Expert Consultancy from Yellow Pelican


A site about Talend


If you're new to Public-key Cryptography, you'll soon come to learn that it sometimes requires a little bit of practice with Public-keys, Private-keys and pass phrases. You'll want to get the basics right first, before you embark on encryption and decryption within Talend.

At first glance, it may seem a little odd that Talend supports GNU Privacy Guard (GnuPG) decryption; but does not appear to support any form of encryption. As you come to understand Talend's support for Cryptography, you'll come to realise that this is less significant than it first appears.

Getting GPG Basics Right

As previously discussed, you'll first of all want to get the basics of your Cryptography right before you start implementing Cryptography within Talend. This, more than likely, means that you'll be using GNU Privacy Guard (GnuPG).

The fundamentals of GNU Privacy Guard (GnuPG) are outside the scope of this documentation and there are plenty of resources that will guide you through its implementation. There's an excellent GPG Quick-start Guide which should get you up and running in minutes.

Depending on your requirements, you need to get yourself to the point where you can encrypt and/or decrypt your chosen file, at the Command Prompt, logged in with the account that will be running your Talend Job.

When this is achieved, you'll know that you have the basics of your Cryptography working correctly.

Talend Support for Cryptography

Talend supports GNU Privacy Guard (GnuPG) through the tGPGDecrypt component; but appears to have no direct support for encryption (I believe there is an encryption component on the Talend Exchange; however, I have not reviewed this).

Although this may seem a little odd, understanding Talend's support for GNU Privacy Guard (GnuPG) shows that this is not really a significant short coming.

tGPGDecrypt Component

Let's take a look at the tGPGDecrypt component, to understand how it works. We can immediately see from the image below that this component takes four parameters with, most notably, GPG binary path being set to a default value of "/usr/bin/gpg". What this immediately tells us is that, rather than having built-in support for decryption, Talend is simply making an Operating System Call to the program gpg and passing appropriate parameters. To prove this and to see the exact call that is being made, we could replace this command with one of our own.

Image 1

Let's change the call, so that when we run our Job, we call our own script rather than "/usr/bin/gpg". It's a simple script, that will display the parameters that are passed to it.

For our example, we'll create a Unix-style script. If you're working in a Windows environment, you can create a similar styled script, using appropriate syntax. Create a new script, for example, /tmp/mygpg and add the line echo ${*}. Make the script executable chmod u+x /tmp/mygpg and alter the value of GPG binary path so that it calls your new script "/tmp/mygpg".

Now run your Job. You should see output displayed that is similar to that shown below.

--yes -q -d --passphrase mypassphrase -o /Applications/TOS_DI-r100420-V5.3.0RC1/workspace/message.txt /Applications/TOS_DI-r100420-V5.3.0RC1/workspace/message.txt.asc

As can be seen from the above example, for decryption, Talend is simply making an Operating System Call to the program gpg and passing both your parameters and some predefined ones.

In many cases, you should find that this call meets your needs; however, you may not always find that this pre-configured call meets your requirements and that you're unable to decrypt your file through component configuration alone. Now that we understand how this component works we can see that we are able to modify the value of GPG binary path so that we could call our own wrapper script to gpg or any other decryption program and that we can make custom calls as required. We could, of course, also use the tSystem component to make our calls.


When it comes to encryption, and having no pre-configured component to use, we simply use the tSystem component to make our call to gpg, or our own wrapper script (if the need arises), and we pass appropriate values.

Here's an example of a simple call, to encrypt a text file. You may find that you need to pass additional parameters, for example, to tell gpg if an existing file should be overwritten.

gpg --encrypt --recipient 'a_recipient' foo.txt

This command should result in a new file being created foo.txt.gpg


Using GNU Privacy Guard (GnuPG), and more importantly using it with Talend, is not difficult; however it does take a little effort to get it right.

Remember that these are examples only. Parameters, especially passphrases, should be not be hard-coded in your Talend Jobs. Read our tutorial on Loading Context from a File; however, you should also consider your own security policy within your organisation.

Expert Consultancy from Yellow Pelican
comments powered by Disqus