1 DECRYPT Decrypts files previously encrypted with the ENCRYPT command. DES is the default algorithm unless otherwise specified with the /KEY_ALGORITHM qualifier. The key specified must match the algorithm (DES or AES), and the same key is used to decrypt as was used to encrypt; a symmetric key algorithm. Format DECRYPT input-file key-name [qualifiers] 2 Parameters input-file File names of the files to decrypt. If you use wildcard characters, do not include directory files or files with bad blocks. key-name Key name that was previously stored in the key storage table by the ENCRYPT /CREATE_KEY command. 2 Qualifiers /BACKUP /BACKUP[=time] Selects files according to the dates of their most recent backup. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED or /MODIFIED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /BEFORE /BEFORE[=time] Selects files that have a creation time before the time you specify. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /BY_OWNER /BY_OWNER[=uic] /NOBY_OWNER Selects files with the owner UIC you specify. If you omit uic, the UIC of the current process is used. For more information on specifying UIC format, see the OpenVMS User's Manual. /CONFIRM /CONFIRM /NOCONFIRM Controls whether or not a confirmation request is displayed before each decryption, as follows: Response Meaning YES Decrypts the file NO or Does not decrypt the file (default) QUIT or Does not decrypt the file or any subsequent files ALL Decrypts the file plus all subsequent files /DELETE /DELETE /NODELETE Default: /NODELETE. Controls whether or not the input files are deleted after the decryption operation is complete and the output file is written and closed. /ERASE /ERASE /NOERASE Controls whether or not the input files are erased with the data security pattern before being deleted. By default, the location in which the data was stored is not overwritten with the data security pattern. The /ERASE qualifier must be used with /DELETE. /EXCLUDE /EXCLUDE=file-spec /NOEXCLUDE Excludes the specified files from the decryption operation. You can use wildcard characters. You do not need to enter an entire file specification. Any field that you omit defaults to the input file specification. Because directory files are never encrypted, you need not specify them. /EXPIRED /EXPIRED[=time] Selects files according to the dates on which they expire. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP or /MODIFIED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /KEY_ALGORITHM { DESCBC (default) } /KEY_ALGORITHM= { AESmmmkkk } { } Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128, 192, or 256 bits. Cipher Block Chaining (CBC) and Electronic Code Book (ECB) are 16-byte block modes, meaning blocks are padded to 16 bytes if necessary during encryption. The padding is removed during decryption. Cipher Feedback (CFB) and Output Feedback (OFB) are 8-bit character stream mode emulation, useful in data communications and where no padding is required. Note that /KEY_ ALGORITHM=AES is a shortcut for specifying AESCBC128. The algorithm by which the random key and the initialization vector are protected within the encrypted file. Specify the same algorithm (AES or DES) that you used to encrypt the file and create the key, if not, the default is DESCBC. /MODIFIED /MODIFIED[=time] Selects files according to the dates on which they were last modified. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP or /EXPIRED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /OUTPUT /OUTPUT=file-spec Alternate output file name for the decryption operation. By default, each input file decrypted is written to a separate output file that is one version higher than that of the input file. When using the /OUTPUT qualifier, specify the parts of the file specification different from the defaults. You do not need to provide an entire file specification. Any field that you omit defaults to the input file specification. /SHOW /SHOW=(keyword-list) Controls whether or not the following information about the decryption operation is displayed on SYS$COMMAND: Keyword Meaning FILES Displays input and output file names on SYS$COMMAND STATISTICS Displays the encryption stream statistics: o Bytes processed o Internal records processed o CPU time consumed within the encryption algorithm /SINCE /SINCE[=time] Selects files that have a creation date before the time you specify. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /STATISTICS Similar to /SHOW, except that /STATISTICS lists both files and statistics, whereas /SHOW can be customized to list only one or the other. 2 Examples 1.$ DECRYPT BOSTON MYKEY Decrypts the file name BOSTON using the DES key, MYKEY, and the DESCBC algorithm. 2.$ DECRYPT CHIGAGO.ENC KEY2 /KEY=AESECB256 /OUT=CHICAGO.DEC Decrypts the file named CHICAGO.ENC using the AES key, KEY2, and the AESECB256 algorithm, renaming the decrypted output file to CHICAGO.DEC, the original plaintext file.