Resolving Issues with PGP Decryption in SAP BTP iFlow

Hey there! I want to address an issue that may arise in projects involving encryption/decryption within the SAP BTP iFlow and its embedded PGP engine.

Scenario description

Imagine you've installed the latest version of the gpg4win application (version 4.3.1) to generate public and secret keys for business requirements.

You share the public key with a 3rd party and deploy the secret PGP key to your BTP tenant.

Next, you develop a simple iFlow to decrypt information provided by the 3rd party, who encrypts the information using the public PGP key you shared earlier.

0:00
/0:24

However, upon triggering the iFlow endpoint, you encounter an error.

In the ABAP monitor, you observe the following error for the failed message:

💡
com.sap.it.rt.adapter.http.api.exception.HttpResponseException: An internal server error occured: The input message body has an invalid format. The PGP decryption/verification processor expects a sequence of PGP packets of the form (entries in brackets are optional and ellipses indicate repetition, comma represents sequential composition, and vertical bar separates alternatives): Public Key Encrypted Session Key ..., Symmetrically Encrypted Data | Sym. Encrypted and Integrity Protected Data, Compressed Data, (One Pass Signature ...,) Literal Data, (Signature ...,).

Attempt to resolve the issue

To address this, let's explore the root cause of the problem. While researching through various resources, including SAP notes, you may find that SAP recommends using a specific version of gpg4win for PGP key management—version 2.3.4.

See Installing gpg4win

See https://files.gpg4win.org/gpg4win-2.3.4.exe

It seems that installing this older version of gpg4win and encrypting the file with the public key generated using the newer version might resolve the issue. You can then request the 3rd party to encrypt the information using the same public key but with the older version of the application.

No changes are required for the iFlow itself. Simply trigger it again with the new payload.

0:00
/0:13

The issue should now be resolved. However, it's important to note that SAP recommends using specific versions of gpg4win for both key generation and encryption. Additionally, SAP advises against using the Kleopatra tool for key management. For additional context, please refer to Note 3276828 - Updating pgp keys in pubring/secring of Cloud Integration tenant results in exception during decrypting/verifying a PGP message . This SAP Note contains useful references for investigating the issue.

See PDF version of SAP Note 3276828 - Updating pgp keys in pubring/secring of Cloud Integration tenant results in exception during decrypting/verifying a PGP message

Thank you.