After you define a key with the ENCRYPT /CREATE_KEY command,
you can use that key to encrypt files with the ENCRYPT command. In addition
to the key name, specify the plaintext file to be encrypted. The syntax of the ENCRYPT command
is as follows:
ENCRYPT file-spec key-name [ qualifiers ]
where
file-spec
is the plaintext input file specification.
key-name
is the name of the key.
qualifiers
are options that control the
encryption process or the selection of files you want to encrypt.
The following example shows how to define keys and then encrypt
the file testfile.txt with each of them, first with the AES algorithm at
the three supported key lengths and then with DES:
$ ENCRYPT/CREATE_KEY/AES MY_AES_KEY16 "My AES Key length>16"
$ ENCRYPT testfile.txt MY_AES_KEY16 /DATA_ALGORITHM=AESCBC128 /KEY_ALGORITHM=AESCBC128
$!
$ ENCRYPT/CREATE_KEY/AES MY_AES_KEY24 "TEST My AES Key length>24"
$ ENCRYPT testfile.txt MY_AES_KEY24 /DATA_ALGORITHM=AESCBC192 /KEY_ALGORITHM=AESCBC192
$!
$ ENCRYPT/CREATE_KEY/AES MY_AES_KEY32 "TEST TEST TEST My AES Key length>32"
$ ENCRYPT testfile.txt MY_AES_KEY32 /DATA_ALGORITHM=AESCBC256 /KEY_ALGORITHM=AESCBC256
$!
$ ENCRYPT/CREATE_KEY MY_DES_KEY "This is My DES Key"
$ ENCRYPT testfile.txt MY_DES_KEY
To encrypt with an AES key, both the /DATA_ALGORITHM
and the /KEY_ALGORITHM qualifier must specify an AES algorithm.
If the /DATA_ALGORITHM qualifier is not specified, encryption uses the DESCBC
data algorithm by default; if the /KEY_ALGORITHM qualifier is not specified,
encryption uses the DESCBC key algorithm by default.
Input File Specification
For the plaintext file specified on the ENCRYPT command line,
use a file that resides on disk and that is not a directory file.
To specify multiple input files, use wildcard characters in
the file specification. To control file selection, specify the appropriate
ENCRYPT command qualifiers. Do not use wildcard characters to specify
directory files or files containing bad blocks.
Output File Specification
The result of the encryption operation is a ciphertext file.
One ciphertext file is created for each input file that is encrypted.
By default, the ENCRYPT command writes each ciphertext file
to a separate output file with the same name except that it has a
version number one higher than that of the current input file.
To specify an alternate output file specification, use the /OUTPUT
qualifier. Specify only the file specification parts that you want
to change from the defaults. For example, the following command encrypts
all the files in the current directory that match the wildcard file
specification *.COM. The /OUTPUT qualifier specifies that any output
files created have a file type of .ENC. FRANCISSCOTT is the key used
to encrypt the files.
$ ENCRYPT *.COM /OUTPUT=.ENC FRANCISSCOTT
Do not specify a file that already exists. For example, you cannot
name the output file NEWS.DAT;2 if NEWS.DAT;2 already exists. However,
specifying NEWS.DAT as both the input and output files is valid.
Displaying Processing Information
By default, information about the encryption operation is not
displayed. To display information about file encryption operations
on SYS$COMMAND, use the /SHOW qualifier. The /SHOW qualifier has the
format:
/SHOW=keyword
or
/SHOW=keyword-list
Specify one or more of the following keywords:
FILES
STATISTICS
FILES Keyword
The FILES keyword displays the file specifications of the input
and output files. For example, /SHOW=FILES in the following command
specifies that each input and output file specification be displayed
as it is encrypted.
STATISTICS Keyword
Use the STATISTICS keyword to display encryption stream statistics
after the completion of each file operation. The statistics displayed
are:
Bytes processed
Internal records processed
CPU time consumed within the encryption algorithm
The following command specifies that encryption stream statistics
be displayed on SYS$COMMAND.
$ ENCRYPT /SHOW=STATISTICS *.COM FRANCISSCOTT
%ENCRYPT-S-STATISTICS, encryption stream statistics:
Total Records: 65
Total Bytes: 4083
Total Time: 00:00:01.63
.
.
.
Specifying Files to Encrypt
To specify multiple input files, use the ENCRYPT command with
wildcard characters in the input file specification.
The following ENCRYPT command qualifiers can help you select
files:
/BACKUP
/BEFORE
/BY_OWNER
/CONFIRM
/EXCLUDE
/EXPIRED
/MODIFIED
/SINCE
/BACKUP Qualifier
The /BACKUP qualifier selects files for encryption according
to the date of their most recent backup. This qualifier is meaningful
only when used with either the /BEFORE or the /SINCE qualifier. The
/BACKUP qualifier has the format:
/BACKUP /BEFORE[=time]
or
/BACKUP /SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current
day, month, and year at 00:00:00.
The following command selects for encryption all files in the
current directory matching the wildcard file specification of *.COM
that had backup copies made before 00:00:00 15-APR-2009.
Do not use the /BACKUP qualifier with either the /EXPIRED or
the /MODIFIED qualifier.
/BEFORE Qualifier
The /BEFORE qualifier selects files for encryption that have
a creation time before the time specified with the qualifier. The
/BEFORE qualifier has the format:
/BEFORE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current
day, month, and year at 00:00:00.
The following command selects for encryption all files in the
current directory matching the wildcard file specification of *.COM
that were created before 00:00:00 15-APR-2009.
$ ENCRYPT /BEFORE=15-APR-2009 *.COM FRANCISSCOTT
/BY_OWNER Qualifier
The /BY_OWNER qualifier allows you to select files for encryption
that have a particular owner User Identification Code (UIC). If no
UIC is specified with the qualifier, the UIC of the current process
is used. The /BY_OWNER qualifier has the format:
/BY_OWNER=uic
where
uic is the UIC of the owner of the file.
The following command selects for encryption all files in the
current directory owned by the user whose UIC is [FLYNN] that match
the wildcard file specification of *.COM.
$ ENCRYPT /BY_OWNER=[FLYNN] *.COM FRANCISSCOTT
/CONFIRM Qualifier
By default, all input files specified on the command line are
processed without confirming that those files are selected for encryption.
Use the /CONFIRM qualifier if you want a prompt with the name of each
file selected for encryption. Your response determines whether or
not a particular file is encrypted, as follows:
Response          Meaning
YES               Encrypt the file.
NO or RETURN      Do not encrypt the file. This is the default.
QUIT or CTRL/Z    Do not encrypt the file or any subsequent files.
ALL               Encrypt the file and all subsequent files.
The following command selects for encryption all files in the
current directory matching the wildcard file specification of *.COM.
Because the /CONFIRM qualifier is specified, the user is prompted
on a file-by-file basis to confirm that each file is to be encrypted.
Because the prompt is answered in the affirmative for the file MOVE.COM;3,
the output file MOVE.COM;4 is created.
/EXCLUDE Qualifier
Use the /EXCLUDE qualifier to exclude one or more files from
an encryption operation. If a file matches the file specification
provided with the /EXCLUDE qualifier, the file will not be encrypted.
The /EXCLUDE qualifier has the format:
/EXCLUDE=(file-spec[,...])
where
file-spec is the name of the file to remain
unencrypted.
Wildcard characters are allowed in the file specification. There
is no default for the file specification. Because directory files
are never encrypted, you need not specify them with the /EXCLUDE qualifier.
However, if you do specify /EXCLUDE=*.DIR, you will not get the warning
message %ENCRYPT-W-FILNODIR, file encryption of directories
is not supported, filename.dir.
The following command selects for encryption all files in the
current directory that match the wildcard file specification of *.COM,
except LOGIN.COM, which is specified with /EXCLUDE.
$ ENCRYPT /EXCLUDE=LOGIN.COM *.COM FRANCISSCOTT
/EXPIRED Qualifier
The /EXPIRED qualifier selects files for encryption according
to the dates on which they expire. (The expiration date is set with
the SET FILE /EXPIRATION_DATE command.) This qualifier is meaningful
only when used with either the /BEFORE or the /SINCE qualifier. The
/EXPIRED qualifier has the format:
/EXPIRED /BEFORE[=time]
or
/EXPIRED /SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current
day, month, and year at 00:00:00.
The following command selects for encryption all files in the
current directory matching the wildcard file specification of *.COM
that expire after 00:00:00 15-APR-2009.
Do not use the /EXPIRED qualifier with either the /BACKUP or
the /MODIFIED qualifier.
/MODIFIED Qualifier
The /MODIFIED qualifier selects files for encryption according
to the dates on which they were last modified. This qualifier is meaningful
only when used with either the /BEFORE or the /SINCE qualifier. The
/MODIFIED qualifier has the format:
/MODIFIED /BEFORE[=time]
or
/MODIFIED /SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current
day, month, and year at 00:00:00.
The following command selects for encryption all files in the
current directory matching the wildcard file specification of *.COM
that were modified after 00:00:00 15-APR-2009.
Do not use the /MODIFIED qualifier with either the /BACKUP or
the /EXPIRED qualifier.
/SINCE Qualifier
The /SINCE qualifier selects for encryption files that have
a creation date after the time specified with the qualifier. The /SINCE
qualifier has the format:
/SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current
day, month, and year at 00:00:00.
The following command selects for encryption all files in the
current directory matching the wildcard file specification of *.COM
that were created after 00:00:00 15-APR-2009.
$ ENCRYPT /SINCE=15-APR-2009 *.COM FRANCISSCOTT
Deleting Encrypted Files
By default, when the ENCRYPT software encrypts an input file
and writes the resulting output file, the input file is retained.
However, do not encrypt a file and then leave the plaintext file
online if you are concerned about the security of the file.
You can use the DCL DELETE command with the /ERASE qualifier
to remove the contents of the plaintext file from the disk, or you
can use the following qualifiers with the ENCRYPT command:
/DELETE
/ERASE
/DELETE Qualifier
The /DELETE qualifier deletes the input file after the encryption
operation completes and the output file is written and closed. If
you have multiple versions of the input file, they are not all deleted.
/DELETE acts on only the version of the input file that you encrypted.
To delete the unencrypted input file from the disk, use the
/DELETE qualifier. The following command specifies that the SAVEDMAIL.MAI
file be encrypted using the TWENTYFIVECENTS encryption key. Because
the /DELETE qualifier is specified, the input file is deleted after
the encrypted output file is written.
$ ENCRYPT /DELETE SAVEDMAIL.MAI TWENTYFIVECENTS
NOTE: There may be scenarios when the ENCRYPT/COMPRESS command
executes without error, but decryption fails. This can be
catastrophic if the /DELETE qualifier is used, deleting the original
BACKUP save-set file during the encrypt operation. Therefore, it is
recommended not to use the /DELETE qualifier along with the /COMPRESS
qualifier.
/ERASE Qualifier
When you delete or purge a file, the file's header record
is destroyed so that the file can no longer be accessed by normal
means. The information in the file, however, stays on the disk until
it is overwritten. Disk scavenging is a technique used to obtain such
file data from a disk. To thwart disk scavenging, use the /ERASE qualifier
with the /DELETE qualifier. When you specify /ERASE, the OpenVMS operating
system overwrites the location in which the input file was stored
with the data security pattern. The data no longer exists.
The following command specifies that after SAVEDMAIL.MAI is
encrypted, the input file is erased with the data security pattern
before being deleted.
Files are encrypted using a randomly generated data key. One
benefit of this procedure is that two files identical in plaintext
form and encrypted with the same command are not identical in their
encrypted form.
The Encryption for OpenVMS implementation of DES uses the following
modes of the DES algorithm:
Cipher Block Chaining (DESCBC)
Electronic Code Book (DESECB)
Cipher Feedback (DESCFB)
These modes perform the encryption operation differently, as
follows:
DESCBC (default)
Input is taken in 8-byte blocks.
DESCBC performs an exclusive OR operation (XOR) on
each block. (An XOR is a bit-by-bit modulo-2 addition without carrying.
For example, the result of performing an XOR on the binary numbers
001 and 111 is 110.)
The first XOR operation is performed
on the first block of input and the initialization vector. (An initialization
vector is used to start the chaining of data because there is no ciphertext
to affect the encryption of the first block of data.)
The resulting block is encrypted.
The next XOR operation is performed on the resulting
block of ciphertext and the next block of plaintext, and so on.
If fewer than 8 bytes are left for the last iteration,
the block is padded with bytes of arbitrary value.
Each block of 8 bytes is encrypted under the same
key value.
The DESCBC algorithm is used to encrypt the data key
and the initialization vector. The encrypted key and initialization
vector are stored with the encrypted file. The DESCBC algorithm is
also used by default to encrypt the file data.
DESECB
Input is taken in 8-byte blocks.
If the input consists of fewer than 8 bytes, it is
padded with nulls.
Each block is processed under the DES algorithm with
the same key.
The result is an 8-byte block of output that is independent
of all other blocks of output.
DESCFB
Input is taken as a series of 1-byte quantities.
They are shifted to the left and concatenated with
the results of previous iterations.
DESCFB uses an initialization vector in the first
iteration.
Only the exact number of bytes specified in the input
are used.
The output byte count equals the input byte count
(no padding).
The AES algorithm uses the following modes:
Cipher block chaining:
AESCBC128 (default)
AESCBC192
AESCBC256
Electronic code book:
AESECB128
AESECB192
AESECB256
Cipher feedback:
AESCFB128
AESCFB192
AESCFB256
Output feedback:
AESOFB128
AESOFB192
AESOFB256
For details about the advantages of each mode, see one of the
numerous texts available on this subject.
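The mode behaviours listed above can be checked rather than taken on trust. The following Go program is an added example, not code from the Encryption for OpenVMS product or from this manual. It uses Go's standard-library DES and AES implementations with a constructed key, IV and three-block plaintext whose first two blocks are identical, runs the same input through ECB, CBC, CFB and OFB, and records whether equal plaintext blocks came out as equal ciphertext blocks (they do under ECB, not under the chained modes) and whether the output has exactly as many bytes as the input (the feedback modes need no padding). Go's CFB feeds back a whole block rather than the single byte the manual describes for DESCFB, so the keystream differs, but the no-padding property shown is the same.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// ModeResult records what one mode did to the plaintext so the manual's claims can be checked.
type ModeResult struct {
	Ciphertext      []byte
	RepeatedBlocks  bool // equal plaintext blocks came out as equal ciphertext blocks (ECB's weakness)
	LengthPreserved bool // ciphertext has exactly as many bytes as the plaintext (no padding)
}

// newBlock builds a DES (8-byte key) or AES (16-, 24- or 32-byte key) block cipher by family name.
func newBlock(family string, key []byte) (cipher.Block, error) {
	switch family {
	case "DES":
		return des.NewCipher(key)
	case "AES":
		return aes.NewCipher(key)
	}
	return nil, fmt.Errorf("unknown cipher family %q", family)
}

// ecbEncrypt encrypts each block on its own under the same key, as DESECB/AESECB do;
// the input must already be whole blocks because this example does not pad.
func ecbEncrypt(b cipher.Block, plain []byte) []byte {
	bs := b.BlockSize()
	out := make([]byte, len(plain))
	for i := 0; i+bs <= len(plain); i += bs {
		b.Encrypt(out[i:i+bs], plain[i:i+bs])
	}
	return out
}

// hasRepeatedBlock reports whether any two blocks of data are byte-for-byte identical.
func hasRepeatedBlock(data []byte, bs int) bool {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(data); i += bs {
		if seen[string(data[i:i+bs])] {
			return true
		}
		seen[string(data[i:i+bs])] = true
	}
	return false
}

// encryptAllModes runs plain through ECB, CBC, CFB and OFB under the same key and IV.
// ECB and CBC are only attempted on whole-block input; CFB and OFB take any length.
// Go's CFB feeds back a full block, while the manual's DESCFB/AESCFB shift one byte at a
// time; the keystream differs, but the no-padding property demonstrated here is the same.
func encryptAllModes(b cipher.Block, iv, plain []byte) (map[string]ModeResult, error) {
	bs := b.BlockSize()
	if len(iv) != bs {
		return nil, fmt.Errorf("IV must be %d bytes for this cipher", bs)
	}
	res := map[string]ModeResult{}
	record := func(mode string, ct []byte) {
		res[mode] = ModeResult{ct, hasRepeatedBlock(ct, bs), len(ct) == len(plain)}
	}
	if len(plain)%bs == 0 {
		record("ECB", ecbEncrypt(b, plain))
		cbc := make([]byte, len(plain))
		cipher.NewCBCEncrypter(b, iv).CryptBlocks(cbc, plain) // each block XORed with the previous ciphertext block, the IV first
		record("CBC", cbc)
	}
	cfb := make([]byte, len(plain))
	cipher.NewCFBEncrypter(b, iv).XORKeyStream(cfb, plain)
	record("CFB", cfb)
	ofb := make([]byte, len(plain))
	cipher.NewOFB(b, iv).XORKeyStream(ofb, plain)
	record("OFB", ofb)
	return res, nil
}

// repeatedPlaintext is a constructed three-block message whose first two blocks are identical.
func repeatedPlaintext(bs int) []byte {
	block := bytes.Repeat([]byte{'A'}, bs)
	return append(append(append([]byte{}, block...), block...), bytes.Repeat([]byte{'B'}, bs)...)
}

func main() {
	b, _ := newBlock("AES", []byte("0123456789abcdef")) // constructed 16-byte key
	iv := bytes.Repeat([]byte{0}, aes.BlockSize)       // constructed IV
	res, _ := encryptAllModes(b, iv, repeatedPlaintext(aes.BlockSize))
	for _, m := range []string{"ECB", "CBC", "CFB", "OFB"} {
		fmt.Printf("%s: repeated blocks=%v, length preserved=%v\n", m, res[m].RepeatedBlocks, res[m].LengthPreserved)
	}
}
```

Running the same function on a 13-byte input shows the other half of the manual's point: ECB and CBC are skipped because the input is not whole blocks, while CFB and OFB return exactly 13 bytes.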
Encryption Algorithm Qualifiers
You can choose an encryption algorithm
for encrypting either the data key or the file data. Figure 9-1 illustrates the
relationship of encryption keys and algorithms. The figure shows that:
To encrypt the key, use the /KEY_ALGORITHM
or /KEY_ALGORITHM=AESmmmkkk qualifier to specify
an algorithm other than the default DESCBC or AESCBC128 algorithms.
To encrypt the file, use the /DATA_ALGORITHM
or /DATA_ALGORITHM=AESmmmkkk qualifier to specify
an algorithm other than the default DESCBC or AESCBC128 algorithms.
Here, mmm indicates the mode (CBC,
ECB, CFB, or OFB) and kkk indicates the key size (128, 192,
or 256 bits).
Figure 9-1 Relationship of Keys and Algorithms
The qualifier you use affects the decryption procedure:
If you use the /DATA_ALGORITHM qualifier to encrypt,
you do NOT need to specify this algorithm when you decrypt.
If you use the /KEY_ALGORITHM qualifier to encrypt,
you DO need to specify this algorithm when you decrypt.
/KEY_ALGORITHM Qualifier
To specify an algorithm other than the default, to encrypt the
key and initialization vector, use the /KEY_ALGORITHM qualifier. This
qualifier has the format:
/KEY_ALGORITHM={DESCBC (default)|AESmmmkkk}
For example, the following command uses the DESCFB algorithm
with the TWENTYFIVECENTS key to protect the data key and the initialization
vector.
Specifying AES Data Algorithm and AES Key Algorithm
To select an algorithm other than the DESCBC default when encrypting
files, Encrypt accepts the data and key algorithm qualifiers with
the DCL ENCRYPT command and the key algorithm qualifier with the DECRYPT
command.
When encrypting files with AES, specify both /DATA_ALGORITHM=AESmmmkkk and /KEY_ALGORITHM=AESmmmkkk:
mmm defines the AES mode: ECB,
CBC, CFB, or OFB
kkk defines the key size: 128,
192, or 256 bits (for 16-, 24- or 32-byte keys)
The key must match the key algorithm. An AES key must be used
with an AES key algorithm, and a DES key must be used with the DES
key algorithm. The data algorithm defaults to DES if /DATA_ALGORITHM=AESmmmkkk
is not specified for the ENCRYPT command. When
using DES keys and KEY_ALGORITHM=DES, the data is protected with a
strong algorithm, but the key is not.
NOTE: The capability of mixing AES with DES keys and data algorithms
is disabled and any attempt to mix the algorithms results in an ENCRYPT$_AESMIXDES
error condition.
When decrypting files with AES, specify only the /KEY_ALGORITHM=AESmmmkkk qualifier.
The reason for this is that the key
algorithm is used to decrypt the random-key record that contains the
random key, which is then used to decrypt the data records of the
file. Specifying the data algorithm is not necessary, and doing so produces
an unrecognized-qualifier error message.
NOTE: For an encrypt operation, if the /DATA_ALGORITHM=AES is specified
without the /KEY_ALGORITHM, an error occurs. The default algorithm
DESCBC is used to encrypt the random key record that contains the
random key and file information. However, the user key must match
the KEY algorithm; if not, an error occurs. For example, consider
that the key-name is an AES key name and value. When the key is fetched
from the logical name table and then is decrypted with the DES master
key, the key decrypts garbage, and the operation fails with the following
error message:
%STR-F-FATINTERR, fatal internal error
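The arrangement this section describes, a random data key and IV for each file wrapped under the user's key with the key algorithm, and the file data encrypted with the data algorithm under that random key, is easy to reproduce in outline. The following Go program is an added example, not the product's code, and its Envelope structure is a constructed stand-in for the real ciphertext file format, which the manual does not document. It models only AESCBC128 and AESCBC256, uses PKCS#7 padding for the body in place of the manual's "bytes of arbitrary value" so that decryption under a wrong key is detected, and does not model the AES/DES mixing check. What it does show is why two identical plaintexts never produce identical ciphertext, why DECRYPT needs the key algorithm but not the data algorithm, why the user key must match the key algorithm, and what happens when the key record is decrypted with a wrong key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Algorithm string // names follow the qualifier values on this page; keySizes is each one's key length

const (
	AESCBC128 Algorithm = "AESCBC128"
	AESCBC256 Algorithm = "AESCBC256"
)

var keySizes = map[Algorithm]int{AESCBC128: 16, AESCBC256: 32}
var errBadRecord = errors.New("record unusable: wrong user key, wrong key algorithm, or corrupted file")

// newBlock rejects a key whose length does not match alg: the user key must match the key algorithm.
func newBlock(alg Algorithm, key []byte) (cipher.Block, error) {
	if n := keySizes[alg]; n == 0 || len(key) != n {
		return nil, fmt.Errorf("%d-byte key does not match algorithm %q", len(key), alg)
	}
	return aes.NewCipher(key)
}

// cbc runs CBC in either direction; callers first check with fits() that iv and in suit the block size.
func cbc(b cipher.Block, iv, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(b, iv).CryptBlocks(out, in)
	}
	return out
}

// fits rejects a truncated file or a record that was not wrapped under b's block size.
func fits(b cipher.Block, iv, data []byte) bool {
	bs := b.BlockSize()
	return len(iv) == bs && len(data) > 0 && len(data)%bs == 0
}

// Envelope is a constructed stand-in for the ciphertext file, not the real ENCRYPT file format.
type Envelope struct {
	DataAlg          Algorithm // recorded in the file, so DECRYPT needs no /DATA_ALGORITHM
	KeyIV, KeyRecord []byte    // random data key || data IV, CBC-wrapped under the user key
	Body             []byte    // file data, CBC-encrypted under the random data key
}

// encryptFile mirrors ENCRYPT file key /KEY_ALGORITHM=keyAlg /DATA_ALGORITHM=dataAlg; the body gets
// PKCS#7 padding (the real tool pads "with bytes of arbitrary value") so that a wrong key is detected.
func encryptFile(plain, userKey []byte, keyAlg, dataAlg Algorithm) (*Envelope, error) {
	kb, err := newBlock(keyAlg, userKey)
	if err != nil {
		return nil, err
	}
	// A fresh random data key and IV for every file: identical plaintexts never share ciphertext.
	n := keySizes[dataAlg]
	r := make([]byte, n+2*aes.BlockSize)
	rand.Read(r)
	dataKey, dataIV, keyIV := r[:n], r[n:n+aes.BlockSize], r[n+aes.BlockSize:]
	db, err := newBlock(dataAlg, dataKey) // fails for an unknown data algorithm (n == 0)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(plain)%aes.BlockSize
	pad := bytes.Repeat([]byte{byte(padLen)}, padLen)
	// dataKey||dataIV is 32 or 48 bytes, always whole AES blocks, so the key record itself needs no padding.
	return &Envelope{dataAlg, keyIV, cbc(kb, keyIV, r[:n+aes.BlockSize], true),
		cbc(db, dataIV, append(append([]byte{}, plain...), pad...), true)}, nil
}

// decryptFile mirrors DECRYPT file key /KEY_ALGORITHM=keyAlg: the caller names only the key algorithm,
// the data algorithm is read from the envelope, and a wrong user key turns the key record into garbage.
func decryptFile(env *Envelope, userKey []byte, keyAlg Algorithm) ([]byte, error) {
	kb, err := newBlock(keyAlg, userKey)
	if err != nil {
		return nil, err
	}
	n := keySizes[env.DataAlg]
	if n == 0 || !fits(kb, env.KeyIV, env.KeyRecord) || len(env.KeyRecord) < n {
		return nil, errBadRecord
	}
	record := cbc(kb, env.KeyIV, env.KeyRecord, false)
	db, _ := newBlock(env.DataAlg, record[:n]) // cannot fail: n bytes for a known algorithm
	if !fits(db, record[n:], env.Body) {
		return nil, errBadRecord
	}
	raw := cbc(db, record[n:], env.Body, false)
	p := int(raw[len(raw)-1]) // a garbage data key almost never yields valid PKCS#7 padding
	if p == 0 || p > aes.BlockSize || !bytes.Equal(raw[len(raw)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errBadRecord
	}
	return raw[:len(raw)-p], nil
}
```

Decrypting with a 16-byte user key while naming AESCBC256 fails in newBlock before anything is decrypted, which is the key-length form of the "user key must match the KEY algorithm" rule above; decrypting with a wrong key of the right length gets as far as the body and fails on the padding check, the analogue of the key record decrypting to garbage.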
File Compression
To reduce the size of the plaintext file before encrypting it,
use the /COMPRESS qualifier. Data compression can save media space
when physically transporting encrypted files and can save time when
electronically transporting encrypted files across a network.
Compression efficiency depends on the structure of the data
in your file. Evaluate a performance tradeoff when deciding whether
or not to use this qualifier. Decryption is generally faster on a
compressed file, but encryption takes longer. You might choose to
use the /COMPRESS qualifier when the following conditions apply:
The file will be decrypted many times.
The file is at least 200 disk blocks in size.
The following command compresses the SAVEDMAIL.MAI
file before encrypting it.
NOTE: If you use the /COMPRESS qualifier when encrypting a file, you
need not specify this qualifier when decrypting the file. If necessary,
the file is automatically decompressed when it is decrypted.
$ ENCRYPT /COMPRESS SAVEDMAIL.MAI TWENTYFIVECENTS
NOTE: Do not use /DELETE qualifier with /COMPRESS because there may
be scenarios when the ENCRYPT/COMPRESS command
executes without error, but decryption fails. This can be catastrophic
if the /DELETE qualifier is used, deleting the original BACKUP save-set
file during the encrypt operation.
Displaying the Version Number
To identify the version of Encryption software running on your
system, use the /VERSION qualifier. For example:
$ ENCRYPT /VERSION
Copyright (c) Compaq 2001, Digital Equipment Corporation. 1978, 1997. All
rights reserved.
Compaq Encryption V1.6)