Encryption at Rest for SFTP Imports
Updated over a year ago

Encryption at rest

Through our SFTP Encryption at Rest feature, clients can store their staff and leave balance data in an encrypted format on their SFTP server.


The feature can be turned on for individual integrations that have configurable SFTP Settings in Workforce.com. The feature uses PGP/GPG key pairs to handle the encryption/decryption process.

How to enable the feature

  1. Visit the Edit page for an integration with configurable SFTP settings

  2. Click on "Show Advanced Options" to edit the SFTP settings

  3. If the core fields such as host, username, and import paths are not already configured, complete these fields. You can find more details on this process in our SFTP for Payroll guide.

  4. Once your primary fields are entered, select the Encryption at Rest checkbox to turn on the setting

    1. If you plan to use the SFTP encryption at rest for staff imports, also select the "Auto Import Staff" option.

Encrypting files

Note: This process involves some interaction with your computer's terminal. A basic understanding of commands, like cd, will be helpful.

Install GnuPG/GPG Library

You will need the GnuPG / GPG library installed on your computer to encrypt files.

  1. Check if gnupg / gpg is installed on your computer and install it if not:

    1. Open your terminal and run: gpg --version

    2. If this returns a version number, move on to step 2

    3. If no version number returns, you'll need to install the library

      1. Mac process

        1. If you have Homebrew installed, run:

          1. brew install gnupg

        2. If you don’t have Homebrew installed (run brew --version to see if it’s installed), install it first by following the steps on the Homebrew site

          1. Once installed, run:

            1. brew install gnupg

      2. Linux process

        1. sudo apt-get install gnupg

    4. You can verify the install worked by running gpg --version

Import our public key into your GPG keyring

  1. When you turn on the Encryption at Rest setting for an integration, you will see a link to download a copy of our public key. Download this key file to your computer.

    1. It should be named workforce_tanda_public_key. If you rename it or it saves with a different name/extension, use that file name in the next step.

  2. In your terminal use the cd (change directory) command to navigate into the folder where you saved your file and run the following command to import the key into your keyring:

    1. gpg --import workforce_tanda_public_key

  3. To verify the key is stored, run gpg --list-keys and check that a key from Workforce.com Tanda is listed. The list should include a long string of numbers and letters - this is the key's fingerprint. Copy the value to use in the next step.

Encrypt a CSV file

  1. In your terminal, cd into the folder where the CSV file you want to encrypt is saved.

  2. Run the following command to generate an encrypted version of the file:

    1. gpg -a -o <desired_encrypted_file_name.csv.gpg> -r <fingerprint> -e <original_filename.csv>

    2. Example:

      1. The original file is named staff.csv and the encrypted file will be named encrypted_staff.csv.gpg

      2. gpg -a -o encrypted_staff.csv.gpg -r ABED888135AC88900EE1789EE -e staff.csv

  3. You can confirm the encrypted file was created by running ls. This will output the list of files in your current directory.
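The import, fingerprint and encrypt steps above can be scripted for unattended exports. The following is an added example, not Workforce.com's code: it compares the downloaded key's fingerprint with one you already trust before importing it, and checks that the output really is an armored PGP message before it is handed to the upload step. It assumes GnuPG 2.2 or later; the function names, the sample listing and its fingerprints are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Workforce.com's code. The sample listing and its
# fingerprints are constructed placeholders.

# Constructed sample of `gpg --with-colons` output: one primary key, one subkey.
SAMPLE_LISTING='pub:-:4096:1:1111222233334444:1600000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1600000000::::Constructed Example Key:
sub:-:4096:1:5555666677778888:1600000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# Print primary-key fingerprints from colon-format output on stdin. The "fpr"
# record after "pub" is the primary key; the one after "sub" is a subkey.
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# True only if the file starts like the ASCII-armored output of `gpg -a -e`.
is_armored_message() {
  [ "$(head -n 1 "$1" 2>/dev/null)" = "-----BEGIN PGP MESSAGE-----" ]
}

# encrypt_for_import <public_key_file> <expected_fingerprint> <csv_file>
# expected_fingerprint: 40 hex characters, upper case, no spaces.
encrypt_for_import() {
  local key_file=$1 expected=$2 csv=$3 out="$3.gpg" actual
  # Inspect the downloaded key file without touching the keyring.
  actual=$(gpg --batch --with-colons --import-options show-only \
               --import "$key_file" | primary_fingerprints)
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch, not importing: '$actual'" >&2
    return 1
  fi
  gpg --batch --import "$key_file" || return 1
  # In batch mode gpg refuses a recipient key it has no trust data for;
  # the fingerprint was pinned above, so skip the trust check for this call.
  gpg --batch --yes --trust-model always -a -o "$out" \
      -r "$expected" -e "$csv" || return 1
  if ! is_armored_message "$out"; then
    echo "refusing to hand over $out: not an armored PGP message" >&2
    rm -f "$out"
    return 1
  fi
  printf '%s\n' "$out"
}

# Run the whole flow when called with the three arguments.
if [ "$#" -eq 3 ]; then encrypt_for_import "$@"; fi
```

The script writes the encrypted file next to the original as `<csv_file>.gpg`, so the import path in the SFTP settings has to use that name.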

Upload to SFTP server

Upload your encrypted file to your SFTP server. Double check that the file name and folder placement aligns with the import path you specified when setting up the SFTP settings.
