OpenPGP Nodes for n8n
Introduction
The /n software n8n nodes extend n8n with powerful integration capabilities backed by the /n software node library. These nodes allow workflows to securely exchange data with external systems using proven Internet protocols and services.
Two commonly used nodes for message encryption, signing, decryption, and/or verification are the OpenPGP Encoder and OpenPGP Decoder nodes:
- The OpenPGP Encoder node is used to sign and/or encrypt data within an n8n workflow.
- The OpenPGP Decoder node is used to decrypt OpenPGP messages and verify digital signatures within an n8n workflow.
The OpenPGP nodes support both keyring-based and individual key-based configurations, as well as symmetric encryption/decryption. Keys may be provided directly (ASCII-armored) or loaded from files or directories on disk. Both nodes implement OpenPGP functionality internally and do not require external dependencies. This article provides an overview of both nodes, their basic configuration, and common usage patterns.
Node Installation
Before proceeding, please ensure that the /n software n8n nodes have been installed successfully. For instructions on how to install the /n software n8n nodes, please refer to the installation guide here. Afterwards, assuming the mentioned node location is populated, simply restart your n8n server instance, and the /n software nodes should be searchable via the n8n UI.
OpenPGP Encoder Node
The OpenPGP Encoder node takes input data (either from a file or binary data from other nodes) and generates a signed and/or encrypted OpenPGP message. A typical workflow might generate a file, pass it to the OpenPGP Encoder node, and send the resulting encrypted file via SFTP, email, or another node/API.
The behavior of the encoder is mainly controlled by two properties:
- EncryptData - When enabled, the provided input data will be encrypted (enabled by default).
- SignData - When enabled, the data will be digitally signed (disabled by default).
Encryption
When encrypting, there are a few different ways to specify the recipient keys to use for encryption, via either the RecipientKey, HomeDir and RecipientUserId, or PGPParams properties.
When using an individual PGP public key, the RecipientKey should be set to the string representation of the PGP public key. If the key is stored in a key file, then this property should be set to the path to that file; alternatively, the ASCII-armored key data can be set directly in this property.
When using a keyring, you can set the HomeDir property to the path to the keyring directory. In this case, if multiple keys are present within the keyring directory, the RecipientUserId property can be specified to select a specific key from the keyring (otherwise, the first key will be selected).
Lastly, the PGPParams property may be utilized if the message is intended for multiple recipients, and multiple keys therefore need to be specified (for a full list of possible parameters, please refer to the product documentation). This property can be used to specify multiple values, separated by a newline. For example, to specify multiple recipient keys in a given directory, this could look like:
homedir=C:\path\to\keyring\
recipient-userid[0]=test test@test.com
recipient-userid[1]=test2 test2@test2.com
Signing
When signing, there are a few different ways to specify the signer keys, via either the Key, HomeDir and UserId, or PGPParams properties.
When using an individual PGP private key, the Key should be set to the string representation of the PGP private key. If the key is stored in a key file, then this property should be set to the path to that file; alternatively, the ASCII-armored key data can be set directly in this property. The Passphrase property must be specified in this case, assuming the private/secret key has one.
When using a keyring, you can set the HomeDir property to the path to the keyring directory. In this case, if multiple keys are present within the keyring directory, the UserId property can be specified to select a specific signing key from the keyring (otherwise, the first key will be selected). The Passphrase property must be specified in this case, assuming the private/secret key has one.
Lastly, the PGPParams property may be utilized (for a full list of possible parameters, please refer to the product documentation). For example:
homedir=C:\path\to\keyring\
userid=test test@test.com
passphrase=testpgp
Input and Output
Input data to encrypt and/or sign is either specified via the InputFile property (specifying a path to a file on disk), or provided as binary data from the workflow if the input file is not specified.
After the node executes successfully, the output is passed either to the path specified by the OutputFile property or passed as binary data to the workflow if the output file is not specified.
Additional Configs
Aside from key-related and IO-related properties, there are a few other commonly used properties:
- ASCIIArmor - Controls whether the output is ASCII-armored (enabled by default).
- CompressionMethod - Specifies the compression algorithm used when generating output. Possible values: zip (default), zlib, bzip2, none
- EncryptingAlgorithm - Specifies the encryption algorithm used when encrypting data. Possible values: AES128 (default), AES192, AES256, CAST5, 3DES (or TripleDES), BLOWFISH, TWOFISH, IDEA
- SigningAlgorithm - Specifies the signature hash algorithm used when signing. Possible values: SHA256 (default), SHA384, SHA512, SHA1, MD5, SHA224, RIPEMD160
- SymmetricPassphrase - Specifies the passphrase used for symmetric encryption. When it is set, the data is encrypted with this passphrase and no recipient keys are used (note, this is set via the Other property, unlike the above properties).
OpenPGP Decoder Node
The OpenPGP Decoder node takes encrypted/signed OpenPGP messages, and provides decrypted output and/or verifies signatures attached to the message. A typical workflow might receive an encrypted file via FTP, SFTP, etc., pass the file to OpenPGP Decoder, and process the decrypted payload in downstream nodes.
The decoder will automatically detect whether the incoming message is encrypted and/or signed.
Decryption
When decrypting, there are a few different ways to specify the keys to use for decryption, via either the Key, HomeDir and UserId, or PGPParams properties.
When using an individual PGP private key, the Key should be set to the string representation of the PGP private key. If the key is stored in a key file, then this property should be set to the path to that file; alternatively, the ASCII-armored key data can be set directly in this property. The Passphrase property must be specified in this case, assuming the private/secret key has one.
When using a keyring, you can set the HomeDir property to the path to the keyring directory. In this case, if multiple keys are present within the keyring directory, the UserId property can be specified to select a specific key from the keyring (otherwise, the first key will be selected). The Passphrase property must be specified in this case, assuming the private/secret key has one.
Lastly, the PGPParams property may be utilized when several settings need to be specified together, for example when the message was encrypted to multiple recipients and the correct key has to be selected (for a full list of possible parameters, please refer to the product documentation). This property can be used to specify multiple values, separated by a newline. For example, to select a decryption key from a given keyring directory and supply its passphrase, this could look like:
homedir=C:\path\to\keyring\
userid=test test@test.com
passphrase=testpgp
Signature Verification
When verifying a signature, there are a few different ways to specify the signer keys, via either the SignerKey, HomeDir and SignerUserId, or PGPParams properties.
When using an individual PGP public key, the SignerKey should be set to the string representation of the PGP public key. If the key is stored in a key file, then this property should be set to the path to that file; alternatively, the ASCII-armored key data can be set directly in this property.
When using a keyring, you can set the HomeDir property to the path to the keyring directory. In this case, if multiple keys are present within the keyring directory, the SignerUserId property can be specified to select a specific key from the keyring (otherwise, the first key will be selected).
Lastly, the PGPParams property may be utilized (for a full list of possible parameters, please refer to the product documentation). For example:
homedir=C:\path\to\keyring\
signer-userid[0]=test test@test.com
signer-userid[1]=test2 test2@test2.com
Input and Output
Input data to decrypt and/or verify is either specified via the InputFile property (specifying a path to a file on disk), or provided as binary data from the workflow if the input file is not specified.
After the node executes successfully, the output is passed either to the path specified by the OutputFile property or passed as binary data to the workflow if the output file is not specified.
Additional Configs
Aside from key-related and IO-related properties, there are a few other configuration settings that may be set via the Other property:
- RequireEncryption - When enabled, this requires the input message to be encrypted, and an error will be thrown if the message is not encrypted. This is disabled by default.
- RequireSignature - When enabled, this requires the input message to be signed, and an error will be thrown if no signature is present. This is disabled by default.
- SymmetricPassphrase - Specifies the password used for symmetric decryption. In this case, no keys are used for decryption.
To set these configs, specify them via the Other property, one setting per line. To do so, simply change the type of the property to 'Expression' and specify one or more settings. For example:
RequireEncryption=true
RequireSignature=true
SymmetricPassphrase=testpassword
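As an added example (not code from /n software or from the n8n nodes), the following JavaScript parses the newline-separated key=value text used by both the PGPParams property (with indexed keys such as recipient-userid[0]) and the Other property shown above, and then applies the decoder's RequireEncryption/RequireSignature semantics to a message whose encrypted/signed state the decoder has already detected. Function names, the lowercased key names and the sample inputs are my own; the settings values are the ones from this article.

```javascript
// Parse PGPParams / Other text: one "key=value" per line. Keys are
// case-insensitive here (stored lowercased); "name[n]" keys collect into an
// array under "name". Values keep their spacing after the first '='.
function parseParams(text) {
  const result = {};
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "") continue;            // blank lines are ignored
    const eq = line.indexOf("=");
    if (eq < 0) throw new Error(`malformed setting (no '='): ${line}`);
    const key = line.slice(0, eq).trim().toLowerCase();
    const value = line.slice(eq + 1);
    const indexed = /^([a-z0-9-]+)\[(\d+)\]$/.exec(key);
    if (indexed) {
      const [, base, idx] = indexed;
      if (!Array.isArray(result[base])) result[base] = [];
      result[base][Number(idx)] = value;          // sparse if an index is skipped
    } else {
      result[key] = value;
    }
  }
  return result;
}

// Boolean settings in the Other property are written as "true"/"false".
function isTrue(value) {
  return typeof value === "string" && value.trim().toLowerCase() === "true";
}

// message = { encrypted: bool, signed: bool } as auto-detected by the decoder.
// Returns the list of policy violations; an empty list means the message
// satisfies the Require* settings and may be processed downstream.
function checkDecoderRequirements(settings, message) {
  const errors = [];
  if (isTrue(settings.requireencryption) && !message.encrypted) {
    errors.push("RequireEncryption is set but the input message is not encrypted");
  }
  if (isTrue(settings.requiresignature) && !message.signed) {
    errors.push("RequireSignature is set but no signature is present");
  }
  return errors;
}

// Constructed sample inputs, in the format the article shows.
const ENCODER_PARAMS = [
  "homedir=C:\\path\\to\\keyring\\",
  "recipient-userid[0]=test test@test.com",
  "recipient-userid[1]=test2 test2@test2.com",
].join("\n");
const DECODER_OTHER = [
  "RequireEncryption=true",
  "RequireSignature=true",
  "SymmetricPassphrase=testpassword",
].join("\n");
```

Running checkDecoderRequirements(parseParams(DECODER_OTHER), { encrypted: true, signed: false }) yields one violation for the missing signature, which is the condition under which the decoder node raises an error.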
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.