Encryption for OpenVMS Installation and Reference Manual



2.4 After You Run the Installation Procedure

When the installation is finished, before you run the Encryption for OpenVMS software, follow these post-installation steps:

  1. Edit the system startup procedure, SYS$STARTUP:SYSTARTUP_VMS.COM.
  2. Log out and then log in again.

2.4.1 Rereading the Release Notes

After installation, you can still access the Encryption for OpenVMS Release Notes even if you have dismounted the distribution medium or deleted the copy of the Release Notes in the Encryption directory. Use the PRODUCT EXTRACT RELEASE_NOTES command to copy the document from the installed kit to a file.

The default file name is DEFAULT.PCSI$RELEASE_NOTES, in your current directory. To specify a different name for the file, use the /FILE qualifier. Follow these steps:

  1. Ensure that one of the following is true:
  2. Enter the PRODUCT EXTRACT RELEASE_NOTES command. For example:


     
    $ PRODUCT EXTRACT RELEASE_NOTES CPQ-VMS-ENCRYPT-V0106.RELEASE_NOTES - 
    _$ /FILE=[ENCRYPT0106]RELEASE_NOTES.TXT 
     
    

2.5 De-Installing

To de-install Encryption files, use the PRODUCT REMOVE command:


 
$ PRODUCT REMOVE ENCRYPT 
 
The following product has been selected: 
    CPQ AXPVMS ENCRYPT V1.6                Layered Product 
 
Do you want to continue? [YES] [Return] 
 
The following product will be removed from destination: 
    CPQ AXPVMS ENCRYPT V1.6                DISK$COE_X92N:[VMS$COMMON.] 
 
Portion done: 0%...20%...30%...40%...50%...60%...70%...80%...90%...100% 
 
The following product has been removed: 
    CPQ AXPVMS ENCRYPT V1.6                Layered Product 
 


Chapter 3
Using the Encryption for OpenVMS Features

Interactively using the features of the Encryption for OpenVMS product consists of the following tasks:

Use DCL commands to accomplish these tasks. For information about adding encryption and decryption processes to your software applications, see Chapter 4.

3.1 Defining Keys

To define a key, enter the ENCRYPT /CREATE_KEY command:

ENCRYPT /CREATE_KEY key-name key-value [ qualifiers ]

where
key-name is the name of the key.
key-value is the value you assign to the key.
qualifiers are options that control the format of the key value or where the key is stored.

3.1.1 Specifying the Key Name

To specify key-name on the ENCRYPT /CREATE_KEY command line, specify a character string using the following rules:

To help you remember the name, use one that has meaning to you.

Note

Key names beginning with ENCRYPT$ are reserved for Compaq.

3.1.2 Specifying the Key Value

To specify a key-value on the ENCRYPT /CREATE_KEY command line, use either a text string or a hexadecimal constant, using the following rules:

ASCII text string (default):

Example: This command defines a key named HAMLET with the character string value "And you yourself shall keep the key of it":


 
$ ENCRYPT /CREATE_KEY HAMLET 
 
_ Key value: "And you yourself shall keep the key of it" 
 

Hexadecimal constant

Example: The following command defines a key named ARCANE with hexadecimal value 2F4A98F46BBC11D:


 
$ ENCRYPT /CREATE_KEY /HEX ARCANE 2F4A98F46BBC11D 

In addition, when you specify key-value, do not use weak keys. These are key values with a pattern of repeated characters or groups of characters. Using a pattern results in an encrypted form that might be easy for unauthorized users to decrypt. For example, the hexadecimal constant 0101010101010101 and the text string 'abcabcabc' are weak keys.

Using weak keys might produce the following consequences:

Compaq supplies a table of known weak keys with the Encryption software. The software checks keys you define against this table and displays an error message when you supply a weak key.

3.1.3 Verifying Key Creation

To verify the successful creation of a key, use the /LOG qualifier. For example, this command reports that the key HAMLET is defined:


$ ENCRYPT /CREATE_KEY /LOG HAMLET 
 
_ Key value: "And you yourself shall keep the key of it" 
%ENCRYPT-S-KEYDEF, key defined for key name = HAMLET 
 

3.1.4 Specifying Key Storage Tables

When you define a key, it is stored in encrypted form in a key storage table. The key value is stored under the key name. When you encrypt files, the process takes this stored information and does the following:

Key storage tables determine which users can access keys. The following key storage tables control user access:

To enter keys into the key storage tables, use the following ENCRYPT /CREATE_KEY qualifiers:

3.1.5 Key Maintenance

When you encrypt a file, the key you use is like a password to that file. It is important to keep it secret. In addition, ensure that you remember the key value. You need both the key name and the key value to decrypt the file.

A key stored in the process key storage table lasts for the life span of the process that defined the keys in the table. Like other process-specific structures, the process key storage table disappears when you log out.

Key values that are meaningful to you are the most memorable, but avoid easily guessed choices such as your nickname or the make of your car. Never post a key name or value in your office or store it online. Like operating system passwords, increasing the length of a key value lessens the possibility of discovery.

The DES algorithm requires that a key value have a minimum length of eight non-null characters. To improve the security of the key value, specify more than eight.
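
The weak-key rule of Section 3.1.2 and the eight-character DES minimum above can be checked before a value is ever typed at the Key value prompt. The following Python is an added example and is not part of the Encryption for OpenVMS product or of this manual. The product's own weak-key table is not reproduced on this page, so the table used here is the published DES weak and semi-weak key list; the repeated-pattern test is this example's own heuristic; and the treatment of a hexadecimal constant with an odd number of digits (left-padded with one zero digit) is an assumption, since the page does not say how the product handles it.

```python
"""Added example (not product code): pre-flight checks on a key value
before it is given to ENCRYPT /CREATE_KEY."""
from __future__ import annotations

# Published DES weak keys (four) and semi-weak keys (six pairs), written
# with odd parity as in FIPS 74 / NIST SP 800-67. The product's own
# weak-key table is not on this page; this list is used in its place.
DES_WEAK_KEYS = [
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
]
DES_SEMI_WEAK_KEYS = [
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
]


def strip_parity(key: bytes) -> bytes:
    """DES uses only 56 of the 64 key bits: the low bit of each byte is a
    parity bit that the algorithm ignores. Mask it off so that keys which
    differ only in parity compare equal."""
    return bytes(b & 0xFE for b in key)


KNOWN_BAD = {strip_parity(bytes.fromhex(k))
             for k in DES_WEAK_KEYS + DES_SEMI_WEAK_KEYS}


def key_bytes(value: str, hex_constant: bool = False) -> bytes:
    """The key-value argument as bytes: ASCII text by default, or a
    hexadecimal constant when /HEX is given. ASSUMPTION: an odd number of
    hex digits is left-padded with one zero digit; the page does not say
    how the product treats that case."""
    if not hex_constant:
        return value.encode("ascii")
    digits = value.strip().upper()
    if not digits or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a hexadecimal constant")
    if len(digits) % 2:
        digits = "0" + digits
    return bytes.fromhex(digits)


def smallest_period(data: bytes) -> int:
    """Length of the shortest unit whose repetition forms data; equals
    len(data) when there is no repetition (b'abcabcabc' -> 3)."""
    n = len(data)
    for p in range(1, n):
        if n % p == 0 and data[:p] * (n // p) == data:
            return p
    return n


def check_key_value(value: str, hex_constant: bool = False) -> list[str]:
    """Problems with the value, in the order found. An empty list means
    the value passes the rules on this page: no repeated pattern, not a
    known DES weak key, and at least eight non-null characters for text."""
    problems = []
    raw = key_bytes(value, hex_constant)
    if not hex_constant and len(raw.replace(b"\x00", b"")) < 8:
        problems.append("fewer than eight non-null characters")
    if len(raw) > 1 and smallest_period(raw) < len(raw):
        problems.append("repeated pattern")   # heuristic of this example
    if len(raw) == 8 and strip_parity(raw) in KNOWN_BAD:
        problems.append("DES weak or semi-weak key")
    return problems


if __name__ == "__main__":
    for value, is_hex in [("And you yourself shall keep the key of it", False),
                          ("2F4A98F46BBC11D", True),
                          ("0101010101010101", True),
                          ("abcabcabc", False)]:
        print(value, "->", check_key_value(value, is_hex) or ["ok"])
```

Because DES ignores the parity bit of every key byte, the comparison masks that bit off: a value such as 0000000000000001 is the same DES key as 0101010101010101 and is rejected even though it does not appear in the table verbatim. The check does not model how the product maps a text value longer than eight characters onto a DES key, because this page does not describe that mapping.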

3.2 Encrypting Files

After you define a key with the ENCRYPT /CREATE_KEY command, use this key to encrypt files. Enter the ENCRYPT command. In addition to the key, specify a plaintext file. The syntax of the ENCRYPT command is as follows:

ENCRYPT file-spec key-name [ qualifiers ]

where
file-spec is the plaintext input file specification.
key-name is the name of the key.
qualifiers are options that control the encryption process or the selection of files you want to encrypt.

3.2.1 Input File Specification

For the plaintext file specified on the ENCRYPT command line, use a file that resides on disk and that is not a directory file.

To specify multiple input files, use wildcard characters in the file specification. To control file selection, specify the appropriate ENCRYPT command qualifiers (see Section 3.2.4). Do not use wildcard characters to specify directory files or files containing bad blocks.

3.2.2 Output File Specification

The result of the encryption operation is a ciphertext file. One ciphertext file is created for each input file that is encrypted.

By default, the ENCRYPT command writes each ciphertext file to a separate output file with the same name except that it has a version number one higher than that of the current input file.

To specify an alternate output file specification, use the /OUTPUT qualifier. Specify only the file specification parts that you want to change from the defaults. For example, the following command encrypts all the files in the current directory that match the wildcard file specification *.COM. The /OUTPUT qualifier specifies that any output files created have a file type of .ENC. FRANCISSCOTT is the key used to encrypt the files.


 
$ ENCRYPT *.COM /OUTPUT=.ENC FRANCISSCOTT 
 

Do not specify a file that already exists. For example, you cannot name the output file NEWS.DAT;2 if NEWS.DAT;2 already exists. However, specifying NEWS.DAT as both the input and output files is valid.

3.2.3 Displaying Processing Information

By default, information about the encryption operation is not displayed. To display information about file encryption operations on SYS$COMMAND, use the /SHOW qualifier. The /SHOW qualifier has the format:

/SHOW=keyword

or

/SHOW=(keyword-list)

Specify one or more of the following keywords:

3.2.3.1 FILES Keyword

The FILES keyword displays the file specifications of the input and output files. For example, /SHOW=FILES in the following command specifies that each input and output file specification be displayed as it is encrypted.


$ ENCRYPT /SHOW=FILES *.COM FRANCISSCOTT 
 
%ENCRYPT-S-ENCRYPTED, DISK2:[FLYNN]MOVE.COM;2 encrypted to DISK2:[FLYNN]MOVE.COM;3 (8 blocks) 
. 
. 
. 

3.2.3.2 STATISTICS Keyword

Use the STATISTICS keyword to display encryption stream statistics after the completion of each file operation. The statistics displayed are:

The following command specifies that encryption stream statistics be displayed on SYS$COMMAND.


$ ENCRYPT /SHOW=STATISTICS *.COM FRANCISSCOTT 
 
%ENCRYPT-S-STATISTICS, encryption stream statistics: 
         Total Records: 65 
         Total Bytes: 4083 
         Total Time: 00:00:01.63 
. 
. 
. 
 

3.2.4 Specifying Files to Encrypt

To specify multiple input files, use the ENCRYPT command with wildcard characters in the input file specification.

The following ENCRYPT command qualifiers can help you select files:

3.2.4.1 /BACKUP Qualifier

The /BACKUP qualifier selects files for encryption according to the date of their most recent backup. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier has the format:

/BACKUP /BEFORE[=time]

or

/BACKUP /SINCE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that had backup copies made before 00:00:00 15-APR-2001.


 
$ ENCRYPT /BACKUP /BEFORE=15-APR-2001 *.COM FRANCISSCOTT 
 

Do not use the /BACKUP qualifier with either the /EXPIRED or the /MODIFIED qualifier.

3.2.4.2 /BEFORE Qualifier

The /BEFORE qualifier selects files for encryption that have a creation time before the time specified with the qualifier. The /BEFORE qualifier has the format:

/BEFORE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were created before 00:00:00 15-APR-2001.


 
$ ENCRYPT /BEFORE=15-APR-2001 *.COM FRANCISSCOTT 
 

3.2.4.3 /BY_OWNER Qualifier

The /BY_OWNER qualifier allows you to select files for encryption that have a particular owner User Identification Code (UIC). If no UIC is specified with the qualifier, the UIC of the current process is used. The /BY_OWNER qualifier has the format:

/BY_OWNER=uic

where uic is the UIC of the owner of the file.

For more information on specifying UIC format, see the OpenVMS DCL Dictionary.

The following command selects for encryption all files in the current directory owned by the user whose UIC is [FLYNN] that match the wildcard file specification of *.COM.


 
$ ENCRYPT /BY_OWNER=[FLYNN] *.COM FRANCISSCOTT 
 

3.2.4.4 /CONFIRM Qualifier

By default, all input files specified on the command line are processed without confirming that those files are selected for encryption. Use the /CONFIRM qualifier if you want a prompt with the name of each file selected for encryption. Your response determines whether or not a particular file is encrypted, as follows:
  Response            Meaning
  YES                 Encrypt the file.
  NO or [Return]      Do not encrypt the file. This is the default.
  QUIT or [Ctrl/Z]    Do not encrypt the file or any subsequent files.
  ALL                 Encrypt the file and all subsequent files.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM. Because the /CONFIRM qualifier is specified, the user is prompted on a file-by-file basis to confirm that each file is to be encrypted. Because the prompt is answered in the affirmative for the file MOVE.COM;3, the output file MOVE.COM;4 is created.


 
$ ENCRYPT /CONFIRM *.COM FRANCISSCOTT 
Encrypt DISK2:[FLYNN]MOVE.COM;3 ? [N] YES 
 

3.2.4.5 /EXCLUDE Qualifier

Use the /EXCLUDE qualifier to exclude one or more files from an encryption operation. If a file matches the file specification provided with the /EXCLUDE qualifier, the file will not be encrypted. The /EXCLUDE qualifier has the format:

/EXCLUDE=(file-spec[,...])

where

file-spec is the name of the file to remain unencrypted.

Wildcard characters are allowed in the file specification. There is no default for the file specification. Because directory files are never encrypted, you need not specify them with the /EXCLUDE qualifier. However, if you do specify /EXCLUDE=*.DIR, you will not get the warning message %ENCRYPT-W-FILNODIR, file encryption of directories is not supported, filename.dir.

The following command selects for encryption all files in the current directory that match the wildcard file specification of *.COM, except LOGIN.COM, which is specified with /EXCLUDE.


 
$ ENCRYPT /EXCLUDE=LOGIN.COM *.COM FRANCISSCOTT 
 

3.2.4.6 /EXPIRED Qualifier

The /EXPIRED qualifier selects files for encryption according to the dates on which they expire. (The expiration date is set with the SET FILE /EXPIRATION_DATE command.) This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier has the format:

/EXPIRED /BEFORE[=time]

or

/EXPIRED /SINCE[=time]

where time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that expire after 00:00:00 15-APR-2001.


 
$ ENCRYPT /EXPIRED /SINCE=15-APR-2001 *.COM FRANCISSCOTT 
 

Do not use the /EXPIRED qualifier with either the /BACKUP or the /MODIFIED qualifier.

3.2.4.7 /MODIFIED Qualifier

The /MODIFIED qualifier selects files for encryption according to the dates on which they were last modified. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier has the format:

/MODIFIED /BEFORE[=time]

or

/MODIFIED /SINCE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were modified after 00:00:00 15-APR-2001.


 
$ ENCRYPT /MODIFIED /SINCE=15-APR-2001 *.COM FRANCISSCOTT 
 

Do not use the /MODIFIED qualifier with either the /BACKUP or the /EXPIRED qualifier.

3.2.4.8 /SINCE Qualifier

The /SINCE qualifier selects for encryption files that have a creation date after the time specified with the qualifier. The /SINCE qualifier has the format:

/SINCE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were created after 00:00:00 15-APR-2001.


 
$ ENCRYPT /SINCE=15-APR-2001 *.COM FRANCISSCOTT 
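
To reason about which files a combination of the selection qualifiers in Section 3.2.4 picks before the real command runs, the following Python models those rules over a constructed file list: the date that /BACKUP, /EXPIRED and /MODIFIED switch the comparison to (creation date when none is given), /BEFORE and /SINCE with TODAY at 00:00:00 as the default time, and /EXCLUDE patterns. It is an added example, not code from the product or this manual. The VmsFile record, the inclusive reading of /SINCE (on or after the time), and the decision to skip a file that has no backup or expiration date recorded are assumptions of this example.

```python
"""Added example (not product code): the ENCRYPT file-selection rules of
Section 3.2.4 modelled over a constructed file list."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, time
from fnmatch import fnmatchcase


@dataclass
class VmsFile:
    """Constructed stand-in for a file header; None means the date is not set."""
    name: str                   # e.g. "MOVE.COM;3"
    created: datetime
    modified: datetime
    backup: datetime | None     # date of the most recent backup
    expires: datetime | None    # set with SET FILE /EXPIRATION_DATE


# Which file date each selection qualifier compares against.
DATE_FIELD = {"creation": "created", "backup": "backup",
              "expired": "expires", "modified": "modified"}


def _vms_match(name: str, pattern: str) -> bool:
    """Case-insensitive match against a VMS wildcard pattern ('*' matches any
    run, '%' one character). A pattern with no version part, such as the
    LOGIN.COM in /EXCLUDE=LOGIN.COM, matches every version of that file."""
    name, pattern = name.upper(), pattern.upper()
    if ";" not in pattern:
        name = name.split(";")[0]
    return fnmatchcase(name, pattern.replace("%", "?"))


def select_files(files, pattern, *, before=None, since=None,
                 by="creation", exclude=(), today=None):
    """Return the names ENCRYPT would select, in input order.

    before / since: None when the qualifier is absent, the string "TODAY"
    when it is given without a value, or a datetime.
    by: the date used for the comparison: "creation" (no qualifier), or
    "backup", "expired", "modified" for /BACKUP, /EXPIRED, /MODIFIED. One
    parameter, so these three can never be combined, as the page requires.
    today: the reference for TODAY; defaults to the current day at 00:00:00.
    """
    if by != "creation" and before is None and since is None:
        raise ValueError(f"/{by.upper()} is meaningful only with /BEFORE or /SINCE")
    midnight = today or datetime.combine(date.today(), time.min)
    before = midnight if before == "TODAY" else before
    since = midnight if since == "TODAY" else since
    field = DATE_FIELD[by]
    chosen = []
    for f in files:
        if not _vms_match(f.name, pattern):
            continue
        if any(_vms_match(f.name, x) for x in exclude):
            continue
        stamp = getattr(f, field)
        if (before or since) and stamp is None:
            continue  # ASSUMPTION: a file with no such date is never selected
        if before is not None and not stamp < before:
            continue
        if since is not None and not stamp >= since:   # ASSUMPTION: inclusive
            continue
        chosen.append(f.name)
    return chosen


# Constructed sample directory (not real files).
T = datetime
FILES = [
    VmsFile("LOGIN.COM;5", T(2001, 1, 10), T(2001, 3, 1), T(2001, 2, 1), None),
    VmsFile("MOVE.COM;3", T(2001, 4, 20), T(2001, 4, 20), None, T(2001, 6, 1)),
    VmsFile("NEWS.DAT;2", T(2001, 4, 1), T(2001, 4, 1), T(2001, 4, 10), None),
    VmsFile("OLD.COM;1", T(2000, 12, 1), T(2001, 1, 5), T(2001, 1, 6), T(2001, 2, 1)),
]
CUTOFF = T(2001, 4, 15)   # the 15-APR-2001 used in the examples above

if __name__ == "__main__":
    # Mirrors "$ ENCRYPT /MODIFIED /SINCE=15-APR-2001 *.COM FRANCISSCOTT"
    print(select_files(FILES, "*.COM", by="modified", since=CUTOFF))
```

Passing the date attribute as a single parameter is what makes the rule "do not use /BACKUP with /EXPIRED or /MODIFIED" hold by construction; the only remaining error case is a date attribute given without /BEFORE or /SINCE, which the model rejects rather than silently selecting everything.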
 

