DDC PGP Encryption Standards for Secure File Transfers

Last updated: January 2026

Overview

To protect client data and maintain compliance with modern security requirements, DDC uses OpenPGP encryption for all automated file exchanges, including HR data, payroll files, pledge files, contribution receipts, eligibility files, and any recurring SFTP/FTP data feeds.

DDC enforces a security baseline using GnuPG 2.4, which provides modern cryptography, strict key validation, and long‑term compatibility.

What This Means for You

1. Your PGP Key Must Be Compatible With GnuPG 2.4

DDC can accept and use your public encryption key only if it successfully encrypts under GnuPG 2.4 (our production encryption engine).

A key that passes this compatibility test is considered:

Valid (Approved)

  • Encryption works under GnuPG 2.4

  • Key can be used for all production automations

  • No further action required

2. Keys That Need Attention

Some older keys may fail under modern cryptographic standards. If your key falls into one of the categories below, DDC will notify you.

⚠️ Legacy (Non‑Compliant — Requires Rotation)

This occurs when:

  • Your key works in older tools (like GnuPG 2.2 or Symantec/Broadcom PGP)

  • But fails in GnuPG 2.4

Common causes include:

  • Legacy PGP packet formats

  • SHA‑1 self‑signatures

  • Older encryption algorithms or key flags

Action required:
Please generate and send DDC a new, modern OpenPGP key.

Invalid (Rejected)

DDC cannot use your key if:

  • It fails encryption in both GnuPG 2.4 and GnuPG 2.2

  • It is expired or revoked

  • It lacks an encryption‑capable subkey

  • It uses unsupported or weak crypto

Action required:
A new key must be generated.

3. Expired Keys Cannot Be Used

Expired keys are treated as invalid for production encryption.

If encryption only works when bypassing expiration (during testing), we will notify you:

“Your key would work, but it is expired. Please renew or replace it.”

Expiration bypass is never allowed in production.

How to Send Your Key to DDC

You may provide your public key via:

  • Secure email attachment (ASCII‑armored .asc format preferred)

  • SFTP upload location

  • Encrypted email or secure file exchange platform approved by your internal IT/IS team

Upon receipt, DDC will:

  1. Import the key into our GnuPG 2.4 keyring

  2. Perform compatibility checks

  3. Notify you of approval or required changes
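A client-side pre-check for three of the rejection conditions listed above (expired, revoked, no encryption-capable subkey), added here as an example and not DDC's own tooling. It reads `gpg --show-keys --with-colons` output; the function names, sample listings and fixed key IDs are constructed for illustration, and passing it does not replace the GnuPG 2.4 encryption test.

```shell
#!/bin/sh
# Added example: static pre-check of a public key from a colon-format listing.
# Real use (GnuPG 2.2 or later; the file name is a placeholder):
#   gpg --show-keys --with-colons client-key.asc | precheck_key
# Assumes field 7 (expiry) is in epoch seconds, the GnuPG 2.x default.
# NOW (epoch seconds) can be preset to make results reproducible.

precheck_key() {
    awk -F: -v now="${NOW:-$(date +%s)}" '
        # Field 2: r = revoked, e = expired. Field 12: capabilities.
        function dead(v, ts) {
            return v ~ /^[re]/ || (ts != "" && ts + 0 <= now + 0)
        }
        $1 == "pub" {
            seen = 1
            if ($2 ~ /^r/) revoked = 1
            else if (dead($2, $7)) expired = 1
        }
        # Lowercase "e" marks a key or subkey that can itself encrypt.
        ($1 == "pub" || $1 == "sub") && $12 ~ /e/ && !dead($2, $7) { enc = 1 }
        END {
            if (!seen)        print "INVALID: no public key found"
            else if (revoked) print "INVALID: key is revoked"
            else if (expired) print "INVALID: key is expired"
            else if (!enc)    print "INVALID: no usable encryption-capable subkey"
            else              print "PRECHECK-OK: GnuPG 2.4 encryption test still required"
        }'
}

# Constructed sample listings (not real keys).
sample_good() { cat <<'EOF'
pub:-:255:22:AAAAAAAAAAAAAAAA:1700000000:1900000000::-:::scESC:::::ed25519:::0:
sub:-:255:18:BBBBBBBBBBBBBBBB:1700000000:1900000000:::::e:::::cv25519::
EOF
}
sample_expired() { cat <<'EOF'
pub:e:3072:1:CCCCCCCCCCCCCCCC:1600000000:1700000000::-:::sc::::::23::0:
sub:e:3072:1:DDDDDDDDDDDDDDDD:1600000000:1700000000:::::e::::::23:
EOF
}
sample_sign_only() { cat <<'EOF'
pub:-:255:22:EEEEEEEEEEEEEEEE:1700000000:1900000000::-:::scSC:::::ed25519:::0:
EOF
}

for s in sample_good sample_expired sample_sign_only; do
    printf '%s: ' "$s"; "$s" | precheck_key
done
```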

Why We Enforce These Standards

DDC recently migrated to a modern encryption stack as part of our cloud and security modernization efforts. Older keys that previously worked on legacy encryption systems may now fail due to strengthened security requirements.

This ensures:

  • Stronger cryptographic protection

  • Long‑term compatibility

  • Consistent automation reliability

  • Compliance with industry security policies

FAQs

Q: My key worked with your system before. Why do I need a new one?

Our upgraded encryption engine (GnuPG 2.4) enforces modern security requirements. Some older keys cannot meet those requirements and must be rotated.

Q: Can DDC generate a key for us?

No, not for files DDC sends to the customer. For security reasons, keys must be generated and maintained by the client. We can provide guidance but cannot generate or manage your keys.

Q: How long does validation take?

Validation is fast — typically within one business day after receiving your key.

Q: Do all of our files sent to DDC need to be PGP‑encrypted?

Yes. HR, payroll, pledge, eligibility, receipts, and recurring data files must all be PGP encrypted before transmission.

Need Assistance?

If you need help generating a new key or have questions about file exchange encryption, please reach out to ondemand@ddcpublicaffairs.com or your dedicated DDC project team or account manager. We can walk you through the requirements and confirm compatibility quickly.