PGP keys

PGP keys are essential for encrypting and decrypting files.

PGP keys are used to encrypt and decrypt files so that they are unintelligible to anyone except the party that holds the correct key. PGP keys always come in pairs: a public key that encrypts files and the matching private key that decrypts them.

A public key is used to encrypt, while the private key is used to decrypt.

To encrypt files sent to Experience Cloud, the sending system uses one of the Medallia public PGP keys. Once the file is received, the importer automatically decrypts the file with the appropriate private key (maintained internally).

Note: Most installations are pre-configured to include the private key. If your instance does not have a private key, contact Medallia Support for assistance.

Importing and exporting files

For secure file transfers, companies should use PGP keys. Identify the correct key for the situation and share it with the IT administrator responsible for the file transfer setup. The admin will use this key to configure the company's encryption system. The importer automatically detects and decrypts PGP-encrypted files, provided the filename ends with .pgp or .gpg, or the file content itself identifies it as PGP encrypted.

PGP decryption of a feed file is triggered when any one of three criteria is met:

  • The filename ends in .pgp.
  • The filename ends in .gpg.
  • The first line of the file starts with -----BEGIN PGP MESSAGE-----, regardless of filename.

If the system is unable to decrypt the file, the problem is often mismatched PGP keys. See Troubleshooting PGP issues for help identifying the mismatch.

Companies wanting to receive encrypted exports need to provide their public key. Medallia expects keys to follow the OpenPGP ASCII Armor format (RFC 2440).

Sharing a public key

When you share public keys, do so in a secure manner. In principle, email is not completely secure, because someone could intercept the message and replace one public key with another; in practice it is generally OK, especially when the recipient verifies the received key's hash as described below. There are various alternative methods of exchanging the file(s): use one that both parties are comfortable with.

Warning: Never share a private key. Private keys must be kept secured at all times.

To send a public key, open or display the file (it is plain text) and copy the entire text block. For PGP keys, include the BEGIN and END lines (see Medallia public PGP keys for examples).

To verify that the key arrived unaltered, both parties should compare the file's hash value. For example, when a company receives a Medallia PGP public key, it should use a hash generator to compute a hash of the file it received. The sender and recipient then read the hash to each other over a separate channel (a phone call or messaging system) to confirm it matches. The keys listed in Medallia public PGP keys include the MD5 and SHA-256 hash values.
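The following is an added example, not code from this page or from Medallia: it reproduces the importer's three decryption criteria listed above and the received-key check from this section (complete BEGIN/END armor lines, SHA-256 of the exact bytes received compared against the published value). The sample key block is constructed for the demo and is not a real key; case-insensitive suffix matching is our assumption, since the page does not say whether .PGP is accepted.

```python
import hashlib
import hmac

# Constructed sample key block for the demo; it is NOT a real Medallia key.
SAMPLE_KEY = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "\n"
    "mQENBFplaceholderConstructedForTheExampleOnlyAAAA\n"
    "=abcd\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
PGP_MESSAGE_HEADER = b"-----BEGIN PGP MESSAGE-----"
KEY_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
KEY_END = "-----END PGP PUBLIC KEY BLOCK-----"


def needs_pgp_decryption(filename: str, data: bytes) -> bool:
    """Apply the importer's three criteria: .pgp suffix, .gpg suffix,
    or an armored PGP MESSAGE header on the very first line."""
    if filename.lower().endswith((".pgp", ".gpg")):  # case folding is our assumption
        return True
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")  # tolerate CRLF
    return first_line.startswith(PGP_MESSAGE_HEADER)


def is_armored_public_key(text: str) -> bool:
    """True when the pasted text is a complete ASCII-armored public key block:
    BEGIN line first and END line last, the lines the page says to include."""
    lines = [line.strip() for line in text.strip().splitlines()]
    return len(lines) >= 2 and lines[0] == KEY_BEGIN and lines[-1] == KEY_END


def key_sha256(data: bytes) -> str:
    """Hex SHA-256 of the exact bytes received; this is the value the two
    parties read to each other over a separate channel."""
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, published_sha256: str) -> bool:
    """Compare the received file's digest with the published one
    (constant-time compare, hex case-insensitive)."""
    return hmac.compare_digest(key_sha256(data), published_sha256.strip().lower())


if __name__ == "__main__":
    print(needs_pgp_decryption("feed.csv", b"-----BEGIN PGP MESSAGE-----\n..."))
    key_bytes = SAMPLE_KEY.encode()
    print(is_armored_public_key(SAMPLE_KEY), key_sha256(key_bytes))
```

The hash covers the exact bytes, so a key pasted with different line endings or a trailing newline added by an editor will produce a different SHA-256; compare the file as the sender published it.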