sett quick start guide

Initial setup

  1. Install sett following the instructions given in Installing sett on your local computer.

  2. Run sett-gui.

  3. If you do not already possess a private/public PGP key pair, go to the Keys tab and create one following the instructions given in the Generating a new public/private PGP key pair section. You should now see your new key listed in the Private keys and Public keys fields of the Keys tab.

  4. If not already done, download the public key of the recipient with whom you want to exchange data. Go to the Keys tab and click on Download keys, then search for your contact’s key by entering either the email or the fingerprint associated with it. In all cases, you need to verify the key fingerprint before (or just after) downloading it.

    BioMedIT

    BioMedIT users need to download the SPHN DCC (Data Coordination Centre) public key in order to verify the genuineness of their and other people’s public keys (i.e. all keys used within BioMedIT must be signed by the DCC).

    To download the DCC key, enter the following fingerprint in the Download keys pop-up:

    B37CE2A101EBFA70941DF885881685B5EE0FCBD3
    

    After downloading the key, verify the full name, email address and fingerprint of the key again. Make sure that it is marked as “This key has been verified” (printed in green in the Keys tab when the key is selected in the Public keys list).

    Also make sure that your own key is signed by the DCC. If this is not the case, please request a signature as specified in Requesting a signature/certification from the SPHN Data Coordination Centre.

Getting a recipient’s key

In order to encrypt data for a given recipient, you must first obtain a copy of their public PGP key. Public keys are non-sensitive and can be freely downloaded from a keyserver. Please note, however, that all public keys must be signed before they can be used to encrypt data with the sett application.

Downloading a recipient’s key:

  1. Go to the Keys tab of the sett interface and click on Download key.
  2. A pop-up will appear, where you can search for your recipient by name, email, or key fingerprint.
  3. Select the key matching your search criteria, and click Download. The recipient’s key should now be listed under Public keys.

BioMedIT

For BioMedIT users, verify that your recipient’s key has been signed by the DCC. A green text saying “This key has been verified” should be displayed.
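
The fingerprint and DCC-signature checks described above can also be done with the gpg command. The shell functions below are an added example, not part of sett or its documentation: the function names are hypothetical, and the subject key, user IDs and timestamps in the sample listing are constructed. Only the DCC fingerprint is taken from this guide.

```shell
DCC_FPR="B37CE2A101EBFA70941DF885881685B5EE0FCBD3"  # as printed in this guide

# Print a fingerprint without spaces and in upper case. Fail unless it is a
# full 40-hex-digit fingerprint: short key IDs and e-mails are not accepted.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fpr" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Read `gpg --with-colons --check-sigs` output on stdin. Succeed only if the
# primary key with fingerprint $1 carries, on one of its user IDs, a
# signature that gpg marked good ("!" in field 2) and that was issued by the
# key with fingerprint $2 (field 5 holds the issuer's 16-hex-digit key ID).
key_certified_by() {
    subject=$(normalize_fpr "$1") || return 2
    signer=$(normalize_fpr "$2") || return 2
    signer_id=$(printf '%s' "$signer" | cut -c25-40)
    awk -F: -v subject="$subject" -v id="$signer_id" '
        $1 == "pub" { ctx = "pub"; target = 0; next }
        $1 == "fpr" && ctx == "pub" { target = ($10 == subject); ctx = "primary"; next }
        $1 == "uid" { ctx = "uid"; next }
        $1 == "sub" { ctx = "sub"; next }
        $1 == "sig" && ctx == "uid" && target && substr($2, 1, 1) == "!" && $5 == id { ok = 1 }
        END { exit !ok }
    '
}

# Constructed sample listing (made-up subject key, names and timestamps).
sample_listing() {
    cat <<'EOF'
pub:f:4096:1:0000111122223333:1600000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:f::::1600000000::::Alice Example <alice@example.org>:
sig:!::1:0000111122223333:1600000000::::Alice Example <alice@example.org>:13x:
sig:!::1:881685B5EE0FCBD3:1600000100::::Constructed DCC user ID:10x:
sub:f:4096:1:4444555566667777:1600000000::::::e:
fpr:::::::::9999888877776666555544444444555566667777:
sig:!::1:0000111122223333:1600000000::::Alice Example <alice@example.org>:18x:
EOF
}

# Against a real keyring, replace sample_listing with gpg itself:
#   gpg --with-colons --check-sigs "$recipient_fpr" \
#       | key_certified_by "$recipient_fpr" "$DCC_FPR"
```

gpg only reports `!` when it could verify the signature against the signer's public key in the local keyring, so the DCC key must already be imported and its own fingerprint checked.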

sett-gui quick start

Encrypting data

  1. Go to the Encrypt tab of the sett interface.

  2. Add one or more files and directories to encrypt by clicking Add files or Add directories.

  3. Select your own key in the Sender field. This is the key that will be used to sign the data.

  4. Select one or more Recipients by selecting them in the drop-down menu and clicking +. These are the keys that will be used to encrypt the data.

    BioMedIT

    For BioMedIT users, the selected Recipients must be officially approved Data Managers of the project for which data is being encrypted.

  5. DTR ID: specifying a valid Data Transfer Request ID is mandatory for data to be transferred into the BioMedIT network. For data not intended to be transferred into the BioMedIT network, the DTR ID field can be left empty (or set to any arbitrary value), but the Verify DTR ID checkbox must be disabled (see below).

    BioMedIT

    For BioMedIT users, the DTR ID field is mandatory. Only files encrypted with a valid and authorized DTR ID value can be transferred into the secure BioMedIT network. For this reason, BioMedIT users should always leave the Verify DTR ID checkbox enabled.

  6. Verify DTR ID checkbox: by default, Verify DTR ID is enabled and this will enforce the following checks (for data not intended to be transferred into the BioMedIT network, this checkbox should be disabled):

    • DTR ID is valid and the transfer is authorized by the DCC.
    • Sender and Recipients public PGP keys are signed by the central authority defined in the configuration file. By default the central authority is the DCC.
    • Recipients are officially approved Data Managers of the BioMedIT project for which data is being encrypted.

  7. Purpose: purpose of the data transfer. Please select either PRODUCTION or TEST. This field is mandatory for data being transferred into the BioMedIT network. For data not intended to be transferred into the BioMedIT network, this field can be left empty.

  8. Compress input data: by default this option is enabled, meaning that sett will compress the input data before encrypting it. If compression is not required, e.g. because the input data is already in a compressed form, then this option can be unchecked.

  9. Click Package & Encrypt to run the encryption workflow on your data.

Transferring data

  1. Go to the Transfer tab of the sett interface.

  2. Select one or more files to transfer using the Add files button.

  3. Select the transfer Protocol to be used.

  4. Enter the required transfer Parameters information depending on the selected protocol. You should have received these from the data recipient or your local BioMedIT node.

  5. Click Transfer selected files to start transferring your files.

    BioMedIT

    For transfers into the BioMedIT network the transfer protocol and associated parameters are provided by your local BioMedIT node.

Decrypting data

  1. Go to the Decrypt tab of the sett interface.
  2. Select one or more files to decrypt using the Add files button.
  3. Specify your desired Output location.
  4. Click on Decrypt selected files to decrypt your files.

sett command line quick start

The main commands to encrypt, transfer and decrypt data with sett CLI are given here. Note that key management is not implemented in the CLI. Please use sett-gui or the gpg command.

# Data encryption:
sett encrypt --sender <sender key fingerprint or email> --recipient <recipient key fingerprint or email> --dtr-id <data transfer ID> --purpose <purpose> --output_name <output file name> <files or directories to encrypt>

# Data transfer.
# to SFTP server:
sett transfer --protocol=sftp --protocol-args='{"host": "HOST","username":"USERNAME", "destination_dir":"DIR", "pkey":"PRIVATE_RSA_SSH_KEY"}' <files to transfer>
# to liquid-files server:
sett transfer --protocol=liquid_files --protocol-args='{"host": "HOST","subject": "SUBJECT", "message": "MESSAGE","api_key":"APIKEY","chunk_size": 100}' <files to transfer>

# Data decryption:
sett decrypt --output_dir=<output directory> <files to decrypt>