You are the Chief Information security Officer (CISO) of a small medium sized - accounting Services Company. In the last few weeks, senior staff have been complaining that some confidential information has been disclosed via email without any authorisation. You are approached by the Chief Information Officer (CIO) to discuss the issue and see the most appropriate way to tackle this problem. You suspect that some of the employees might be using their technical skills to access sensitive information either from the mail servers or during transmission. To counteract this malpractice, you suggest the CIO the implementation of encryption. Before you actually implement the system, you want to conduct a pilot using the GNU Privacy Guard (GPG) software.
The pilot requires that you install GNU Privacy Guard (GPG) software onto your own computer and complete the following activities.
After installing GPG software onto your own computer, complete the following tasks:
1. Generate your own key-pair by using GPG software and do not create a pass-phrase for your private key (in a real world this is not a good practice. Just for the sake of this assignment, do not create a pass-phrase). You need to use screen-shots to show that you have successfully completed this task. A valid screen-shot is similar to the one shown in Figure 1. Pay attention to the red circles, which demonstrate the success of key pair generation ( 2 marks). 2. Export your public key and paste it into your assignment document. You need to use two screen-shots to show that you have successfully completed this task. One screen-shot is to show the use of gpg command and the other is to show the exported public key. For example, the screen-shot in Figure 2, shows a public key, which is exported into the file: CC-pubkey.txt (2 marks). 3. Explain the steps how to import your Lecturer’s public key from the key-server (your lecturer created a public key and stored it at the MIT PGP Public Key Server). Include in the assignment document the gpg command line, individual options you used and their meaning. As above, use screenshots of website interactions, with accompanying explanations of the screenshots to explain the steps how to import your Lecturer’s public key from the key-server (3 marks). 4. Create an ASCII text file to store your full-name, your student number, and your student CQU email address (please do not use any other email address). Then using your lecturer’s public key, encrypt this text file. The resulting file should also be ASCII armored so that it is readable once decrypted by your lecturer / tutor. Failure to do so will result in loss of marks. Submit the resulting encrypted file along with your assignment solutions document (word document) via the online submission system and following the naming convention given above (3 marks).
An example explaining the steps to export a key
Here is a specific example for explaining the step of exporting a private key, to be imported onto another computer running GPG. Use this example to guide you in how to give explanations in this question.
To export your private key, you need to execute the following gpg command:
The output option specifies the filename in which to write the private key into. Finally, the export-secret-keys option specifies the name of the private key to be exported. The name is given as “Xiao Li”. This option is distinct from the “export” option which exports only public keys.
Now the private key is stored in the file “privkey.txt” unencrypted and can be imported into another version of GPG.
Where required be detailed and specific about your actions explaining exactly what you did, and why you did not. Document the exact GPG commands you have used, and provide an explanation of what the command does, including the individual command line options, and/or provide screenshots of any interactions with websites.
Brendan Kidwell’s practical guide is not the only one available on the Internet. There are plenty of other documents on the Internet that explain how to use GPG for various functions.