AppSuite:Updating To Guard PGP

Guard Update

Starting with Guard 2.0, the proprietary Guard format is discontinued in favor of PGP encryption. The proprietary format is still supported for decoding/reading, but all future encryption will be done with PGP compliant encryption.

The upgrade from 1.2 to 2.0 requires database modification and data population. During the update, Guard 1.2 servers can continue to operate. During the alter tables, no additional Guard members can be added, but users can continue to encrypt and decode items. After the alter table is complete, a data population phase begins. During this phase, lookup tables are created for the existing PGP public keys. Depending on the number of users, this may take a while, but there will be no impact on the functioning Guard 1.2 servers.

The database upgrade is required for Guard 2.0 to function, but Guard 1.2 will function without issue on the updated database.

Guard Upgrade Process

Install Guard 2.0 on the server you would like to do the upgrade. The file should reflect all of the database and REST API settings as before. There have been some changes in the file (addressed below), but there are no changes required for the update process

Step 1: Test installation

Once the installation is complete, it is often best to test that Guard is configured properly and able to communiate with the OX backend. Use an email address that is a user on the OX system...for this example, we'll use

On command line:

/opt/open-xchange/guard/sbin/guard test

Guard should return a result similar to

 Response received.  Testing JSON
 {"":{"uid":13,"user":{"language":"en_US","displayName":"John Smith"},"cid":10}}
 User id 13
 Context 10
 Language en_US
 Name John Smith

If you do not get a "Success", then check the logs and file for a configuration issue.

Step 2: Upgrade

Once the installation is verified, the upgrade process can begin.

On command line:

/opt/open-xchange/guard/sbin/guard upgradePGP

This will begin the upgrade process. First, the required database alter function are performed. This is the only stage that locks the tables. During this process, no additional Guard users can be created.

Once this is done, then the lookup tables are populated. Progress will be written to the console.

Once complete, the database upgrade is finished.

Step 3: Configuration File

There are some minor changes to the Guard backend's file. This file will have to be altered on each of the Guard servers when they are each updated.

PGP lookup

When a user tries to send a PGP email to a recipient, Guard will check configured public key servers for the recipients PGP Public key. You can configure which servers are used in a comma deliminated list.

com.openexchange.guard.publicPGPDirectory = hkp://, hkp://

External Email URL

The URL for the external guest reader has been changed. The value can now be configured through the configuration cascade so that a custom domain can be used for each context. The file contains the default value if the configuration cascade is not present

This value will be used as the default unless over-written by cascade value com.openexchange.guard.externalReaderURL

Finally, each PGP email is also sent with a help file that explains what PGP is, and how to log onto Appsuite to view the email. The domain for appsuite should be configured here

Step 4: Start

Start Guard 2.0 using (Debian)

/etc/init.d/open-xchange-guard start