1 DECRYPT
Decrypts files previously encrypted with the ENCRYPT command.
DES is the default algorithm unless otherwise specified with
the /KEY_ALGORITHM qualifier. The key specified must match the
algorithm (DES or AES), and the same key is used to decrypt as
was used to encrypt; a symmetric key algorithm.
Format
DECRYPT input-file key-name [qualifiers]
2 Parameters
input-file
File names of the files to decrypt. If you use wildcard
characters, do not include directory files or files with bad
blocks.
key-name
Key name that was previously stored in the key storage table by
the ENCRYPT /CREATE_KEY command.
2 Qualifiers
/BACKUP
/BACKUP[=time]
Selects files according to the dates of their most recent backup.
This qualifier is relevant only when used with the /BEFORE or the
/SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED
or /MODIFIED.
If you omit time, TODAY is used. For more information on time
specifications, see the OpenVMS User's Manual.
/BEFORE
/BEFORE[=time]
Selects files that have a creation time before the time you
specify.
If you omit time, TODAY is used. For more information on time
specifications, see the OpenVMS User's Manual.
/BY_OWNER
/BY_OWNER[=uic]
/NOBY_OWNER
Selects files with the owner UIC you specify.
If you omit uic, the UIC of the current process is used. For
more information on specifying UIC format, see the OpenVMS User's
Manual.
/CONFIRM
/CONFIRM
/NOCONFIRM
Controls whether or not a confirmation request is displayed
before each decryption, as follows:
Response Meaning
YES Decrypts the file
NO or <Return> Does not decrypt the file (default)
QUIT or Does not decrypt the file or any subsequent
<Ctrl/Z> files
ALL Decrypts the file plus all subsequent files
/DELETE
/DELETE
/NODELETE
Default: /NODELETE.
Controls whether or not the input files are deleted after the
decryption operation is complete and the output file is written
and closed.
/ERASE
/ERASE
/NOERASE
Controls whether or not the input files are erased with the data
security pattern before being deleted. By default, the location
in which the data was stored is not overwritten with the data
security pattern. The /ERASE qualifier must be used with /DELETE.
/EXCLUDE
/EXCLUDE=file-spec
/NOEXCLUDE
Excludes the specified files from the decryption operation. You
can use wildcard characters. You do not need to enter an entire
file specification. Any field that you omit defaults to the input
file specification.
Because directory files are never encrypted, you need not specify
them.
/EXPIRED
/EXPIRED[=time]
Selects files according to the dates on which they expire.
This qualifier is relevant only when used with the /BEFORE or the
/SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP
or /MODIFIED.
If you omit time, TODAY is used. For more information on time
specifications, see the OpenVMS User's Manual.
/KEY_ALGORITHM
{ DESCBC (default) }
/KEY_ALGORITHM= { AESmmmkkk }
{ }
Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128,
192, or 256 bits. Cipher Block Chaining (CBC) and Electronic Code
Book (ECB) are 16-byte block modes, meaning blocks are padded to
16 bytes if necessary during encryption. The padding is removed
during decryption. Cipher Feedback (CFB) and Output Feedback
(OFB) are 8-bit character stream mode emulation, useful in data
communications and where no padding is required. Note that /KEY_
ALGORITHM=AES is a shortcut for specifying AESCBC128.
The algorithm by which the random key and the initialization
vector are protected within the encrypted file. Specify the same
algorithm (AES or DES) that you used to encrypt the file and
create the key, if not, the default is DESCBC.
/MODIFIED
/MODIFIED[=time]
Selects files according to the dates on which they were last
modified.
This qualifier is relevant only when used with the /BEFORE or the
/SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP
or /EXPIRED.
If you omit time, TODAY is used. For more information on time
specifications, see the OpenVMS User's Manual.
/OUTPUT
/OUTPUT=file-spec
Alternate output file name for the decryption operation.
By default, each input file decrypted is written to a separate
output file that is one version higher than that of the input
file. When using the /OUTPUT qualifier, specify the parts of the
file specification different from the defaults. You do not need
to provide an entire file specification. Any field that you omit
defaults to the input file specification.
/SHOW
/SHOW=(keyword-list)
Controls whether or not the following information about the
decryption operation is displayed on SYS$COMMAND:
Keyword Meaning
FILES Displays input and output file names on
SYS$COMMAND
STATISTICS Displays the encryption stream statistics:
o Bytes processed
o Internal records processed
o CPU time consumed within the encryption
algorithm
/SINCE
/SINCE[=time]
Selects files that have a creation date before the time you
specify.
If you omit time, TODAY is used. For more information on time
specifications, see the OpenVMS User's Manual.
/STATISTICS
Similar to /SHOW, except that /STATISTICS lists both files and
statistics, whereas /SHOW can be customized to list only one or
the other.
2 Examples
1.$ DECRYPT BOSTON MYKEY
Decrypts the file name BOSTON using the DES key, MYKEY, and the
DESCBC algorithm.
2.$ DECRYPT CHIGAGO.ENC KEY2 /KEY=AESECB256 /OUT=CHICAGO.DEC
Decrypts the file named CHICAGO.ENC using the AES key, KEY2,
and the AESECB256 algorithm, renaming the decrypted output file
to CHICAGO.DEC, the original plaintext file.