Workday Tutorial: PGP Encryption

For data encryption and signing, Workday supports PGP (Pretty Good Privacy), a public key encryption standard. PGP provides an asymmetric key encryption scheme; each entity has a key pair, and each pair consists of one public key and one private key. The public key is used to encrypt data and verify digital signatures, and the corresponding private key is used to sign files and decrypt data. The public key is intended to be provided to entities that will encrypt data only for you, so distributing your public key is not a security concern. Data encrypted with your public key can be decrypted only with your private key.

Workday can encrypt outbound and decrypt inbound Cloud Connect, Studio, and EIB (Enterprise Interface Builder) integration files using PGP; Workday can also digitally sign outbound integration files. This ensures that only you and your trading partners can read the data that you exchange, and allows your trading partner to confirm that an outbound integration file came from you. You store all PGP keys in your tenant; this lets you, and requires you to, maintain your own encryption keys so that you and your trading partners can secure your integration traffic.

PGP keys can be created in Workday.

· For inbound integrations: if the file is to be opened by the Workday tenant, we need to create the key in Workday (which stores the private key) and give the public key to anyone who needs to encrypt files for Workday. Examples: Benefits and 401K loan payments data, which are inbound.

· For outbound integrations: if Workday is sending the encrypted file, we need to get the destination system's public key and use that to encrypt files. The destination system will then use its private key to decrypt, open and read the file. An example is the Payroll sync file going to ADP.
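
The inbound case above, shown with GnuPG as an added example (not Workday's own tooling and not code from the original tutorial): one keyring stands in for the tenant that stores the private key, and a second keyring plays the trading partner that only ever receives the public key. The key name, address and CSV content are constructed; the outbound case is the same exchange with the roles swapped.

```bash
#!/usr/bin/env bash
# Added example (not Workday code). Key name, address and file content are constructed.
# "tenant" stands in for the side that stores the private key (Workday, for inbound
# files); "partner" is the external system that holds only the public key.

pgp_inbound_demo() {
  local work tenant partner uid rc
  uid='inbound@tenant.example'
  work=$(mktemp -d) || return 1
  tenant="$work/tenant"; partner="$work/partner"
  mkdir -m 700 "$tenant" "$partner" || return 1

  # 1. Receiving side creates the key pair; the private key stays in this keyring.
  #    The empty passphrase is only there so the demo runs unattended.
  gpg --homedir "$tenant" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Tenant Inbound <$uid>" default default never || return 1

  # 2. Only the public half is exported and handed to the partner.
  gpg --homedir "$tenant" --batch --armor --export "$uid" \
      > "$work/tenant-public.asc" || return 1

  # 3. Partner imports the public key and encrypts the inbound file to it.
  #    --trust-model always is a demo shortcut; in practice compare the key
  #    fingerprint with the key owner over a separate channel before encrypting.
  gpg --homedir "$partner" --batch --quiet --import "$work/tenant-public.asc" || return 1
  printf 'employee_id,loan_payment\n1001,150.00\n' > "$work/loan.csv"
  gpg --homedir "$partner" --batch --quiet --trust-model always --recipient "$uid" \
      --output "$work/loan.csv.pgp" --encrypt "$work/loan.csv" || return 1

  # 4. The partner keyring has no private key, so it cannot read the file back.
  if gpg --homedir "$partner" --batch --quiet \
         --decrypt "$work/loan.csv.pgp" >/dev/null 2>&1; then
    echo 'unexpected: decrypted without the private key' >&2
    return 1
  fi

  # 5. The private-key holder decrypts; the plaintext goes to stdout.
  rc=0
  gpg --homedir "$tenant" --batch --quiet \
      --decrypt "$work/loan.csv.pgp" 2>/dev/null || rc=1

  # Stop the per-keyring agents and remove the throwaway keyrings.
  gpgconf --homedir "$tenant" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$partner" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return $rc
}
```

Source the file and call `pgp_inbound_demo`; it prints the decrypted CSV only if the partner-side decryption attempt failed first.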

 

For additional information on PGP Certificates in Workday, refer to the following Community documentation:

 https://community.workday.com/doc/int/dan1370796399717