Encryption at rest
Through our SFTP Encryption at Rest feature, clients can store their staff and leave balance data in an encrypted format on their SFTP server.
The feature can be turned on for individual integrations that have configurable SFTP Settings in Workforce.com. The feature uses PGP/GPG key pairs to handle the encryption/decryption process.
How to enable the feature
Visit the Edit page for an integration with configurable SFTP settings
Clock on "Show Advanced Options" to edit the SFTP settings
If the core fields such as host, username, and import paths are not already configured, complete these fields. You can find more details on this process in our SFTP for Payroll guide.
Once your primary fields are entered, select the Encryption at Rest checkbox to turn on the setting
If you plan to use the SFTP encryption at rest for staff imports, also select the "Auto Import Staff" option.
Note: This process involves some interaction with your computer's terminal. A basic understanding of commands, like
cd, will be helpful.
Install GnuPG/GPG Library
You will need the GnuPG / GPG library installed on your computer to encrypt files.
gpgis installed on your computer and install it if not:
Open your terminal and run:
If this returns a version number, move on to step 2
If no version number returns, you'll need to install the library
You can verify the install worked by running
Import our public key into your GPG keyring
When you turn on the Encryption at Rest setting for an integration, you will see a link to download a copy of our public key. Download this key file to your computer.
It should be named workforce_tanda_public_key. If you rename it or it saves with a different name/extension, use that file name in the next step.
In your terminal use the
cd(change directory) command to navigate into the folder where you saved your file and run the following command to import the key into your keyring:
gpg --import workforce_tanda_public_key
To verify the key is stored, run
gpg --list-keysand check that a key from Workforce.com Tanda is listed. The list should include a long string of numbers and letters - this is the key's fingerprint. Copy the value to use in the next step.
Encrypt a CSV file
In your terminal,
cdinto the folder where the CSV file you want to encrypt is saved.
Run the following command to generate an encrypted version of the file:
gpg -a -o <desired_encrypted_file_name.csv.gpg> -r <fingerprint> -e <original_filename.csv>
The original file is named staff.csv and the encrypted file will be named encrypted_staff.csv.gpg
gpg -a -o encrypted_staff.csv -r ABED888135AC88900EE1789EE -e staff.csv
You can confirm the encrypted file was created by running
ls. This will output the list of files in your current directory.
Upload to SFTP server
Upload your encrypted file to your SFTP server. Double check that the file name and folder placement aligns with the import path you specified when setting up the SFTP settings.