NUTRINTG CDP-to-SFMC Decryption Key Generation

An asymmetric key pair used for encryption and decryption usually has an expiration date. This guide covers generating a new key pair and configuring the CDP-to-SFMC integration app to use it.

Generation and Configuration Steps

Because the CDP-to-SFMC integration app uses an older version of BouncyCastle, we have to use an older version of the GnuPG application for your OS. This guide is based on gpg4win-3.1.6.

  1. Download GnuPG from the official GnuPG website and install it. Make sure the installation is in your PATH.

  2. Run

    gpg --full-generate-key

    and follow the prompts. Select, step by step: RSA and RSA, a key length of 4096, an expiration of 2 years, the appropriate recipient name/email and a passphrase of your choice. These are the values of the current key and may be subject to change if necessary.

  3. Run

    gpg --list-keys

    to view your installed keys.

  4. Run

    gpg --armor --export <recipient email>

    to export the public key. This is the key used for encryption. Pass it to Epsilon in a secure way.

  5. Run

    to export a private key.

  6. Encode the private key into Base64. Do not use websites, since they may store this sensitive data. For example, you can write a simple static main method in Java and run it locally.

  7. Replace the decrypter_key value in infra/secrets/<environment>.yaml via SOPS. SOPS configuration is described in the corresponding GitHub article. For the dev environment, the process.base-64-encoded-decryption-key or process.decryption-key-path property should be specified in the properties file.

  8. Create a ticket for the Platform Team to run Terraform and apply the changes.
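
One way to do the local Base64 encoding from step 6, as an added example that is not code from the integration app. The class name and file arguments are hypothetical, and it assumes the app expects standard single-line Base64 of the exported key file's bytes.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Base64;

// Added example (hypothetical class name): local Base64 encoding for step 6.
public class EncodeDecryptionKey {

    private static final String PUBLIC_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----";

    // Returns single-line Base64 of the exported key bytes (assumed format).
    static String encode(byte[] keyBytes) {
        if (keyBytes.length == 0) {
            throw new IllegalArgumentException("key file is empty");
        }
        String head = new String(keyBytes, 0, Math.min(keyBytes.length, 64),
                StandardCharsets.US_ASCII).trim();
        if (head.startsWith(PUBLIC_HEADER)) {
            // Steps 4 and 5 both produce key files; only the private key can decrypt.
            throw new IllegalArgumentException("this is the public key export");
        }
        // Basic encoder: no line breaks (the MIME encoder would wrap at 76 chars).
        String encoded = Base64.getEncoder().encodeToString(keyBytes);
        // Round-trip check before the value goes anywhere near the secrets file.
        if (!Arrays.equals(Base64.getDecoder().decode(encoded), keyBytes)) {
            throw new IllegalStateException("Base64 round trip mismatch");
        }
        return encoded;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            // args: <exported private key file> <output file>, names chosen by the operator
            String encoded = encode(Files.readAllBytes(Paths.get(args[0])));
            // Write to a file, not the console, to keep the secret out of scrollback.
            Files.write(Paths.get(args[1]), encoded.getBytes(StandardCharsets.US_ASCII));
            System.out.println("Wrote " + encoded.length() + " Base64 characters");
            return;
        }
        // No arguments: self-check on a constructed placeholder, not a real key.
        byte[] sample = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed)\n"
                .getBytes(StandardCharsets.US_ASCII);
        System.out.println("Self-check: " + encode(sample).length() + " characters");
    }
}
```

Delete both the exported key file and the Base64 output file once the value has been stored via SOPS in step 7.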

Notes

  • In order to encrypt a dummy file for testing purposes you can use

  • The CDP-to-SFMC integration app uses an old BouncyCastle version. Therefore it was impossible to use a newer version of GPG for key generation, even with the --openpgp flag.

  • The current key has an expiration date of 2025-02-26.