Overview: GPG was installed for OFAC and is run as gpg.exe. It is an open-source implementation of PGP encryption, used to encrypt files. It can create, remove, and manage public and private encryption keys from the command line. In OFAC, GPG is only used to encrypt a file with an existing public key. That key can expire, and this document describes how to update those encryption keys.

  1. Log into the server where the job is scheduled from (USKILEWEB2).
    • NOTE: You must be logged in under the same account that the task scheduler is run as. In the current case, it's run by the kiservice account.
  2. (Optional) Open the Command prompt on that server to check what keys are stored on the keyring:

         

         cd C:\OFAC Daily Batches\Scripts\Release_Console
         gpg --list-keys

 

The key ring should show the previous, expired keys:

 

  3. To replace the key, import the new key into the key ring. Find the file name of the new key in \\USKLIEWEB1\OFAC Daily Batches\Scripts\Release_Console:


 

  4. On the server, import the new key into the key ring. Navigate to the directory C:\OFAC Daily Batches\Scripts\Release_Console and run the import command:

         cd C:\OFAC Daily Batches\Scripts\Release_Console
         gpg --import PublicKeyFileName.asc

     (Make sure the file name in the command matches the file in the directory path.)


 

  5. (Optional) The new public encryption key is now added to the key ring. To check this, run gpg --list-keys and confirm that the key is there.


Troubleshooting:

If there is more than 1 key in the key ring, go to the bottom of the linked documentation to remove the old key from the key ring: Ofac Key Encryption.


NOTE: When adding and removing keys from the key ring, make sure to be logged into the same service account that runs the scheduled task.
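
The check in step 5 and the "more than 1 key" case under Troubleshooting can be scripted. The following is an added example, not part of the original procedure. It assumes PowerShell is available on the server and gpg.exe is on the PATH. Get-GpgKeyStatus is a hypothetical helper name, and the sample lines are constructed with placeholder key IDs.

```powershell
# Constructed sample of `gpg --list-keys --with-colons --fixed-list-mode`
# output. Key IDs, names and dates are placeholders, not real keys.
$sample = @(
    'pub:e:2048:1:AAAAAAAAAAAAAAAA:1546300800:1609459200::-:::sc:'
    'uid:e::::1546300800::0000::Example Old Key <old@example.invalid>:'
    'pub:-:4096:1:BBBBBBBBBBBBBBBB:1704067200:4102444800::-:::scESC:'
    'uid:-::::1704067200::0000::Example New Key <new@example.invalid>:'
)

# Hypothetical helper: parse the colon-delimited listing into one object per key.
# pub record: field 2 = validity ('e' means expired), field 5 = key ID,
# field 7 = expiration time in seconds since 1970 (empty = never expires).
# uid record: field 10 = user ID of the preceding pub record.
function Get-GpgKeyStatus {
    param([string[]]$ColonLines, [datetime]$Now = [datetime]::UtcNow)
    $epoch = New-Object datetime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $keys = @()
    foreach ($line in $ColonLines) {
        $f = $line -split ':'
        if ($f[0] -eq 'pub') {
            $expires = if ($f[6]) { $epoch.AddSeconds([double]$f[6]) } else { $null }
            $keys += [pscustomobject]@{
                KeyId   = $f[4]
                UserId  = $null
                Expires = $expires
                Expired = ($f[1] -eq 'e') -or ($expires -and $expires -lt $Now)
            }
        } elseif ($f[0] -eq 'uid' -and $keys.Count -and -not $keys[-1].UserId) {
            $keys[-1].UserId = $f[9]   # first user ID listed for this key
        }
    }
    $keys
}

$status = Get-GpgKeyStatus $sample
# On the server, under the service account, read the real key ring instead:
#   $status = Get-GpgKeyStatus (& gpg --list-keys --with-colons --fixed-list-mode)
$status | Format-Table KeyId, UserId, Expires, Expired

# More than one key on the ring is the Troubleshooting case above.
if (@($status).Count -gt 1) {
    Write-Warning "Key ring holds $(@($status).Count) keys; remove the old key."
}
# No unexpired key means the import in step 4 did not take effect.
if (-not @($status | Where-Object { -not $_.Expired })) {
    Write-Warning 'No unexpired public key on the key ring.'
}
```

Run it from a session logged in as the account that runs the scheduled task, since each Windows account has its own key ring.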