For data encryption and signing, Workday supports
PGP (Pretty Good Privacy), a public key encryption standard. PGP provides an
asymmetric key encryption scheme; each entity has a key pair, and each pair
consists of one public key and one private key. The public key is used to
encrypt data and verify digital signatures, and the corresponding private key
is used to sign files and decrypt data. The public key is intended to be provided
to entities that will encrypt data only for you, so distributing your public
key is not a security concern. Data encrypted with your public key can be
decrypted only with your private key.
Workday can encrypt outbound and decrypt inbound
Cloud Connect, Studio, and EIB (Enterprise Interface Builder) integration files
using PGP; Workday can also digitally sign outbound integration files. This
ensures that only you and your trading partners can read the data that you
exchange, and allows your trading partner to confirm that an outbound
integration file came from you. You store all PGP keys in your tenant; this
enables (and requires) you to maintain your own encryption keys so that you
and your trading partners can secure your integration traffic.
PGP keys can be created in Workday.
· For inbound integrations: if the file is to be opened by the Workday tenant, we need to create the key pair in Workday (which stores the private key) and give the public key to anyone who needs to encrypt files for Workday. An example of inbound data is Benefits, 401K loan payments data.
· For outbound integrations: if Workday is sending the encrypted file, we need to get the destination system's public key and use it to encrypt the files. The destination system then uses its private key to decrypt, open and read the file. An example is the Payroll sync file going to ADP.
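The key directions in the two cases above can be rehearsed locally with GnuPG before a real exchange. This is an added example, not Workday tooling or code from the original page; the identities, file names, file contents and temporary keyrings are constructed, and it assumes GnuPG 2.1 or later is installed.

```sh
# Added example: identities, file names and contents are constructed. Two
# throwaway GnuPG home directories stand in for the tenant and the partner.
set -eu
TENANT=$(mktemp -d); PARTNER=$(mktemp -d); WORK=$(mktemp -d)
cleanup() {
  for h in "$TENANT" "$PARTNER"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$TENANT" "$PARTNER" "$WORK"
}
trap cleanup EXIT

# g <homedir> <gpg args>: run gpg non-interactively against one party's keyring.
g() {
  _home=$1; shift
  gpg --homedir "$_home" --batch --yes --quiet --no-tty --pinentry-mode loopback \
      --passphrase '' --trust-model always "$@" 2>/dev/null
}

setup_keys() {
  g "$TENANT"  --quick-generate-key tenant@example.test  default default never
  g "$PARTNER" --quick-generate-key partner@example.test default default never
  # Only public keys are exchanged; each private key stays in its own keyring.
  g "$TENANT"  --armor --export tenant@example.test  | g "$PARTNER" --import
  g "$PARTNER" --armor --export partner@example.test | g "$TENANT"  --import
}

# Inbound: the partner encrypts with the tenant's public key; the tenant decrypts.
inbound() {
  printf 'constructed inbound row\n' > "$WORK/in.csv"
  g "$PARTNER" -r tenant@example.test -o "$WORK/in.csv.pgp" --encrypt "$WORK/in.csv"
  g "$TENANT" --decrypt "$WORK/in.csv.pgp"
}
# The sender has no private key for the recipient, so it cannot read the file back.
sender_can_read_inbound() { g "$PARTNER" --decrypt "$WORK/in.csv.pgp" >/dev/null; }

# Outbound: the tenant signs with its private key and encrypts with the partner's
# public key; the partner decrypts and verifies (gpg status lines go to stdout).
outbound_status() {
  printf 'constructed outbound row\n' > "$WORK/out.csv"
  g "$TENANT" --local-user tenant@example.test --recipient partner@example.test \
    --output "$WORK/out.csv.pgp" --sign --encrypt "$WORK/out.csv"
  g "$PARTNER" --status-fd 1 --output "$WORK/recv.csv" --decrypt "$WORK/out.csv.pgp"
}

setup_keys
echo "inbound plaintext: $(inbound)"
sender_can_read_inbound || echo "sender cannot decrypt the inbound file"
outbound_status | grep -E 'GOODSIG|DECRYPTION_OKAY'
```

The `GOODSIG` status line is what lets the receiving side confirm the outbound file came from the holder of the tenant's private key; a production setup would protect private keys with a passphrase and validate key fingerprints out of band instead of using `--trust-model always`.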
For additional information on PGP Certificates in
Workday, refer to the following Community documentation: