PGP and Bouncy Castle

I recently completed a project that required files to be PGP encrypted while in transit. In this case, a partner would use our public key to encrypt a file and then send it to our SFTP server.

The solution used IS to pick up the file from the SFTP server and move it to local storage. Company policy is that sensitive data can exist unprotected on disk for only the time it takes to process it. Normally this would mean decrypting the file, processing the “clear” file, then deleting the clear file when finished.

To be robust, the solution would need to account for the possibility that IS or the service would fail before the clear file could be deleted. An obvious solution would be a sweeper task that would regularly look for clear files that shouldn’t exist (older than some period of time) and remove them. I wasn’t happy about the prospect of yet another scheduled task and all the file management that would go along with the solution.

Enter the Bouncy Castle library. The BC library is a JCE provider and supports a variety of cryptography standards, including OpenPGP.

With the BC library, and leveraging code from Lock Box Labs, we could avoid writing the decrypted content to disk entirely. Instead, we could read the file and decrypt it on the fly, without needing to load the entire file into memory.

BC is stream oriented. Each packet in a PGP message is treated as a stream. Thus, one can chain together multiple stream objects to read the file from disk, decrypt, uncompress, and read the literal data from a single stream object. This stream can be used anywhere an InputStream is expected, including the pub.flatFile:convertToValues service.

With the BC library and the Lock Box Labs code we were able to create an IS service conceptually equivalent to pub.file:getFile, where the file could be returned as a stream or as bytes. This avoided the need to create administrative services to make sure decrypted files were removed from storage, simplifying operations.
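The stream chaining described above, as an added example that is not the Lock Box Labs code or the IS service from this post: it assumes a Bouncy Castle release that ships the jcajce operator classes (JcaPGPObjectFactory, JcePublicKeyDataDecryptorFactoryBuilder and friends), and the class name, method name and parameters are my own. The returned InputStream yields plaintext packet by packet, so the caller can hand it to anything that expects an InputStream without the clear file ever touching disk.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Security;
import java.util.Iterator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder;

// Hypothetical helper; not part of Bouncy Castle or Lock Box Labs.
public final class PgpStreamDecryptor {

    static {
        // Register Bouncy Castle as a JCE provider once per JVM.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Returns an InputStream over the plaintext of an OpenPGP message,
     * decrypting and decompressing on the fly as the caller reads.
     * Nothing is written to disk and the whole file is never held in memory.
     */
    public static InputStream openDecryptedStream(InputStream encrypted,
                                                  InputStream secretKeyRing,
                                                  char[] passphrase)
            throws IOException, PGPException {

        // getDecoderStream handles both ASCII-armored and binary input.
        JcaPGPObjectFactory factory =
            new JcaPGPObjectFactory(PGPUtil.getDecoderStream(encrypted));

        Object first = factory.nextObject();
        if (first instanceof PGPMarker) {        // an optional marker packet may come first
            first = factory.nextObject();
        }
        if (!(first instanceof PGPEncryptedDataList)) {
            throw new PGPException("Input is not a PGP-encrypted message");
        }
        PGPEncryptedDataList encList = (PGPEncryptedDataList) first;

        // Pick the session-key packet that was encrypted to one of our secret keys.
        PGPSecretKeyRingCollection keyRings = new PGPSecretKeyRingCollection(
            PGPUtil.getDecoderStream(secretKeyRing), new JcaKeyFingerprintCalculator());

        PGPPublicKeyEncryptedData pked = null;
        PGPPrivateKey privateKey = null;
        for (Iterator it = encList.getEncryptedDataObjects(); it.hasNext(); ) {
            Object data = it.next();
            if (!(data instanceof PGPPublicKeyEncryptedData)) continue;
            PGPPublicKeyEncryptedData candidate = (PGPPublicKeyEncryptedData) data;
            PGPSecretKey secretKey = keyRings.getSecretKey(candidate.getKeyID());
            if (secretKey != null) {
                privateKey = secretKey.extractPrivateKey(
                    new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(passphrase));
                pked = candidate;
                break;
            }
        }
        if (pked == null) {
            throw new PGPException("Message was not encrypted to any key in the secret key ring");
        }

        // Decrypt: this yields a stream over the (still compressed) inner packets.
        InputStream clear = pked.getDataStream(
            new JcePublicKeyDataDecryptorFactoryBuilder().setProvider("BC").build(privateKey));

        // Walk the inner packets: compressed data -> optional one-pass signature -> literal data.
        JcaPGPObjectFactory inner = new JcaPGPObjectFactory(clear);
        Object packet = inner.nextObject();
        if (packet instanceof PGPCompressedData) {
            inner = new JcaPGPObjectFactory(((PGPCompressedData) packet).getDataStream());
            packet = inner.nextObject();
        }
        if (packet instanceof PGPOnePassSignatureList) {
            packet = inner.nextObject();         // signature verification is out of scope here
        }
        if (!(packet instanceof PGPLiteralData)) {
            throw new PGPException("Unexpected packet: " + packet.getClass().getSimpleName());
        }
        InputStream literal = ((PGPLiteralData) packet).getInputStream();

        // The MDC integrity check can only be evaluated once the ciphertext has been fully
        // consumed, so run it when the consumer closes the stream and fail loudly if it fails.
        final PGPPublicKeyEncryptedData verifiable = pked;
        return new FilterInputStream(literal) {
            @Override public void close() throws IOException {
                try {
                    if (verifiable.isIntegrityProtected() && !verifiable.verify()) {
                        throw new IOException("PGP integrity check (MDC) failed");
                    }
                } catch (PGPException e) {
                    throw new IOException("Unable to verify PGP integrity protection", e);
                } finally {
                    super.close();
                }
            }
        };
    }
}
```

One consequence of streaming is worth keeping in mind: plaintext reaches the consumer before the integrity check has run, because BC can only compute the MDC after the last ciphertext byte. A service built this way should treat whatever it produced from the stream as provisional until close() returns without an exception, and discard or roll back the result if it throws.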

If you have similar needs I highly recommend checking out BC and Lock Box Labs.