Previous | Contents | Index |
By default, information about the decryption operation is not displayed on SYS$COMMAND. To display this information, use the /SHOW qualifier. The /SHOW qualifier has the format:
/SHOW=keyword
or
/SHOW=(keyword-list)
Specify one or more of the following keywords:
Use the FILES keyword to display the input and output file specifications as decryption proceeds. For example, /SHOW=FILES in the following command specifies that each input and output file specification be displayed as it is decrypted.
$ DECRYPT /SHOW=FILES *.COM FRANCISSCOTT %ENCRYPT-S-DECRYPTED, DISK2:[FLYNN]MOVE.COM.3 decrypted to DISK2:[FLYNN]MOVE.COM;4 (8 blocks) . . . |
Use the STATISTICS keyword to display encryption stream statistics after the completion of each file decryption operation. The statistics displayed are:
Bytes processed
Internal records processed
CPU time consumed within the encryption algorithm
The following command specifies that the decryption stream statistics be displayed on SYS$COMMAND.
$ DECRYPT /SHOW=STATISTICS *.COM FRANCISSCOTT %ENCRYPT-S-STATISTICS, encryption stream statistics: Total Records: 65 Total Bytes: 4083 Total Time: 00:00:00:01.63 . . . |
You can use the DECRYPT command to specify multiple input files by using wildcard characters in the input file specification. The command also provides the following qualifiers for selecting files:
The following sections describe these qualifiers.
3.5.4.1 /BACKUP Qualifier
The /BACKUP qualifier selects files for decryption according to the date of their most recent backup. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier has the format:
/BACKUP /BEFORE[=time]
/BACKUP /SINCE[=time]
where
time is an OpenVMS time.
For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that had backup copies made before 00:00:00 15-APR-2001.
$ DECRYPT /BACKUP /BEFORE=15-APR-2001 *.COM FRANCISSCOTT |
Do not use the /BACKUP qualifier with either the /EXPIRED or the
/MODIFIED qualifier.
3.5.4.2 /BEFORE Qualifier
The /BEFORE qualifier selects files for decryption that have a creation date before the time specified with the qualifier. The /BEFORE qualifier has the format:
/BEFORE[=time]
where
time is an OpenVMS time.
For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that were created before 00:00:00 15-APR-2001.
$ DECRYPT /BEFORE=15-APR-2001 *.COM FRANCISSCOTT |
Use the /BY_OWNER qualifier to select files for decryption that have a particular owner User Identification Code (UIC). If no UIC is specified with the qualifier, the UIC of the current process is used. The /BY_OWNER qualifier has the format:
/BY_OWNER=uic
where
uic is the UIC of the owner of the file.
For more information on UIC format, see the OpenVMS DCL Dictionary. The following command selects for decryption all files in the current directory owned by the user whose UIC is [FLYNN] that match the wildcard file specification of *.COM.
$ DECRYPT /BY_OWNER=[FLYNN] *.COM FRANCISSCOTT |
By default, all input files specified on the command line are processed without confirming that each file is selected for decryption. Use the /CONFIRM qualifier if you want a prompt with the name of each file selected for decryption. Your response controls whether or not a particular file is decrypted.
You can choose any of the following responses:
Response | Meaning |
---|---|
YES | Decrypt the file. |
NO or [Return] | Do not decrypt the file. This is the default. |
QUIT or [Ctrl/Z] | Do not decrypt the file or any subsequent files. |
ALL | Decrypt the file and all subsequent files. |
The following command selects all files in the current directory matching the wildcard file specification of *.COM for decryption. Because the /CONFIRM qualifier is specified, the user is prompted on a file-by-file basis to confirm that each file is to be decrypted. Because the prompt is answered in the affirmative for the file MOVE.COM;3, the output file MOVE.COM;4 is created.
$ DECRYPT /CONFIRM *.COM FRANCISSCOTT Decrypt DISK2:[FLYNN]MOVE.COM;3 ? [N] YES |
Use the /EXCLUDE qualifier to exclude one or more files from a decryption operation. If a file matches the file specification provided with the qualifier, the file is not decrypted. The /EXCLUDE qualifier has the format:
/EXCLUDE=(file-spec[,...])
where
file-spec is the file specification of the file to remain encrypted.
When specifying only one file, you can omit the parentheses. Wildcard characters are allowed in the file specification. With the /EXCLUDE qualifier, there is no default for the file specification.
Since directory files are never encrypted, you need not specify them with the /EXCLUDE qualifier. However, if you do specify /EXCLUDE=*.DIR , you will not get the warning message %ENCRYPT-W-FILNODIR, file encryption of directories is not supported, filename.dir .
The following command selects for decryption all files in the current directory that match the wildcard file specification of *.COM, except LOGIN.COM, which is specified with /EXCLUDE.
$ DECRYPT /EXCLUDE=LOGIN.COM *.COM FRANCISSCOTT |
The /EXPIRED qualifier selects files for decryption according to the dates on which they expire. (The expiration date is set with the SET FILE/EXPIRATION_DATE command.) This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier has the format:
/EXPIRED /BEFORE[=time] /EXPIRED /SINCE[=time]
where
time is an OpenVMS time.
For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that expire after 00:00:00 15-APR-2001.
$ DECRYPT /EXPIRED /SINCE=15-APR-2001 *.COM FRANCISSCOTT |
Do not use the /EXPIRED qualifier with either the /BACKUP or the
/MODIFIED qualifier.
3.5.4.7 /MODIFIED Qualifier
The /MODIFIED qualifier selects files for decryption according to the dates on which they were last modified. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier has the format:
/MODIFIED /BEFORE[=time] /MODIFIED /SINCE[=time]
where
time is an OpenVMS time.
For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that were modified after 00:00:00 15-APR-2001.
$ DECRYPT /MODIFIED /SINCE=15-APR-2001 *.COM FRANCISSCOTT |
Do not use the /MODIFIED qualifier with either the /BACKUP or the
/EXPIRE qualifier.
3.5.4.8 /SINCE Qualifier
The /SINCE qualifier selects files for decryption that have a creation date after the time specified with the qualifier. The /SINCE qualifier has the format:
/SINCE[=time]
where
time is an OpenVMS time.
For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that were created after 00:00:00 15-APR-2001.
$ DECRYPT /SINCE=15-APR-2001 *.COM FRANCISSCOTT |
By default, the input file is retained after a file is decrypted and written to the resulting output file. To save space, after you have decrypted a file, you may want to remove the encrypted file from your disk.
You can use the DCL DELETE command with the /ERASE qualifier to remove
the contents of the file from the disk, or you can use the /DELETE and
/ERASE qualifiers with the DECRYPT command.
3.5.5.1 /DELETE Qualifier
The /DELETE qualifier deletes the input file after the decryption operation completes and the output file is written and closed. If you have multiple versions of the input file, they are not all deleted. /DELETE acts on only the version of the input file that you encrypted.
The following command specifies that the SAVEDMAIL.MAI file be decrypted using the TWENTYFIVECENTS encryption key. Because the /DELETE qualifier is specified, the input file is deleted after the output file is written.
$ DECRYPT /DELETE SAVEDMAIL.MAI TWENTYFIVECENTS |
To prevent disk scavenging, use the /ERASE qualifier with the /DELETE qualifier. For example, the following command decrypts the SAVEDMAIL.MAI file using the TWENTYFIVECENTS encryption key, erases the input file with the data security pattern, and deletes the file.
$ DECRYPT /DELETE /ERASE SAVEDMAIL.MAI TWENTYFIVECENTS |
With the following command, the SAVEDMAIL.MAI file is decrypted using the TWENTYFIVECENTS encryption key, but the input file is not erased with the data security pattern before being deleted.
$ DECRYPT /DELETE /NOERASE SAVEDMAIL.MAI TWENTYFIVECENTS |
The algorithm qualifier you use to encrypt determines the correct decryption procedure:
The /KEY_ALGORITHM qualifier has the format:
/KEY_ALGORITHM=algorithm
where
algorithm is one of the following values:
For example, if SAVEDMAIL.MAI is encrypted with /KEY_ALGORITHM=DESCFB, decrypt the file with the same /KEY_ALGORITHM=DESCFB qualifier, as follows:
$ ENCRYPT /KEY_ALGORITHM=DESCFB SAVEDMAIL.MAI TWENTYFIVECENTS $ DECRYPT /KEY_ALGORITHM=DESCFB SAVEDMAIL.MAI TWENTYFIVECENTS |
The OpenVMS BACKUP utility provides protection against file or volume corruption by creating functionally equivalent backup copies. Files created by BACKUP are called save sets and are written in BACKUP format so that only BACKUP can interpret the data in a save set. See the OpenVMS System Management Utilities Reference Manual for more information on the BACKUP utility. When you create save sets, you can also encrypt them by using the BACKUP /ENCRYPT command.
Standalone BACKUP, which is a version of the BACKUP utility that runs without the support of the OpenVMS operating system, does not support the /ENCRYPT qualifier. |
BACKUP /ENCRYPT requires a key. All the files in the save set are encrypted under the same key. When you use the /ENCRYPT qualifier to specify a write operation for an encrypted save set, the BACKUP utility creates a key by generating a 16-byte random number from the time of day and other transient data. To make this random number even more random, BACKUP encrypts this 16-byte value once using itself as a key with the DESCBC algorithm. The first eight bytes of the result are used as the encrypting key for the save set, and the second eight bytes are used as the initialization vector for the context area.
One benefit of this procedure is that two save sets created with the same command from the same set of files are not identical in their encrypted form.
You can override the system-generated encrypting key and initialization vector by issuing either of the following commands:
For greater security, specify the /ENCRYPT qualifier with no parameters. The software prompts you for a key value. When you enter it, the software does not echo what you type and, for verification, prompts you to retype the value.
If you define a key with the ENCRYPT /CREATE_KEY command, specify that key name on the BACKUP command line with the /ENCRYPT=(NAME=key-name) qualifier.
By default, BACKUP encrypts save set data using the DESCBC algorithm. The key and algorithm you specify to override the defaults are used to encrypt only the data key and the initialization vector.
BACKUP places the result of the encryption operation in the save set as a BACKUP attribute subrecord of the BACKUP summary record. At the time of a save set restore or listing operation, BACKUP uses the system-generated key or the key you supplied to decrypt the data key and the initialization vector value.
The BACKUP command qualifier /SAVE_SET is both an input save set qualifier and an output save set qualifier, as follows:
The following example creates an encrypted BACKUP file of the default directory, as follows:
$ ENCRYPT /CREATE_KEY SANFRANCISCO "A city set on a hill cannot be hid" $ BACKUP /ENCRYPT=(NAME=SANFRANCISCO) * MKA600:28JULSAVE.BCK /SAVE_SET |
The following example creates a save set of the latest version of all the files on a disk. The save set is encrypted using the DESCFB algorithm and the key value Make peace .
$ BACKUP /ENCRYPT=(VALUE="Make peace",ALGORITHM=DESCFB) *.* 28JULSAVE /SAVE_SET |
When you encrypt a save set, BACKUP does not store the information within the save set. Consequently, to decrypt an encrypted save set, specify /ENCRYPT with the RESTORE command so that BACKUP searches for the data encryption control record.
If you restore an unencrypted save set and mistakenly specify /ENCRYPT, BACKUP ignores the incorrect qualifier. If you try to restore an encrypted saveset without the /ENCYRPT qualifier or with a key name, you get the error message:
%BACKUP-F-ENCSAVSET, save set is encrypted, /ENCRYPT must be specified |
The following commands restore file SALARY.DAT from a save set created with a BACKUP /ENCRYPT command:
$ ENCRYPT /CREATE_KEY CASTERBRIDGE "And all her shining keys" $ BACKUP /ENCRYPT=(NAME=CASTERBRIDGE) _$ From: MKA600:28JULSAVE.BCK /SELECT=SALARY.DAT _$ To: SALARY28J.DAT |
BACKUP tries to decrypt an encrypted save set by:
%BACKUP-F-ENCKEYMAT, the supplied decryption key does not yield a readable save set |
BACKUP /ENCRYPT can create a distribution disc that is useful only to a customer who has the key used to encrypt the save sets in the distribution kit.
In the following example, three keys are defined with ENCRYPT /CREATE_KEY commands. With each of these keys, a software distribution disc is created with each product encrypted into its respective save set under a unique key.
$ ENCRYPT /CREATE_KEY SDXKEY "SDX V9.0 kit 99804034671838302" $ BACKUP /ENCRYPT=(NAME=SDXKEY) /REWIND - _From: MASTER:[SDXKIT]*.* MKA600:SDXKIT /SAVE_SET $ ENCRYPT /CREATE_KEY RQPKEY "RQP V4.5 kit FWTEBCJDITROEMMKAZXRYTC" $ BACKUP /ENCRYPT=(NAME=RQPKEY) - _From: MASTER:[RQPKIT]*.* MKA600:RQPKIT /SAVE_SET $ ENCRYPT /CREATE_KEY WOLKEY "WOL V2.0 kit 28374UEJDTLHGD84JF849SK95KD0" $ BACKUP /ENCRYPT=(NAME=WOLKEY) - _From: MASTER:[WOLKIT]*.* MKA600:WOLKIT /SAVE_SET |
The resulting save sets can be restored on a customer's system only if the customer has received the appropriate key by licensing arrangement.
For example, the following commands restore save set WOLKIT:
$ ENCRYPT /CREATE_KEY WOLKEY "WOL V2.0 kit 28374UEJDTLHGD84JF849SK95KD0" $ BACKUP /ENCRYPT=(NAME=WOLKEY) MKA600:WOLKIT /SAVE_SET SYSTEM:[RQPKIT]*.* |
In the following example, the save set SDXKIT is restored without typing the key name and key value on the command line. Instead, the BACKUP /ENCRYPT command prompts for this information, which is not echoed on your screen.
$ BACKUP /ENCRYPT /REWIND MKA600:SDXKIT /SAVE_SET SYSTEM:[SDXKIT]*.* Enter Key Value: (input not echoed) Verify: (input not echoed) |
Previous | Next | Contents | Index |