Any API gateway or builder comes with PGP encrypt/decrypt?

Kegler

Supremacy Member | Joined Jun 27, 2000 | Messages 5,987 | Reaction score 307
Looking for a solution with PGP to build my API gateway, any good recommendations?
 

davidktw

Arch-Supremacy Member | Joined Apr 15, 2010 | Messages 13,547 | Reaction score 1,301
> Looking for a solution with PGP to build my API gateway, any good recommendations?

Curiously, where is your security end to end for an API GW where PGP makes sense? You encrypt your payload at your API GW client, then send it over to the API GW for decryption? If so, HTTPS with mutual TLS would have provided the same level of protection.

Unless your encrypted payload is to be decrypted beyond the API GW, then maybe the PGP/GPG approach makes more sense. In this case, your API GW doesn't even need to understand PGP/GPG.

If you are really looking for one, perhaps Mulesoft

:)
 

Kegler

> Curiously, where is your security end to end for an API GW where PGP makes sense? You encrypt your payload at your API GW client, then send it over to the API GW for decryption? If so, HTTPS with mutual TLS would have provided the same level of protection.
>
> Unless your encrypted payload is to be decrypted beyond the API GW, then maybe the PGP/GPG approach makes more sense. In this case, your API GW doesn't even need to understand PGP/GPG.
>
> If you are really looking for one, perhaps Mulesoft
>
> :)

Ya, agree with you… not so much for the gateway to decrypt, but rather an all-in-one solution that covers GW, decrypt and insert to DB.
Mulesoft is kinda expensive, so small and medium companies won't look there… looking for something similar with fewer capabilities.
Something quick that an SME can use to build their API solution.
 

davidktw

> Ya, agree with you… not so much for the gateway to decrypt, but rather an all-in-one solution that covers GW, decrypt and insert to DB.
> Mulesoft is kinda expensive, so small and medium companies won't look there… looking for something similar with fewer capabilities.
> Something quick that an SME can use to build their API solution.

If you really want PGP/GPG and it is done by your own solution at the client-end and app/server-end, then you can just use any API G/W.
I know the following:
  1. Tyk OSS (https://tyk.io/open-source/)
  2. Kong (https://konghq.com/install/#kong-community)
  3. NGINX (https://www.nginx.com/blog/deploying-nginx-plus-as-an-api-gateway-part-1/)
Any of the above will provide you with a starting point.
Using PGP/GPG, the exchange of the public key is an offline operation between the web services client and the app/server-end. The API G/W does not need to participate at all.
If you are searching for simplicity, I actually don't quite understand why you want to dabble in PGP/GPG, since most solutions out there today use OAuth/JWT for authentication and access control. Your bearer token in the HTTP headers, while handshaking with the API G/W, will do, and this is common knowledge among numerous implementors using API G/Ws too. Using PGP/GPG is really uncommon.

To secure the payload between the client and the API G/W, HTTPS will suffice. If you want endpoint to endpoint beyond the client and the API G/W, then consider PGP/GPG.
If you are willing to share more details about your goals, then perhaps I can advise more. Otherwise this is as much as I can provide at the moment.

:)
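
The endpoint-to-endpoint arrangement described in the post above, as an added example that is not part of the original thread: the client encrypts to the backend's public key, the gateway hop only relays bytes and holds no PGP key, and the backend decrypts. It assumes GnuPG 2.2 or later on the PATH; the key name `backend@example.invalid`, the sample payload and the function name `pgp_roundtrip` are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: throwaway keys in temporary keyrings; ~/.gnupg is never touched.
set -eu

pgp_roundtrip() {
  local work client backend payload out
  work=$(mktemp -d)
  client="$work/client"; backend="$work/backend"
  mkdir -m 700 "$client" "$backend"
  payload='{"amount":"10.00","ref":"INV-0001"}'   # constructed sample payload

  # Backend (app/server end) creates its key pair. No passphrase, for the demo only.
  gpg --homedir "$backend" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'backend@example.invalid' default default never

  # Offline step: the public key is handed to the client out of band.
  gpg --homedir "$backend" --batch --armor --export 'backend@example.invalid' > "$work/backend.pub"
  gpg --homedir "$client" --batch --quiet --import "$work/backend.pub"

  # Client encrypts to the backend's key before calling the API.
  printf '%s' "$payload" | gpg --homedir "$client" --batch --quiet --armor \
      --trust-model always --recipient 'backend@example.invalid' --encrypt > "$work/body.asc"

  # Gateway hop: relays the request body unchanged and has no keyring at all.
  cp "$work/body.asc" "$work/forwarded.asc"
  if grep -q 'INV-0001' "$work/forwarded.asc"; then
    echo "plaintext visible at the gateway" >&2; return 1
  fi

  # Backend decrypts with its private key.
  out=$(gpg --homedir "$backend" --batch --quiet --decrypt "$work/forwarded.asc")

  gpgconf --homedir "$backend" --kill gpg-agent || true
  rm -rf "$work"
  printf '%s' "$out"
}

# Usage: pgp_roundtrip   (prints the payload as recovered by the backend)
```

In a real deployment the gateway would still terminate HTTPS and check the bearer token; only the body stays opaque to it.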
 

Kegler

I totally understand your point and agree 😉
Some bank integrations are still using PGP to encrypt the payload.

I'm really looking for an all-in-one solution for SMEs to easily build, where they could encrypt their payload and interface with the bank. Something like an adapter that an SME could easily integrate into their solution. PGP-encrypted payload is really uncommon, which is why I'm looking for an easy way out for such customers.

After googling for weeks, and from your response, I guess this doesn't exist.
 

davidktw

> I totally understand your point and agree 😉
> Some bank integrations are still using PGP to encrypt the payload.
>
> I'm really looking for an all-in-one solution for SMEs to easily build, where they could encrypt their payload and interface with the bank. Something like an adapter that an SME could easily integrate into their solution. PGP-encrypted payload is really uncommon, which is why I'm looking for an easy way out for such customers.
>
> After googling for weeks, and from your response, I guess this doesn't exist.

Kinda confused with which tier of the entire ecosystem you are tackling.

I know NETS uses PGP (https://silo.tips/download/a-better-way-to-pay-unified-merchants-api-umapinet-integration-manual).

But you are asking about an API G/W as your solution. If I understand properly how "this" API G/W will be placed, it should look something like this:

MERCHANT(SME) ---> YOUR API G/W ----> PAYMENT G/W API G/W

From YOUR API G/W, PAYMENT G/W API G/W will be the backend servers behind YOUR API G/W. If you are trying to alleviate the PGP complexities from the MERCHANT, then YOUR API G/W will be part of the infrastructure of the MERCHANT. Otherwise it may not be a secure ENDPOINT-2-ENDPOINT solution.

If that is the case, PGP at the API G/W is not really what you should be looking for. PGP at API G/W implementation is AA between the END-USER and the API G/W, which is between MERCHANT and YOUR API G/W.

You have emphasised a one-stop solution, hence I'm not sure one-stop from whose perspective exactly. If it is the merchant one-stop solution that you are providing, then it seems what you are trying to do is to provide a 2nd-tier solution where the PAYMENT G/Ws are your partners. You are providing a payment solution on behalf of your payment G/W partners to other merchants.

Correct me if I have got your architecture wrong.

If what you are providing is YOUR API G/W solution where it communicates with other PAYMENT G/Ws using PGP, then you can simply implement it using Spring Framework (if you are on a Java stack) providing REST WS, or other REST WS frameworks at your disposal. The authentication layer can be just OAuth2 for simplicity. The PGP key is stored at this middleware tier.

Thanks
:)
 