VMS Help  —  ENCRYPT
    There are four ENCRYPT commands:

    ENCRYPT                   Encrypts files. Before you enter
                              this command, create a key with the
                              ENCRYPT /CREATE_KEY command.

    ENCRYPT /AUTHENTICATE     Checks for changes to either plain
                              text or cipher text files (see
                              /AUTHENTICATE).

    ENCRYPT /CREATE_KEY       Defines a key to be used during
                              encryption (see /CREATE_KEY).

    ENCRYPT /REMOVE_KEY       Deletes a key definition from a key
                              storage table (see /REMOVE_KEY).

    Format for the ENCRYPT Command

      ENCRYPT  input-file key-name [qualifiers]

1  –  Parameters

 input-file

    File names of the files to encrypt. If you use wildcard
    characters, do not include directory files or files with bad
    blocks.

 key-name

    Key name previously stored in the key storage table with the
    ENCRYPT /CREATE_KEY command.

2  –  Qualifiers

2.1    /BACKUP

       /BACKUP[=time]

    Selects files according to the dates of their most recent backup.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED
    or /MODIFIED.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.2    /BEFORE

       /BEFORE[=time]

    Selects files that have a creation time before the time you
    specify.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.3    /BY_OWNER

       /BY_OWNER[=uic]
       /NOBY_OWNER

    Selects files with the owner UIC you specify.

    If you omit uic, the UIC of the current process is used. For
    more information on specifying UIC format, see the OpenVMS User's
    Manual.

2.4    /COMPRESS

       /COMPRESS
       /NOCOMPRESS

    Optional. Default: /NOCOMPRESS.

    Controls whether or not data compression occurs before a file is
    encrypted.

2.5    /CONFIRM

       /CONFIRM
       /NOCONFIRM

    Controls whether or not a confirmation request is displayed
    before each encryption, as follows:

    Response         Meaning

    YES              Encrypts the file
    NO or <Return>   Does not encrypt the file (default)
    QUIT or          Does not encrypt the file or any subsequent
    <Ctrl/Z>         files
    ALL              Encrypts the file plus all subsequent files

2.6    /DATA_ALGORITHM

                        { DESCBC (default) }
       /DATA_ALGORITHM= { AESmmmkkk        }
                        {                  }

    Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128,
    192, or 256 bits. Cipher Block Chaining (CBC) and Electronic Code
    Book (ECB) are 16-byte block modes, meaning blocks are padded to
    16 bytes if necessary during encryption. The padding is removed
    during decryption. Cipher Feedback (CFB) and Output Feedback
    (OFB) are 8-bit character stream mode emulation, useful in data
    communications and where no padding is required.

    Note that /DATA_ALGORITM=AES is a shortcut for specifying
    AESCBC128.

    The data algorithm is used with the randomly generated key to
    perform encryption of the file's data. When specifying an AES
    algorithm, specify both /KEY and /DATA=AESmmmkkk qualifiers and
    use an AES created key.

2.7    /DELETE

       /DELETE
       /NODELETE

    Controls whether or not the input files are deleted after the
    encryption operation is complete and the output file is written
    and closed. By default, the input file is not deleted.

2.8    /ERASE

       /ERASE
       /NOERASE

    Controls whether or not the input files are erased with the data
    security pattern before being deleted. By default, the location
    in which the data was stored is not overwritten with the data
    security pattern. The /ERASE qualifier must be used with /DELETE.

2.9    /EXCLUDE

       /EXCLUDE=file-spec
       /NOEXCLUDE

    Excludes the specified files from the encryption operation. You
    can use wildcard characters. You do not need to enter an entire
    file specification. Any field that you omit defaults to the input
    file specification.

    Because directory files are never encrypted, you need not specify
    them.

2.10    /EXPIRED

       /EXPIRED[=time]

    Selects files according to the dates on which they expire.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP
    or /MODIFIED.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.11    /KEY_ALGORITHM

                       { DESCBC (default) }
       /KEY_ALGORITHM= { AESmmmkkk        }
                       {                  }

    Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128,
    192, or 256 bits. Note that /KEY_ALGORITHM=AES is a shortcut for
    specifying AESCBC128.

    The command uses this key algorithm with the key you supply
    to encrypt the randomly generated data encryption key and the
    initialization vector stored within the file.

    When specifying an AES algorithm, specify both /KEY and /DATA
    qualifiers and use an AES created key.

2.12    /MODIFIED

       /MODIFIED[=time]

    Selects files according to the dates on which they were last
    modified.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP
    or /EXPIRED.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.13    /OUTPUT

       /OUTPUT=file-spec

    Alternate output file name for the encryption operation. By
    default, each input file encrypted is written to a separate
    output file that is one version higher than the highest version
    of the input file. When using the /OUTPUT qualifier, specify the
    parts of the file specification different from the defaults. You
    do not need to provide an entire file specification. Any field
    that you omit defaults to the input file specification.

2.14    /SHOW

       /SHOW=keyword-list

    Controls whether or not the following information about the
    encryption operation is displayed on SYS$COMMAND:

    Keyword        Meaning

    FILES          Displays input and output file names on
                   SYS$COMMAND
    STATISTICS     Displays the encryption stream statistics:

                   o  Bytes processed

                   o  Internal records processed

                   o  CPU time consumed within the encryption
                      algorithm

2.15    /SINCE

       /SINCE[=time]

    Selects files that have a creation date before the time you
    specify.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.16    /STATISTICS

    Similar to /SHOW, except that /STATISTICS lists both files and
    statistics, whereas /SHOW can be customized to list only one or
    the other.

2.17    /VERSION

    Displays the version number of the Encryption for OpenVMS
    software running on your system.

3  –  Examples

    1.$ ENCRYPT TROY MYKEY

      Encrypts the file TROY using the key MYKEY.

    2.$ ENCRYPT NEWFILE.TXT MONET/KEY_ALGORITHM=AESCBC128/DATA_ALGORITHM=AESCBC128

      Encrypts the file NEWFILE.TXT with the AES key, MONET, using
      the algorithm AESCBC128. A new version, NEWFILE.TXT;n+1,
      of the original file (now encrypted) is created. Use the
      /OUTPUT=filename qualifier to preserve the original file name,
      renaming the encrypted output file.

4    /AUTHENTICATE

    Associates a DES(default) or AES algorithm Message Authenticate
    Code (MAC) value with one or more files and checks for any
    modification of either plain text or cipher text files. Use the
    additional /UPDATE qualifier to store each file's MAC in the
    databases. Use only the /AUTHENTICATE qualifier to subsequently
    test the integrity of the file's data and security attributes.
    You must create a DES or AES key prior to updating or checking an
    existing MAC. When using the AES algorithm, you must specify the
    /AES qualifier. You can use AES algorithm only with respective AES
    key and the DES algorithm only with DES key. For more information
    about creating DES or AES key and the minimum key length required
    for different algorithms, see ENCRYPT /CREATE_KEY help.

    Format for the ENCRYPT /AUTHENTICATE Command

      ENCRYPT /AUTHENTICATE  file-spec key-name [qualifiers]

4.1  –  Parameters

 file-spec

    File names of the files to authenticate. Behavior can be modified
    with the /MULTIPLE_FILES qualifier.

 key-name

    Key name previously stored in the key storage table with the
    ENCRYPT /CREATE_KEY command.

4.2  –  Qualifiers

4.2.1    /AES

       /AES=keyword

    Specifies that you must use AES algorithm. If this qualifier is
    not specified, the DES algorithm is used by default. You can use
    the following keywords with the /AES qualifier:

    Keyword           Description
    AES128(default)   Indicates that 128 bits AES key value is used.
                      The MAC value generated in this mode is of
                      size 128 bits.
    AES192            Indicates that 192 bits AES key value is used.
                      The MAC value generated in this mode is of
                      size 192 bits.
    AES256            Indicates that 256 bits AES key value is used.
                      The MAC value generated in this mode is of
                      size 256 bits.

4.2.2    /BACKUP

       /BACKUP[=time]

    Selects files according to the dates of their most recent backup.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED
    or /MODIFIED.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

4.2.3    /BEFORE

       /BEFORE=time

    Selects files that have a creation time before the time you
    specify.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

4.2.4    /BY_OWNER

       /BY_OWNER[=uic]
       /NOBY_OWNER

    Selects files with the owner UIC you specify.

    If you omit uic, the UIC of the current process is used. For
    more information on specifying UIC format, see the OpenVMS User's
    Manual.

4.2.5    /CONFIRM

       /CONFIRM
       /NOCONFIRM

    Controls whether or not a confirmation request is displayed
    before each authentication, as follows:

    Response         Meaning

    YES              Authenticates the file
    NO or <Return>   Does not authenticate the file (default)
    QUIT or          Does not authenticate the file or any subsequent
    <Ctrl/Z>         files
    ALL              Encrypts the file plus all subsequent files

4.2.6    /DATABASE

       /DATABASE=file-spec
       /NODATABASE

    File name of the file in which to store binary MAC values.

    Generates a MAC using the file contents. If you do not specify a
    file name, the file name SYS$LOGIN:ENCRYPT$MAC.DAT is used.

4.2.7    /EXCLUDE

       /EXCLUDE=file-spec
       /NOEXCLUDE

    Excludes the specified files from the authentication operation.
    You can use wildcard characters. You do not need to enter an
    entire file specification. Any field that you omit defaults to
    the input file specification.

    Because directory files are never encrypted, you need not specify
    them.

4.2.8    /EXPIRED

       /EXPIRED[=time]

    Selects files according to the dates on which they expire.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP
    or /MODIFIED.

    If you omit a time value, TODAY is used. For more information on
    time specifications, see the OpenVMS User's Manual.

4.2.9    /LOG

    Displays the results of the authentication operation.

4.2.10    /MODIFIED

       /MODIFIED[=time]

    Selects files according to the dates on which they were last
    modified.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP
    or /EXPIRED.

    If you omit a time value, TODAY is used. For more information on
    time specifications, see the OpenVMS User's Manual.

4.2.11    /MULTIPLE_FILES

    Indicates that the file-spec parameter contains a list of file
    names to be checked. The file-spec file is opened and each record
    is read and treated as a file-spec.

4.2.12    /OUTPUT

       /OUTPUT=file-spec
       /NOOUTPUT

    File name of the file in which to store readable MAC values.
    These MAC values represent both the file contents as well as the
    security settings. If you do not specify a file name, the default
    file name SYS$LOGIN:ENCRYPT$MAC.LIS is used.

4.2.13    /SECURITY

       /SECURITY=file-spec
       /NOSECURITY

    File name of the file in which to store binary MAC values. If you
    do not specify a file name, the default file name ENCRYPT$SEC.DAT
    is used.

    Generates a MAC using the file's security settings: owner,
    protection settings, and optional ACL.

4.2.14    /SINCE

       /SINCE[=time]

    Selects files that have a creation time before the time you
    specify.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

4.2.15    /UPDATE

       /UPDATE
       /NOUPDATE

    Associates new MAC values with one or more files.

4.3  –  Example

  $ ENCRYPT /AUTHENTICATE NEWFILE HAMLET/CONFIRM

      Associates a MAC with the file NEWFILE using the key HAMLET.
      This command also displays a confirmation request before each
      authentication.

  $ ENCRYPT/AUTHENTICATE/UPDATE *.* MYKEY
  %ENCRYPT-NEWDB, new authentication code database has been created
  %ENCRYPT-NEWSECDB, new authentication security settings database has been created
  %ENCRYPT-I-SUMMARY1, Summary:  Files successfully authenticated: 0
  %ENCRYPT-I-SUMMARY2,     Files failing authentication: 0
  %ENCRYPT-I-SUMMARY3,     Files not in database: 73
  %ENCRYPT-I-SECSUMM1, Summary:  Security settings authenticated: 0
  %ENCRYPT-I-SECSUMM2,     Security settings failing authentication: 0
  %ENCRYPT-I-SECSUMM3,     Security settings not in database: 73

      This example creates a MAC for each file in the current
      directory using the key named MYKEY, storing them in the two
      databases: SYS$LOGIN:ENCRYPT$MAC.DAT and ENCRYPT$SEC_MAC.DAT.

  $ ENCRYPT /AUTHENTICATE *.* MYKEY
  %ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
  %ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 73
  %ENCRYPT-I-SUMMARY2,     Files failing authentication: 0
  %ENCRYPT-I-SUMMARY3,     Files not in database: 0
  %ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 73
  %ENCRYPT-I-SECSUMM2,     Security settings failing authentication: 0
  %ENCRYPT-I-SECSUMM3,     Security settings not in database: 0

      This example authenticates the same files as in Example 3
      by creating a new MAC and comparing that with those in each
      database, testing file data integrity and security attributes
      as indicated in the summary.

  $ ENCRYPT/CREATE_KEY/AES MY_AES_KEY32 -
  _$ "Sample Key length greater than > 32"
  $ ENCRYPT/AUTHENTICATE FILE.TXT MY_AES_KEY32 /AES=AES256 /UPDATE
  %ENCRYPT-I-NEWDB, new authentication code database has been created
  %ENCRYPT-I-NEWSECDB, new authentication security settings database has been created
  %ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 0
  %ENCRYPT-I-SUMMARY2,            Files failing authentication: 0
  %ENCRYPT-I-SUMMARY3,            Files not in database: 1
  %ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 0
  %ENCRYPT-I-SECSUMM2,            Security settings failing authentication: 0
  %ENCRYPT-I-SECSUMM3,            Security settings not in database: 1

      This example creates new 256 bits AES key. This new key is used with
      the /AES qualifier to create new MAC database and update it with
      a 256 bits MAC value of FILE.TXT file.

5    /CREATE_KEY

    Creates a key definition name and value to be used for encrypting
    and decrypting files. The key is a string that represents the
    name under which its value is encrypted and stored in the key
    storage table; a logical name table. A DES key is created in the
    PROCESS logical name table by default unless the /AES qualifier
    is specified. Note that AES requires longer key-length values
    than the 8-byte DES keys. AES requires a minimum of 16, 24,
    or 32 bytes depending on the algorithm/key size specified for
    encryption or decryption.

    Format for the ENCRYPT /CREATE_KEY Command

      ENCRYPT /CREATE_KEY  key-name key-value [qualifiers]

5.1  –  Parameters

 key-name

    Name under which the encryption key will be stored in the key
    storage table. Specify a character string according to the
    following conventions:

    o  1 to 243 alphanumeric characters

    o  Dollar signs and underscores are valid.

    o  Not case sensitive

    Use a name that has meaning to you, to help you remember it.

                                   NOTE

       Key names beginning with ENCRYPT$ are reserved for VSI.

 key-value

    String representing the value of the encryption key. Specify
    either ASCII text or a hexadecimal constant, as follows:

    o  ASCII text string (default)

       -  Minimum length: 8 (DES) 16, 24, or 32 (AES-128, 192, and
          256 bits respectively).

       -  Maximum length: approximately 240 characters.

       -  The string is not case sensitive for DES keys.

       -  If you use characters other than alphanumeric characters,
          for example, blank spaces, enclose the string in quotation
          marks ( " " ).

    o  Hexadecimal constant

       -  Use the /HEXADECIMAL qualifier.

       -  Valid characters: 0 to 9, A to F (ASCII coded HEX nibbles).

       -  Minimum length: 16 characters-DES-32, 48, or 64 (AES-128,
          192, and 256 bits respectively).

       -  Do not enclose the value in quotation marks.

5.2  –  Qualifiers

5.2.1    /AES

    Designates that an AES key is to be created, which is encrypted
    with the AESCBC128 encryption routine.

5.2.2    /GROUP

    Enters the key definition in the group key storage table.

5.2.3    /HEXADECIMAL

       /HEXADECIMAL
       /NOHEXADECIMAL

    Specifies that the value for the key is a hexadecimal number.
    Default: key values are interpreted as ASCII text characters (see
    the description of the key-value parameter).

5.2.4    /JOB

    Enters the key definition in the job key storage table.

5.2.5    /LOG

    Verifies successful creation of the key.

5.2.6    /PROCESS

    Enters the key definition in the process key storage table.

5.2.7    /SYSTEM

    Enters the key definition in the system key storage table.

5.3  –  Examples

    1.$ ENCRYPT /CREATE_KEY HAMLET
      _ Key value: "And you yourself shall keep the key of it"

      This example defines a DES key named HAMLET with the character
      string value "And you yourself shall keep the key of it".

    2.$ ENCRYPT /CREATE_KEY /HEXADECIMAL ARCANE 2F4A98F46BBC11DC

      This example defines a DES key named ARCANE with hexadecimal
      value of 2F4A98F46BBC11DC.)

    3.$ ENCRYPT /CREATE_KEY MYKEY "The 16 char. key" /LOG/AES

      This example defines an AES key named MYKEY with the minimum
      16-character string value "The 16 char. key" that is required
      for AESxxx128, logging its successful creation. The key is
      encrypted with AES prior to storage in the PROCESS (default)
      logical name table.

    4.$ SHOW LOGICAL ENC* /TABLE=ENCRYPT$KEY_STORE

      LNM$PROCESS_TABLE

        "ENCRYPT$KEY$MYKEY" =  "ê¢É.à­0S%M.....ÕSBò¼¶í.}â0ÓL.ñ.Z"

      LNM$JOB_8210B400

      LNM$GROUP_000001

      ENCRYPT$SYSTEM

      This example shows that key names are prepended with
      ENCRYPT$KEY$, as in the named key ENCRYPT$KEY$MYKEY.

6    /REMOVE_KEY

    Deletes a key definition from a key storage table. The PROCESS
    logical name table is the default unless otherwise specified.

    Format for the ENCRYPT /REMOVE_KEY Command

      ENCRYPT /REMOVE_KEY  key-name [qualifiers]

6.1  –  Parameters

 key-name

    Key name previously stored in the key storage table with the
    ENCRYPT /CREATE_KEY command.

6.2  –  Qualifiers

6.2.1    /AES

    Designates that an AES key is to be deleted. Specifying a unique
    key name and table is sufficient for deletion, making the /AES
    qualifier unnecessary but included for clarification.

6.2.2    /GROUP

    Deletes the key definition from the group key storage table.

6.2.3    /JOB

    Deletes the key definition from the job key storage table.

6.2.4    /PROCESS

    Deletes the key definition from the process key storage table.

6.2.5    /SYSTEM

    Deletes the key definition from the system key storage table.

6.3  –  Example

  $ ENCRYPT /REMOVE_KEY MYKey /AES

      This command removes or deletes the AES key, MYKEY.
Close Help