrypt the file on your server, and send it through your secure channel to the external target system.
The check list:
– Source and target systems will need to have an encryption software installed.
– A GnuPG standard installation is pretty straightforward. Follow the instructions and you’re done. You’ll end up with two keys, a private key and a public key. (If you’re in a windows platform use gpg4win which is an adaptation of GnuPG).
– In order to be able to decrypt your report, the target system will have to provide you with their public key. You will need to encrypt the files with it. Thus, they can decrypt it with their private key.
– Write a batch process that encrypts your file. There’s a lot of options you may want to use, but the basics come to this line:
%GNU_HOME%gpg2.exe –batch –yes -o %WORK_PATH%%FILE%.gpg -se –recipient target@publickey.com %WORK_PATH%%FILE%
Where %WORK_PATH% and %FILE% are the parameters for the batch
-o indicates the output file.
-se is for sign and encrypt.
and –recipient indicates that the file will be encrypted using the target’s public key, so only them could decrypt it.
If you need to tweak this, you’ll find more detailed information in the GnuPGP site.
– Call this batch process from peoplecode, using the Exec function for instance. Here you may pass the filename in case it changes per execution, which probably does.
&cmd = “cmd.exe /c \MyEncrypt.bat ” | &FileName;
&return = Exec(&cmd, %Exec_Synchronous + %FilePath_Absolute);
Finally I created two functions, one for encrypt and the other for decrypt (i.e. if the target sends a file back) placed them in a fieldformula event. The function accepts two parameters; the work directory and filename. This way I can reuse the functionality across the application.
A nice side effect of using encrypted files is that the encryption algorithm will do some file compression, so there are extra points for saving bandwidth and storage.