Encryption for OpenVMS Installation and Reference Manual




ENCRYPT /CREATE_KEY

Creates a key definition to be used for encrypting files. The key is a string that represents the name under which the encryption key is stored in the key storage table.

Format

ENCRYPT /CREATE_KEY key-name key-value [qualifiers]


Parameters

key-name

Name under which the encryption key will be stored in the key storage table. Specify a character string, as follows:

Use a name that has meaning to you, to help you remember it.

Note

Key names beginning with ENCRYPT$ are reserved for Compaq.

key-value

String representing the value of the encryption key. Specify either ASCII text or a hexadecimal constant, as follows:

Qualifiers

/GROUP

Enters the key definition in the group key storage table.

/HEXADECIMAL

/NOHEXADECIMAL

Specifies that the value for the key is a hexadecimal number. Default: key values are interpreted as ASCII text characters (see the description of the key-value parameter).

/JOB

Enters the key definition in the job key storage table.

/LOG

Verifies successful creation of the key.

/PROCESS

Enters the key definition in the process key storage table.

/SYSTEM

Enters the key definition in the system key storage table.

Examples


  1.  $ ENCRYPT /CREATE_KEY HAMLET
      _ Key value: "And you yourself shall keep the key of it"

      This command defines a key named HAMLET with the character string value "And you yourself shall keep the key of it".

  2.  $ ENCRYPT /CREATE_KEY /HEXADECIMAL ARCANE 2F4A98F46BBC11D

      This example defines a key named ARCANE with hexadecimal value 2F4A98F46BBC11D.


ENCRYPT /REMOVE_KEY

Deletes a key definition from a key storage table.

Format

ENCRYPT /REMOVE_KEY key-name [qualifiers]


Parameters

key-name

Key name previously stored in the key storage table with the ENCRYPT /CREATE_KEY command.

Qualifiers

/GROUP

Deletes the key definition from the group key storage table.

/JOB

Deletes the key definition from the job key storage table.

/PROCESS

Deletes the key definition from the process key storage table.

/SYSTEM

Deletes the key definition from the system key storage table.


Appendix B
Error Messages

The Encryption for OpenVMS commands can generate error and information messages. For descriptions of these messages and possible corrective actions, see the following sections:

B.1 ENCRYPT and DECRYPT Messages

The error messages documented in this section can be produced from the following commands:

ALGONEWAY, algorithm is one-way and not suitable for file encryption,

Explanation: The specified algorithm and mode cannot be used to decrypt data. Encryption does not let you encrypt files without being able to decrypt them.
User Action: Choose a different algorithm or mode.
ALGNOTSPEC, algorithm name specification is a required parameter,

Explanation: You omitted the name of the algorithm in a call to an Encryption routine.
User Action: Specify a three-character long algorithm name.
ALGSUBNOT, algorithm submode option not supported,

Explanation: You supplied a submode parameter to an encryption primitive entry point that is not supported by the available implementation.
User Action: Verify that the contents of the algorithm control mask parameter are correct for the selected algorithm.
AUTHGEN, Authentication code generated for file: file-spec,

Explanation: A message authentication code (MAC) has been calculated for an existing file.
User Action: No action required.
AUTHMATCH, File file-spec successfully authenticated,

Explanation: The computed message authentication code (MAC) for the file matches the previously stored MAC.
User Action: No action required.
AUTHMISM, File authentication code mismatch for file: file-spec,

Explanation: The contents of the file have changed: the computed MAC does not match the one stored in the database. This may indicate file tampering.
User Action: First check the contents of the file, and then make sure that it belongs in your directory.
CONINIERR, unable to initialize the work area for the algorithm selected,

Explanation: The context and work area contain inconsistent check data and are assumed to be corrupted or incorrectly initialized.
User Action: Verify that the following took place:
CONLENERR, context area length error,

Explanation: The context and work area supplied to the encryption primitive routine was not long enough for the encryption primitive routine to operate. This error is expected only if you make direct use of the encryption primitive entry points when the ENCRYPT$ library routines attempt to allocate the correct length of the context area from free memory.
User Action: Verify that the symbol used as the size of the context area is correct for the selected algorithm and that the resulting size reflects the minimum requirements for the encryption primitive routine.
CONNOTINI, context area not yet initialized,

Explanation: The Context Block has not been initialized by either ENCRYPT$INIT or ENCRYPT$K_FNC$INIT.
User Action: Check your program to be sure that the Context Block is initialized before an encryption or decryption operation.
CONPOIINI, context area pointer is already initialized or nonzero,

Explanation: An initialize call contained a nonzero context pointer.
User Action: Verify that the proper sequence of initialize, encrypt or decrypt, and finalize calls has referenced the pointer to the context area.
CRC FAIL, CRC comparison indicates tampered or corrupted file, file-spec,

Explanation: The cyclic redundancy check (CRC) value for the original plaintext file does not match the value of the decrypted file. Although the file has been saved, changes have occurred in the ciphertext file.
User Action: Do not rely on data in this file. Attempt to recover lost or corrupted information from backups or from the owner.
CRECONTIG, unable to create file as contiguous, file-spec,

Explanation: When a file is encrypted, file attributes are preserved in the encrypted file. One of the attributes specifies whether or not the original plaintext file was contiguous. When the file is decrypted, an attempt is made to create the output file with the same attribute. If the file cannot be created contiguously, this message results and a noncontiguous file is created.
User Action: If file contiguity is important, free up sufficient space on the output disk device so that it can contain the file in contiguous disk blocks. Purge files, delete unnecessary files, or select a different output device.
DBOPEN, Cannot open database file file-spec,

Explanation: Encryption could not access the database file you specified.
User Action: Check accompanying error messages for more information.
DBUNRDBL, Database is unreadable; check for correct key,

Explanation: You specified an incorrect encryption key. Only one key may be used for each database.
User Action: Use the correct key. Specify the same key you used when you originally updated the MAC.
DECRYPTED, file decrypted as specified,

Explanation: The file was decrypted as specified.
User Action: None.
ENCRYPTED, file encrypted as specified,

Explanation: The file was encrypted as specified.
User Action: None.
FILBADBLK, file contains bad blocks, processing not attempted, file-spec,

Explanation: You tried to encrypt a file containing bad blocks.
User Action: Ensure that any wildcard file specification does not include the name of the file that triggers this error. Do not delete the file before consulting with your system manager about how to recover the contents of the file or how to remove it from your directory.
FILDISKONLY, file encryption/decryption is supported for disk files only, file-spec,

Explanation: You attempted an encryption operation on either an input or output file that does not reside on a disk device, the only devices that are supported.
User Action: Copy the files to a disk device before attempting an encryption or decryption operation.
FILNODIR, file encryption of directories is not supported, file-spec,

Explanation: You attempted a file encryption operation on a directory file. The file encryption services are intended for user files only. The encryption and decryption of directories is not supported.
User Action: Ensure that any wildcard file specification does not include directory files. If you are at DCL level, use the /EXCLUDE=.DIR qualifier in the ENCRYPT or DECRYPT commands. If you are operating at the application program interface level, filter each file specification before calling ENCRYPT$ENCRYPT_FILE.

To encrypt whole directory structures, use the BACKUP utility with the /ENCRYPT qualifier.

FILNOPPF, file encryption of a process-permanent file is not supported, file-spec,

Explanation: You attempted a file encryption operation on a process-permanent file. Process-permanent files, even though they can reside on a disk as batch or log files, are presented to a process as though they were record devices and cannot be treated as disk files.
User Action: Reconstruct the batch or command file to copy input data to a temporary disk file before encrypting or decrypting the data to a disk file; then copy it to the output log as appropriate.
FILESTRUCT, input file structure error, file-spec,

Explanation: An internal logic error occurred when data from a compressed, encrypted file was decompressed.
User Action: Contact your Compaq support representative.
FILSTRUNS, structure of encrypted file is unsupported, file-spec,

Explanation: A file encrypted with the file encryption routine contains a routine version number to track any future enhancements of the file structure. If a file created by a later version of the software is presented to an earlier version for decryption, this message results.

Encryption is upward compatible: files encrypted with the current Encryption for OpenVMS version can be decrypted using a later version. The reverse, however, is not necessarily always possible.

This error can also indicate an attempt to decrypt a file using the incorrect key.
User Action: None. The file cannot be decrypted with the current software version.

HIGHVER, creating output file for which higher versions exist, file-spec,

Explanation: When creating an output file during file encryption or decryption, you supplied an output file specification that forced the creation of a file with a version number lower than another file in the directory.
User Action: If this is not the intended action, provide a file specification that does not force a version number value with the /OUTPUT=filename qualifier.
ILLALGMOD, algorithm submode selection unknown or unsupported,

Explanation: This error indicates that you specified a submode code that the indicated algorithm does not support. This error results only if there is a parameter error in a direct call to an encryption primitive routine.
User Action: Verify that the algorithm selected makes use of the submode code supplied.
ILLALGSEL, algorithm selection unknown or unsupported,

Explanation: You supplied an algorithm code to a function that is not supported or installed on this system.
User Action: None. That algorithm may not be used in this installation.
ILLDESTYP, illegal descriptor type for specifying parameter,

Explanation: You passed a descriptor address as a parameter to the routine returning this error. The descriptor type field indicates that this descriptor type is not supported for passing of parameters.
User Action: Verify that the descriptors passed conform to the specified type requirements. It may be necessary to explicitly initialize the descriptor type field to avoid default or uninitialized values.
IMGVERNEQ, algorithm image version is no longer supported,

Explanation: An upgrade to a newer version of the software is incomplete. Former Encryption for OpenVMS images remain on your system.
User Action: Re-install the Encryption for OpenVMS software.
INCKEYDEF, incompatible key definition,

Explanation: The specified key does not meet the requirements of the specified algorithm.
User Action: Select a different key value or, if the key value has been randomly generated as part of the user application, generate another value.
INPLENERR, input length does not meet algorithm requirements,

Explanation: The input data length is not valid. The DESECB and DESCBC modes require input data that is a multiple of 8 bytes in length. The basic algorithm operates only on 64 bits of data in each pass. Ensure that the input data length is a multiple of 8 bytes.
User Action: Revise the input data length to be a multiple of 8 bytes.
INSCONSPA, insufficient context space to support this algorithm's needs,

Explanation: The ENCRYPT$INIT function attempted to allocate space from dynamic memory for a buffer to contain the encryption stream context and work area. This memory allocation failed.
User Action: Increase the process parameters to permit more virtual memory, or reconstruct your application to leave more virtual memory available for system library and encryption functions.
INSTALLIT, key translation error in Encryption for OpenVMS indicates that product installation may not be complete,

Explanation: The Encryption startup procedure SYS$STARTUP:ENCRYPT$START.COM has not executed.
User Action: Execute the startup procedure from the system manager's account.
INVARGCOU, invalid argument count for ENCRYPT$ routine,

Explanation: You did not supply enough arguments to one of the Encryption for OpenVMS library routines to initiate the indicated function.
User Action: Verify the call format and specify the correct number of arguments.
INVARGVAL, invalid argument value and/or count,

Explanation: The routine issuing this message was called with an invalid argument count or value.
User Action: Verify the callable routine sequences.
INVFLAGS, invalid options flags specified,

Explanation: Invalid option flag bits were set in the flags argument to an Encryption routine.
User Action: Correct the program to properly initialize unused bits in the flags argument longword to zero.
INVROUNDUP, invalid algorithm block buffer roundup specification,

Explanation: An internal error has occurred.
User Action: Contact your Compaq support representative.
INVWEAK_KEY, key rejected; use of weak key for file encryption is invalid,

Explanation: A weak key was specified for a file encryption operation.
User Action: Specify a different key value.
KEYBUFCKS, checksum of encrypted file key is invalid,

Explanation: The checksum of the stored random key (under which the file is actually encrypted) is incorrect following decryption using the specified decryption key. This usually means that the incorrect key has been specified.
User Action: Determine the correct key with which to decrypt the file.
KEYLENERR, key length does not meet algorithm requirements,

Explanation: The key length does not contain enough characters. The DES algorithm requires a minimum of 8 bytes for its key string. Other algorithms may have other requirements.
User Action: Redefine a key containing more characters.
KEYPARERR, key parity error,

Explanation: The DES algorithm requires that the key string extracted from key storage have odd-bit parity in each byte. In normal operating mode, the algorithm forces odd parity before using the key. Under certain conditions, the encryption primitive routine can be called directly with parameters that suppress the forcing of odd parity. In that case, if the key has incorrect parity, this error will be returned.
User Action: Revise the DES call parameter to force generation of odd parity, or reinsert the key string into key storage and indicate that odd parity is to be set.
KEYTRNERR, unable to obtain key value from key storage,

Explanation: You supplied a key name that is not found in the key storage table.
User Action: Verify that the key is defined as intended and that the name is supplied to the initialize function correctly.
KEYUNKNOW, key name unknown,

Explanation: You specified a key incorrectly.
User Action: Verify the key name (for example, check the spelling) and specify it correctly.
NEWDB, new authentication code database has been created,

Explanation: A new database is created to store binary message authentication code (MAC) values.
User Action: No action required.
NEWSECDB, New authentication security settings database has been created,

Explanation: A new security database is created to store binary message authentication code (MAC) values.
User Action: None.
NODECRYPT, decrypt operations are not permitted on this context/stream,

Explanation: Decryption is not permitted when the context has been initialized for encryption.
User Action: Reinitialize the context to permit decryption.
NOENCRYPT, encrypt operations not permitted on this context/stream,

Explanation: Encryption is not permitted when the context has been initialized for decryption.
User Action: Reinitialize the context to permit encryption.
NOENTRY, file file-spec does not appear in the authentication database,

Explanation: The file does not have an associated message authentication code (MAC) stored in the MAC database. The file is either new, renamed, or has not been associated with a MAC.

Sometimes this message is an indication of file tampering.
User Action: Determine whether the file belongs in this database.

NOKGENROU, no key generation routine is provided for this algorithm,

Explanation: The specified algorithm did not contain a random key generation routine.
User Action: Contact your Compaq support representative.
NOKTSTROU, no key filter routine is provided for this algorithm,

Explanation: The specified algorithm did not contain a key filter routine.
User Action: Contact your Compaq support representative.
NOTAUTHDB, file file-spec is not an authentication database,

Explanation: The file you specified is not a database created by the Encryption for OpenVMS software. It is not usable as an authentication database.
User Action: Use a different file specification.
NOTDEL, error prevents deletion of file file-spec,

Explanation: You specified the /DELETE qualifier when encrypting or decrypting a file, but you lack delete access to this file.
User Action: Change the file protection and delete the file using the DCL DELETE command.
NOTESTROU, no test routine is available for this algorithm,

Explanation: The specified algorithm did not contain a test routine.
User Action: Contact your Compaq support representative.
NOTHEXVAL, key value not hexadecimal constant,

Explanation: You specified a key value that is not a hexadecimal constant with ENCRYPT /CREATE_KEY /HEXADECIMAL.
User Action: Either remove the /HEXADECIMAL qualifier or ensure that the key value string is composed of digits in the range 0 to 9 and A to F.
NOTSECDB, Setting is not in security database,

Explanation: The file you specified is not a security database created by the Encryption for OpenVMS software. It is not usable as a security authentication database.
User Action: Validate that the file specification is correct. The Encryption for OpenVMS software creates the file ENCRYPT$MAC_SEC.DAT in the SYS$LOGIN directory by default.
NOTYETIMP, this function is not yet implemented,

Explanation: The call requested a function that has not been implemented.
User Action: Contact your Compaq support representative.
OUTLENERR, output length does not meet algorithm requirements,

Explanation: You did not supply an output buffer long enough to hold the output from the encryption or decryption operation. Because some algorithms increase or decrease data-byte count, check the requirements of the different algorithms.
User Action: Supply a larger output buffer.
PARSEFAIL, error parsing file-spec,

Explanation: Encryption could not locate the file you specified in an ENCRYPT or a DECRYPT command.
User Action: Check the file name that you specified. An accompanying RMS message gives additional information about the error. Re-enter the command using the correct file name.
SECAUTHGEN, Security authentication code generated for filename,

Explanation: A message authentication code (MAC) has been calculated for the specified file based on the file's security settings.
User Action: None.
SECAUTHMATCH, Security settings for filename successfully authenticated,

Explanation: The computed message authentication code (MAC) for the file matches the previously stored MAC in the security database.
User Action: None.
SECAUTHMISM, Security authentication code mismatch for file filename,

Explanation: The security settings of the file have changed: the computed message authentication code (MAC) does not match the MAC stored in the security database. This may indicate tampering with the security settings.
User Action: Perform a $ DIRECTORY/SECURITY on the file to validate that the file has the proper security settings.
SECNOENTRY, Security entry for filename does not appear in security database,

Explanation: The file does not have an associated message authentication code (MAC) stored in the security database. The file is either new, renamed, or has not been associated with a MAC. Sometimes this message is an indication of file tampering.
User Action: Determine whether the file belongs in this database.
SECSUMM1, Summary: Security settings authenticated: n,

Explanation: Lists the number of files whose message authentication codes (MACs) match previously stored MACs.
User Action: None.
SECSUMM2, Security settings failing authentication: n,

Explanation: Lists the number of files whose message authentication codes (MACs) do not match previously stored MACs.
User Action: None.
SECSUMM3, Security settings not in database: n,

Explanation: Lists the number of files with no associated message authentication codes (MACs).
User Action: None.
SECUPDENT, Authentication code for security settings of file filename has been updated,

Explanation: The message authentication code (MAC) based upon the security settings of the file has been updated with a new MAC in the security database.
User Action: None.
STATISTICS, encryption stream statistics,

Explanation: This message precedes the display of encryption statistics when the /SHOW qualifier has been specified with either the STATISTICS or the ALL keyword.
User Action: None. This is a success message.
SUMMARY1, Files successfully authenticated: n,

Explanation: Lists the number of files whose message authentication codes (MACs) match previously stored MACs.
User Action: No action required.
SUMMARY2, Files failing authentication: n,

Explanation: Lists the number of files whose MACs do not match previously stored MACs.
User Action: No action required.
SUMMARY3, Files not in database: n,

Explanation: Lists the number of files with no associated MACs.
User Action: No action required.
TESTFAIL, test failed. Test Number: n,

Explanation: One of the tests for the encryption primitive routine failed, indicating that the algorithm is not operating correctly.
User Action: Contact the supplier of the algorithm.
UNSFTR, Feature feature-name, written by product version version-number is not supported,

Explanation: Encryption is unable to decrypt the specified file correctly. When the severity is W, the file is decrypted, but a processing feature is omitted. When the severity is E, the file is not decrypted.
User Action: Decrypt the file on a system running the Encryption for OpenVMS version displayed in the error message. Or, upgrade to the current version of Encryption for OpenVMS.
UNSAGTFMT, algorithm dispatch table format is not supported,

Explanation: An upgrade to a newer version of Encryption for OpenVMS is incomplete. Former Encryption images remain on your system.
User Action: Re-install the Encryption for OpenVMS software.
UPDENTRY, authentication code for file file-spec has been updated,

Explanation: The message authentication code (MAC) in the database file is updated to a new MAC.
User Action: No action required.
UPDSECENT, Security authentication code for file filename has been updated,

Explanation: A new MAC, based upon the security settings of the file that was specified, has been created and stored in the security settings database.
User Action: None.
WEAK_KEY, key value is rejected by key filter as weak or incompatible,

Explanation: The specified key value is rejected as a weak key by the encryption primitive routine.
User Action: You can choose to use the weak key for encryption or you can specify a different key value.
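
The key-related conditions described under NOTHEXVAL, KEYLENERR, KEYPARERR and INVWEAK_KEY can be checked before a hexadecimal DES key is ever defined. The following is an added example, not code from Encryption for OpenVMS: the function names, the left-padding of an odd number of hex digits, the use of only the first 8 bytes, and the mapping of each condition to a message name are assumptions made for illustration.

```python
"""Constructed pre-flight check for a hexadecimal DES key value.

Illustrative only: this is not how Encryption for OpenVMS processes keys.
It applies the conditions the message explanations describe.
"""

HEX_DIGITS = set("0123456789ABCDEF")

# The four DES weak keys in odd-parity form (from the public DES literature).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(byte):
    """True when the byte contains an odd number of 1 bits."""
    return bin(byte).count("1") % 2 == 1


def force_odd_parity(key):
    """Rewrite the low-order bit of every byte so each byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 if has_odd_parity(high7) else high7 | 1)
    return bytes(out)


def check_des_hex_key(value, force_parity=True):
    """Return (status, key_bytes).

    status is "OK" or the name of the message whose explanation matches
    the problem found; key_bytes is None unless status is "OK".
    """
    digits = value.strip().upper()
    if not digits or any(c not in HEX_DIGITS for c in digits):
        return "NOTHEXVAL", None          # not composed of 0-9 and A-F
    if len(digits) % 2:
        digits = "0" + digits             # assumption: pad to whole bytes
    key = bytes.fromhex(digits)
    if len(key) < 8:
        return "KEYLENERR", None          # DES needs at least 8 bytes
    key = key[:8]                         # assumption: first 8 bytes are used
    if force_parity:
        key = force_odd_parity(key)       # normal mode: parity is forced
    elif not all(has_odd_parity(b) for b in key):
        return "KEYPARERR", None          # parity forcing suppressed
    if key in DES_WEAK_KEYS:
        return "INVWEAK_KEY", None        # weak key, rejected for file use
    return "OK", key


if __name__ == "__main__":
    # Constructed sample values, not keys from any real system.
    for sample in ("XYZ", "2F4A98", "0000000000000000", "0123456789ABCDEF"):
        status, key = check_des_hex_key(sample)
        print(sample, status, key.hex().upper() if key else "-")
```

An all-zero value shows why parity and weak-key checks interact: once odd parity is forced it becomes 0101010101010101, one of the four DES weak keys.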

