<div>
It's public keys exchange that we need instructions on.<br />
<br />
We encrypt sensitive files that we send over to our outsource provider who will use the key (presume it's public key) to decrypt at their application end (ie end to end encryption using PGP).
</div>


<div>
attached is our best effort documentation (must say it's vague &amp;&nbsp;may be incomplete) captured just prior to the staff leaving.<br />
<br />
The pages on the 2nd half onwards (ie post generation of the keys) are the doubtful part of what we need to do, especially at the remote outsource provider's end.
</div>


<div>
The documentation upload failed to go through: I'll reattempt in 9 hours' time
</div>


<div>
Attached this time the work instructions: &nbsp;outsource provider told me they only need the private key for their applications to read (which confuses me further)<br />
<a href="https://filedb.experts-exchange.com/incoming/2018/01_w05/1266756/Generate_New_PGP_KeysampleSteps2.docx" target="_blank" class="file-inline" title="Current work instruction (2.3 MB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Generate_New_PGP_KeysampleSteps2.docx</a>
</div>


Generate_New_PGP_KeysampleSteps2.docx

<div>
not very clear in the document. But it seems like once the pgp key pair is generated, that keypair is supposed to give to the outsourced vendor and future correspondence will be based on that public key to encrypt for the outsourced vendor to decrypt using the private key. The private key is protected using a password. So there must be a mean to get this across to the vendor so that they can use the private key for decryption. The EmbossAdmin seems to means to exchange this password with the vendor, those csenv.ini and getpass.ini are just the encrypted password. Eventually the auto retrieve bat file is another unknown where by the PAN details are downloaded and may be used to encrypt and shared with vendor .<br />
<br />
.. It is actually the business logic and hard to determine based on the flow only.. ultimately the principle of key generation, key sharing out of band and having preshared secret and data encrypt/decrypt seems to be in the regime again so not much can be comments knowing the flow - better to draw up the chart
</div>


<div>
Similar to btan, the fact that the PGP of the receiver is generated on the sending side means lack of security.<br />
<br />
Why doesn't the receiver generate their own and provide the public to the sender. This way, the sender does not have the private to decrypt..<br />
<br />
It would be similar to every year the locks on an external storage location have to be changed, but instead of having those at the remote, the people whose records/information should be stored would go to the external storage change locks, and provide the keys ......<br />
<br />
think of it this way, you are shipping a container.<br />
One option, is the remote side sends you a lock to which they have a key, or you go and buy a lock and mail them the key separately.<br />
<br />
Make sure to create a revocation of the existing, but that would require that you have access to the old/current private key.
</div>


<div>
Agree with expert. Ownership need to be clear especially the source is on the vendor and you on receiving end mostly. There would be a trusted CA but you are using pgp and also not using any key server, so management of key is really adhoc and as and when informed of key status. Have them to owner the keys and contractually have this clarity.
</div>


<div>
<div class="content wysiwyg-content">
A few staff left the company &amp;&nbsp;there's no &nbsp;handover/documentation.<br />
<br />
I was told by one colleague that placing it in the incorrect folder for the apps to read is one of the<br />
main challenges :<br />
we have a few sites with our outsource providers ie it may differ in folder locations for different<br />
apps.<br />
<br />
Can someone provide step by step instruction on how to generate new keys (it's required yearly <br />
by Audit) &amp;&nbsp;send over to remote end &amp;&nbsp; how to check where to place them in right place for decrypting<br />
(&amp; if there's steps to decrypt it, let me know).<br />
<br />
It's all on Win 7 and Win 2008 R2
</div>
</div>


A few staff left the company & there's no  handover/documentation.

I was told by one colleague that placing it in the incorrect folder for the apps to read is one of the
main challenges :
we have a few sites with our outsource providers ie it may differ in folder locations for different
apps.

Can someone provide step by step instruction on how to generate new keys (it's required yearly 
by Audit) & send over to remote end &  how to check where to place them in right place for decrypting
(& if there's steps to decrypt it, let me know).

It's all on Win 7 and Win 2008 R2

steps of generating &amp; renewing PGP keys

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

Encryption

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.

steps of generating &amp; renewing PGP keys

steps of generating & renewing PGP keys