Application layer encryption
Cards QR APIs support either PGP or JWE for application layer
encryption.
PGP encryption
PGP is a standard set of encryption, decryption, and signing algorithms which
provide cryptographic privacy and authentication.
When using PGP to encrypt payloads, partners must support:
- Encrypting and decrypting payloads with multiple PGP keys.
- Signing payloads with multiple PGP keys.
- Verifying a payload with multiple signatures, any one of which can be the
signature with the key provided by Google.
- Decryption of Web-safe base64 encoded payloads.
PGP public keys provided to Google must have a subkey used for encryption. The
subkey allows for independent rotation from the master key. The master key
is used for identity verification. Private keys must be 2048 (or greater)
bit RSA keys that expire in one year with a maximum lifetime of two years.
Before beginning development you need to exchange PGP keys with Google.
In this step, you generate a PGP public-private key pair, provide the public
key to Google, and receive a public key back from Google. During development,
you will only need to exchange sandbox keys used for development and testing
outside of production. Before production testing and launch, you will need to
perform another exchange of production keys.
Generating a new PGP key
Assuming you have a GPG binary in your system path, you
can use the following POSIX command to create a new key pair.
$ gpg --full-generate-key
When prompted, select an RSA key of at least 2048 bits and an
expiration of 1-2 years. This command should create both a master key
(labeled SC, for 'S'igning and 'C'ertificate generation) and a subkey
(labeled E, for 'E'ncryption).
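The key rules above can be checked mechanically before a public key is sent for exchange. The script below is an added example, not part of the original page or of Google's tooling: `check_key_policy` is a hypothetical helper that parses `gpg --with-colons` output, the sample listings are constructed, and "lifetime" is assumed to mean expiry time minus creation time.

```shell
# Added example. check_key_policy (hypothetical name) reads the output of
#   gpg --with-colons --list-keys {key_id}
# Colon fields used: 1=record type, 3=key length, 4=algorithm (1 = RSA),
# 5=key ID, 6=creation time, 7=expiry time (epoch seconds), 12=capabilities.
check_key_policy() {
  awk -F: '
    function check(name, len, algo, created, expires) {
      if (algo != 1)  { print "FAIL " name ": not an RSA key"; bad = 1 }
      if (len < 2048) { print "FAIL " name ": " len " bits, need 2048 or more"; bad = 1 }
      if (expires == "") { print "FAIL " name ": no expiration set"; bad = 1 }
      else if (expires - created > MAX_LIFE) {
        print "FAIL " name ": lifetime exceeds two years"; bad = 1
      }
    }
    BEGIN { MAX_LIFE = 731 * 86400 }   # two years, allowing one leap day
    $1 == "pub" { check("primary key " $5, $3, $4, $6, $7) }
    $1 == "sub" && $12 ~ /e/ {
      has_enc = 1
      check("encryption subkey " $5, $3, $4, $6, $7)
    }
    END {
      if (!has_enc) { print "FAIL no subkey with the encryption (e) capability"; bad = 1 }
      if (!bad) print "OK key meets the stated policy"
      exit bad + 0
    }'
}

# Constructed sample listings (key IDs and timestamps are made up).
GOOD_KEY='pub:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:1731536000::u:::scESC:
sub:u:3072:1:BBBBBBBBBBBBBBBB:1700000000:1731536000:::::e:'
BAD_KEY='pub:u:1024:1:CCCCCCCCCCCCCCCC:1700000000:::u:::scSC:'

printf '%s\n' "$GOOD_KEY" | check_key_policy || true
printf '%s\n' "$BAD_KEY"  | check_key_policy || true
```

On a real keyring, pipe `gpg --with-colons --list-keys {key_id}` into the function instead of the sample text.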
PGP Library Configuration
Sending Payloads
- When signing, you should use SHA384 as the digest algorithm; do not use SHA1
or MD5.
- When encrypting, you should use AES256 as the symmetric encryption
algorithm; do not use CAST5 or IDEA.
- When encrypting or signing messages, be sure to select the subkey with the
corresponding purpose; use the CAN_SIGN key for signing and the
ENCRYPT_COMMS/ENCRYPT_STORAGE key for encrypting.
Receiving Payloads
- When verifying a payload, make sure your library supports modern hash
algorithms like SHA384. Google will begin using it on all new keys as of
May 14, 2023.
- When decrypting a payload, make sure your library supports modern symmetric
encryption algorithms like AES256. Google will begin using it on all new
keys as of May 14, 2023.
GPG Payload Encryption Example
The below command is an example of how to select secure options when using GPG.
It is expected that this operation is performed in a trusted environment where
people do not have access to the private keys or sensitive input files.
gpg --output signed-and-encrypted.pgp \
--sign --digest-algo SHA384 \
--encrypt --cipher-algo AES256 \
--armor \
--recipient {key_id} \
input.txt
GPG will automatically select the right key from the bundle for each operation
you ask it to perform.
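On the receiving side, a payload may carry several signatures, and gpg's single exit status does not say which of them verified or which algorithms were used. The script below is an added example, not from the original page: `check_status` is a hypothetical helper that reads gpg's machine-readable `--status-fd` lines, the fingerprints and status lines are constructed, and treating MD5/SHA1 signatures and IDEA/CAST5 ciphers as failures on receipt is this example's policy choice.

```shell
# Added example. check_status (hypothetical name) reads gpg status lines, e.g.
#   gpg --status-fd 1 --output payload.bin --decrypt message.pgp
# VALIDSIG: $3 = signing key fingerprint, $10 = hash ID, $12 = primary key fpr.
# DECRYPTION_INFO: $4 = symmetric cipher ID.
# OpenPGP IDs: hash 1=MD5 2=SHA1 9=SHA384; cipher 1=IDEA 3=CAST5 9=AES256.
check_status() {   # $1 = fingerprint of the key received from the other party
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "DECRYPTION_INFO" { cipher = $4 }
    # Any one valid signature from the expected key is enough; signatures
    # from other keys (ERRSIG and so on) are ignored rather than fatal.
    $2 == "VALIDSIG" && (($3 "") == (want "") || ($12 "") == (want "")) {
      if ($10 == 1 || $10 == 2) weak = 1; else good = 1
    }
    END {
      if (cipher == "") { print "FAIL payload was not encrypted"; bad = 1 }
      else if (cipher == 1 || cipher == 3) { print "FAIL cipher is IDEA or CAST5"; bad = 1 }
      if (!good && weak) { print "FAIL expected signer used MD5 or SHA1"; bad = 1 }
      else if (!good)    { print "FAIL no valid signature from expected key"; bad = 1 }
      if (!bad) print "OK signed by expected key, acceptable algorithms"
      exit bad + 0
    }'
}

# Constructed fingerprints and status lines (not real keys or real gpg output).
GOOGLE_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SIGN_SUB=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
STATUS_OK="[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] ERRSIG CCCCCCCCCCCCCCCC 1 9 00 1704067200 9 -
[GNUPG:] VALIDSIG $SIGN_SUB 2024-01-01 1704067200 0 4 0 1 9 00 $GOOGLE_FPR"
STATUS_WEAK="[GNUPG:] DECRYPTION_INFO 2 3
[GNUPG:] VALIDSIG $SIGN_SUB 2024-01-01 1704067200 0 4 0 1 2 00 $GOOGLE_FPR"

printf '%s\n' "$STATUS_OK"   | check_status "$GOOGLE_FPR" || true
printf '%s\n' "$STATUS_WEAK" | check_status "$GOOGLE_FPR" || true
```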
Last updated 2024-12-03 UTC.