1 ENCRYPT There are four ENCRYPT commands: ENCRYPT Encrypts files. Before you enter this command, create a key with the ENCRYPT /CREATE_KEY command. ENCRYPT /AUTHENTICATE Checks for changes to either plain text or cipher text files (see /AUTHENTICATE). ENCRYPT /CREATE_KEY Defines a key to be used during encryption (see /CREATE_KEY). ENCRYPT /REMOVE_KEY Deletes a key definition from a key storage table (see /REMOVE_KEY). Format for the ENCRYPT Command ENCRYPT input-file key-name [qualifiers] 2 Parameters input-file File names of the files to encrypt. If you use wildcard characters, do not include directory files or files with bad blocks. key-name Key name previously stored in the key storage table with the ENCRYPT /CREATE_KEY command. 2 Qualifiers /BACKUP /BACKUP[=time] Selects files according to the dates of their most recent backup. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED or /MODIFIED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /BEFORE /BEFORE[=time] Selects files that have a creation time before the time you specify. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /BY_OWNER /BY_OWNER[=uic] /NOBY_OWNER Selects files with the owner UIC you specify. If you omit uic, the UIC of the current process is used. For more information on specifying UIC format, see the OpenVMS User's Manual. /COMPRESS /COMPRESS /NOCOMPRESS Optional. Default: /NOCOMPRESS. Controls whether or not data compression occurs before a file is encrypted. /CONFIRM /CONFIRM /NOCONFIRM Controls whether or not a confirmation request is displayed before each encryption, as follows: Response Meaning YES Encrypts the file NO or Does not encrypt the file (default) QUIT or Does not encrypt the file or any subsequent files ALL Encrypts the file plus all subsequent files /DATA_ALGORITHM { DESCBC (default) } /DATA_ALGORITHM= { AESmmmkkk } { } Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128, 192, or 256 bits. Cipher Block Chaining (CBC) and Electronic Code Book (ECB) are 16-byte block modes, meaning blocks are padded to 16 bytes if necessary during encryption. The padding is removed during decryption. Cipher Feedback (CFB) and Output Feedback (OFB) are 8-bit character stream mode emulation, useful in data communications and where no padding is required. Note that /DATA_ALGORITM=AES is a shortcut for specifying AESCBC128. The data algorithm is used with the randomly generated key to perform encryption of the file's data. When specifying an AES algorithm, specify both /KEY and /DATA=AESmmmkkk qualifiers and use an AES created key. /DELETE /DELETE /NODELETE Controls whether or not the input files are deleted after the encryption operation is complete and the output file is written and closed. By default, the input file is not deleted. /ERASE /ERASE /NOERASE Controls whether or not the input files are erased with the data security pattern before being deleted. By default, the location in which the data was stored is not overwritten with the data security pattern. The /ERASE qualifier must be used with /DELETE. /EXCLUDE /EXCLUDE=file-spec /NOEXCLUDE Excludes the specified files from the encryption operation. You can use wildcard characters. You do not need to enter an entire file specification. Any field that you omit defaults to the input file specification. Because directory files are never encrypted, you need not specify them. /EXPIRED /EXPIRED[=time] Selects files according to the dates on which they expire. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP or /MODIFIED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /KEY_ALGORITHM { DESCBC (default) } /KEY_ALGORITHM= { AESmmmkkk } { } Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128, 192, or 256 bits. Note that /KEY_ALGORITHM=AES is a shortcut for specifying AESCBC128. The command uses this key algorithm with the key you supply to encrypt the randomly generated data encryption key and the initialization vector stored within the file. When specifying an AES algorithm, specify both /KEY and /DATA qualifiers and use an AES created key. /MODIFIED /MODIFIED[=time] Selects files according to the dates on which they were last modified. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP or /EXPIRED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /OUTPUT /OUTPUT=file-spec Alternate output file name for the encryption operation. By default, each input file encrypted is written to a separate output file that is one version higher than the highest version of the input file. When using the /OUTPUT qualifier, specify the parts of the file specification different from the defaults. You do not need to provide an entire file specification. Any field that you omit defaults to the input file specification. /SHOW /SHOW=keyword-list Controls whether or not the following information about the encryption operation is displayed on SYS$COMMAND: Keyword Meaning FILES Displays input and output file names on SYS$COMMAND STATISTICS Displays the encryption stream statistics: o Bytes processed o Internal records processed o CPU time consumed within the encryption algorithm /SINCE /SINCE[=time] Selects files that have a creation date before the time you specify. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /STATISTICS Similar to /SHOW, except that /STATISTICS lists both files and statistics, whereas /SHOW can be customized to list only one or the other. /VERSION Displays the version number of the Encryption for OpenVMS software running on your system. 2 Examples 1.$ ENCRYPT TROY MYKEY Encrypts the file TROY using the key MYKEY. 2.$ ENCRYPT NEWFILE.TXT MONET/KEY_ALGORITHM=AESCBC128/DATA_ALGORITHM=AESCBC128 Encrypts the file NEWFILE.TXT with the AES key, MONET, using the algorithm AESCBC128. A new version, NEWFILE.TXT;n+1, of the original file (now encrypted) is created. Use the /OUTPUT=filename qualifier to preserve the original file name, renaming the encrypted output file. 2 /AUTHENTICATE Associates a DES algorithm Message Authenticate Code (MAC) value with one or more files and checks for any modification of either plain text or cipher text files. Use the additional /UPDATE qualifier to store each file's MAC in the databases. Use only the /AUTHENTICATE qualifier to subsequently test the integrity of the file's data and security attributes. You must create a DES key prior to updating or checking an existing MAC. The AES algorithm is not supported for file MAC operations. Format for the ENCRYPT /AUTHENTICATE Command ENCRYPT /AUTHENTICATE file-spec key-name [qualifiers] 3 Parameters file-spec File names of the files to authenticate. Behavior can be modified with the /MULTIPLE_FILES qualifier. key-name Key name previously stored in the key storage table with the ENCRYPT /CREATE_KEY command. 3 Qualifiers /BACKUP /BACKUP[=time] Selects files according to the dates of their most recent backup. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED or /MODIFIED. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /BEFORE /BEFORE=time Selects files that have a creation time before the time you specify. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /BY_OWNER /BY_OWNER[=uic] /NOBY_OWNER Selects files with the owner UIC you specify. If you omit uic, the UIC of the current process is used. For more information on specifying UIC format, see the OpenVMS User's Manual. /CONFIRM /CONFIRM /NOCONFIRM Controls whether or not a confirmation request is displayed before each authentication, as follows: Response Meaning YES Authenticates the file NO or Does not authenticate the file (default) QUIT or Does not authenticate the file or any subsequent files ALL Encrypts the file plus all subsequent files /DATABASE /DATABASE=file-spec /NODATABASE File name of the file in which to store binary MAC values. Generates a MAC using the file contents. If you do not specify a file name, the file name SYS$LOGIN:ENCRYPT$MAC.DAT is used. /EXCLUDE /EXCLUDE=file-spec /NOEXCLUDE Excludes the specified files from the authentication operation. You can use wildcard characters. You do not need to enter an entire file specification. Any field that you omit defaults to the input file specification. Because directory files are never encrypted, you need not specify them. /EXPIRED /EXPIRED[=time] Selects files according to the dates on which they expire. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP or /MODIFIED. If you omit a time value, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /LOG Displays the results of the authentication operation. /MODIFIED /MODIFIED[=time] Selects files according to the dates on which they were last modified. This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP or /EXPIRED. If you omit a time value, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /MULTIPLE_FILES Indicates that the file-spec parameter contains a list of file names to be checked. The file-spec file is opened and each record is read and treated as a file-spec. /OUTPUT /OUTPUT=file-spec /NOOUTPUT File name of the file in which to store readable MAC values. These MAC values represent both the file contents as well as the security settings. If you do not specify a file name, the default file name SYS$LOGIN:ENCRYPT$MAC.LIS is used. /SECURITY /SECURITY=file-spec /NOSECURITY File name of the file in which to store binary MAC values. If you do not specify a file name, the default file name ENCRYPT$SEC.DAT is used. Generates a MAC using the file's security settings: owner, protection settings, and optional ACL. /SINCE /SINCE[=time] Selects files that have a creation time before the time you specify. If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual. /UPDATE /UPDATE /NOUPDATE Associates new MAC values with one or more files. 3 Example $ ENCRYPT /AUTHENTICATE NEWFILE HAMLET/CONFIRM Associates a MAC with the file NEWFILE using the key HAMLET. This command also displays a confirmation request before each authentication. $ ENCRYPT/AUTHENTICATE/UPDATE *.* MYKEY %ENCRYPT-NEWDB, new authentication code database has been created %ENCRYPT-NEWSECDB, new authentication security settings database has been created %ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 0 %ENCRYPT-I-SUMMARY2, Files failing authentication: 0 %ENCRYPT-I-SUMMARY3, Files not in database: 73 %ENCRYPT-I-SECSUMM1, Summary: Security settings authenticated: 0 %ENCRYPT-I-SECSUMM2, Security settings failing authentication: 0 %ENCRYPT-I-SECSUMM3, Security settings not in database: 73 This example creates a MAC for each file in the current directory using the key named MYKEY, storing them in the two databases: SYS$LOGIN:ENCRYPT$MAC.DAT and ENCRYPT$SEC_MAC.DAT. $ ENCRYPT /AUTHENTICATE *.* MYKEY %ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes %ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 73 %ENCRYPT-I-SUMMARY2, Files failing authentication: 0 %ENCRYPT-I-SUMMARY3, Files not in database: 0 %ENCRYPT-I-SECSUMM1, Summary: Security settings authenticated: 73 %ENCRYPT-I-SECSUMM2, Security settings failing authentication: 0 %ENCRYPT-I-SECSUMM3, Security settings not in database: 0 This example authenticates the same files as in Example 3 by creating a new MAC and comparing that with those in each database, testing file data integrity and security attributes as indicated in the summary. 2 /CREATE_KEY Creates a key definition name and value to be used for encrypting and decrypting files. The key is a string that represents the name under which its value is encrypted and stored in the key storage table; a logical name table. A DES key is created in the PROCESS logical name table by default unless the /AES qualifier is specified. Note that AES requires longer key-length values than the 8-byte DES keys. AES requires a minimum of 16, 24, or 32 bytes depending on the algorithm/key size specified for encryption or decryption. Format for the ENCRYPT /CREATE_KEY Command ENCRYPT /CREATE_KEY key-name key-value [qualifiers] 3 Parameters key-name Name under which the encryption key will be stored in the key storage table. Specify a character string according to the following conventions: o 1 to 243 alphanumeric characters o Dollar signs and underscores are valid. o Not case sensitive Use a name that has meaning to you, to help you remember it. NOTE Key names beginning with ENCRYPT$ are reserved for HP. key-value String representing the value of the encryption key. Specify either ASCII text or a hexadecimal constant, as follows: o ASCII text string (default) - Minimum length: 8 (DES) 16, 24, or 32 (AES-128, 192, and 256 bits respectively). - Maximum length: approximately 240 characters. - The string is not case sensitive for DES keys. - If you use characters other than alphanumeric characters, for example, blank spaces, enclose the string in quotation marks ( " " ). o Hexadecimal constant - Use the /HEXADECIMAL qualifier. - Valid characters: 0 to 9, A to F (ASCII coded HEX nibbles). - Minimum length: 16 characters-DES-32, 48, or 64 (AES-128, 192, and 256 bits respectively). - Do not enclose the value in quotation marks. 3 Qualifiers /AES Designates that an AES key is to be created, which is encrypted with the AESCBC128 encryption routine. /GROUP Enters the key definition in the group key storage table. /HEXADECIMAL /HEXADECIMAL /NOHEXADECIMAL Specifies that the value for the key is a hexadecimal number. Default: key values are interpreted as ASCII text characters (see the description of the key-value parameter). /JOB Enters the key definition in the job key storage table. /LOG Verifies successful creation of the key. /PROCESS Enters the key definition in the process key storage table. /SYSTEM Enters the key definition in the system key storage table. 3 Examples 1.$ ENCRYPT /CREATE_KEY HAMLET _ Key value: "And you yourself shall keep the key of it" This example defines a DES key named HAMLET with the character string value "And you yourself shall keep the key of it". 2.$ ENCRYPT /CREATE_KEY /HEXADECIMAL ARCANE 2F4A98F46BBC11DC This example defines a DES key named ARCANE with hexadecimal value of 2F4A98F46BBC11DC.) 3.$ ENCRYPT /CREATE_KEY MYKEY "The 16 char. key" /LOG/AES This example defines an AES key named MYKEY with the minimum 16-character string value "The 16 char. key" that is required for AESxxx128, logging its successful creation. The key is encrypted with AES prior to storage in the PROCESS (default) logical name table. 4.$ SHOW LOGICAL ENC* /TABLE=ENCRYPT$KEY_STORE LNM$PROCESS_TABLE "ENCRYPT$KEY$MYKEY" = "ê¢É.à­0S%M.....ÕSBò¼¶í.}â0ÓL.ñ.Z" = "AES" LNM$JOB_8210B400 LNM$GROUP_000001 ENCRYPT$SYSTEM This example shows that key names are prepended with ENCRYPT$KEY$, as in the named key ENCRYPT$KEY$MYKEY. 2 /REMOVE_KEY Deletes a key definition from a key storage table. The PROCESS logical name table is the default unless otherwise specified. Format for the ENCRYPT /REMOVE_KEY Command ENCRYPT /REMOVE_KEY key-name [qualifiers] 3 Parameters key-name Key name previously stored in the key storage table with the ENCRYPT /CREATE_KEY command. 3 Qualifiers /AES Designates that an AES key is to be deleted. Specifying a unique key name and table is sufficient for deletion, making the /AES qualifier unnecessary but included for clarification. /GROUP Deletes the key definition from the group key storage table. /JOB Deletes the key definition from the job key storage table. /PROCESS Deletes the key definition from the process key storage table. /SYSTEM Deletes the key definition from the system key storage table. 3 Example $ ENCRYPT /REMOVE_KEY MYKey /AES This command removes or deletes the AES key, MYKEY.