Encrypting Files
| | |
| ||
| ||
After you define a key with the ENCRYPT /CREATE_KEY command, use this key to encrypt files. Enter the ENCRYPT command. In addition to the key, specify a plaintext file. The syntax of the ENCRYPT command is as follows:
ENCRYPT file-spec key-name [ qualifiers ]
where
| file-spec | is the plaintext input file specification. |
| key-name | is the name of the key. |
| qualifiers | are options that control the encryption process or the selection of files you want to encrypt. |
The following example shows how to define the key and to encrypt a testfile.txt file with the defined key using AES and DES algorithms:
|
|
|
If an AES key is required, the /DATA_ALGORITHM and /KEY_ALGORITHM have to be specified with an AES algorithm.
By default, encryption uses the DESCBC data algorithm, if the /DATA_ALGORITHM qualifier is not specified.
By default, encryption uses the DESCBC key algorithm, if the /KEY_ALGORITHM qualifier is not specified.
For the plaintext file specified on the ENCRYPT command line, use a file that resides on disk and that is not a directory file.
To specify multiple input files, use wildcard characters in the file specification. To control file selection, specify the appropriate ENCRYPT command qualifiers. Do not use wildcard characters to specify directory files or files containing bad blocks.
The result of the encryption operation is a ciphertext file. One ciphertext file is created for each input file that is encrypted.
By default, the ENCRYPT command writes each ciphertext file to a separate output file with the same name except that it has a version number one higher than that of the current input file.
To specify an alternate output file specification, use the /OUTPUT qualifier. Specify only the file specification parts that you want to change from the defaults. For example, the following command encrypts all the files in the current directory that match the wildcard file specification *.COM. The /OUTPUT qualifier specifies that any output files created have a file type of .ENC. FRANCISSCOTT is the key used to encrypt the files.
|
|
|
Do not specify a file that already exists. For example, you cannot name the output file NEWS.DAT;2 if NEWS.DAT;2 already exists. However, specifying NEWS.DAT as both the input and output files is valid.
By default, information about the encryption operation is not displayed. To display information about file encryption operations on SYS$COMMAND, use the /SHOW qualifier. The /SHOW qualifier has the format:
/SHOW=keyword
or
/SHOW=keyword-list
Specify one or more of the following keywords:
FILES
STATISTICS
The FILES keyword displays the file specifications of the input and output files. For example, /SHOW=FILES in the following command specifies that each input and output file specification be displayed as it is encrypted.
|
|
|
Use the STATISTICS keyword to display encryption stream statistics after the completion of each file operation. The statistics displayed are:
Bytes processed
Internal records processed
CPU time consumed within the encryption algorithm
The following command specifies that encryption stream statistics be displayed on SYS$COMMAND.
|
|
|
To specify multiple input files, use the ENCRYPT command with wildcard characters in the input file specification.
The following ENCRYPT command qualifiers can help you select files:
/BACKUP
/BEFORE
/BY_OWNER
/CONFIRM
/EXCLUDE
/EXPIRED
/MODIFIED
/SINCE
The /BACKUP qualifier selects files for encryption according to the date of their most recent backup. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier has the format:
/BACKUP /BEFORE[=time]
or
/BACKUP /SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that had backup copies made before 00:00:00 15-APR-2009.
|
|
|
Do not use the /BACKUP qualifier with either the /EXPIRED or the /MODIFIED qualifier.
The /BEFORE qualifier selects files for encryption that have a creation time before the time specified with the qualifier. The /BEFORE qualifier has the format:
/BEFORE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were created before 00:00:00 15-APR-2009.
|
|
|
The /BY_OWNER qualifier allows you to select files for encryption that have a particular owner User Identification Code (UIC). If no UIC is specified with the qualifier, the UIC of the current process is used. The /BY_OWNER qualifier has the format:
/BY_OWNER=uic
where
uic is the UIC of the owner of the file.
The following command selects for encryption all files in the current directory owned by the user whose UIC is [FLYNN] that match the wildcard file specification of *.COM.
|
|
|
By default, all input files specified on the command line are processed without confirming that those files are selected for encryption. Use the /CONFIRM qualifier if you want a prompt with the name of each file selected for encryption. Your response determines whether or not a particular file is encrypted, as follows:
| Response | Meaning |
|---|---|
| YES | Encrypt the file. |
| NO or RETURN | Do not encrypt the file. This is the default. |
| QUIT or CTRL/Z | Do not encrypt the file or any subsequent files. |
| ALL | Encrypt the file and all subsequent files. |
The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM. Because the /CONFIRM qualifier is specified, the user is prompted on a file-by-file basis to confirm that each file is to be encrypted. Because the prompt is answered in the affirmative for the file MOVE.COM;3, the output file MOVE.COM;4 is created.
|
|
|
Use the /EXCLUDE qualifier to exclude one or more files from an encryption operation. If a file matches the file specification provided with the /EXCLUDE qualifier, the file will not be encrypted. The /EXCLUDE qualifier has the format:
/EXCLUDE=(file-spec[,...])
where
file-spec is the name of the file to remain unencrypted.
Wildcard characters are allowed in the file specification. There is no default for the file specification. Because directory files are never encrypted, you need not specify them with the /EXCLUDE qualifier. However, if you do specify /EXCLUDE=*.DIR, you will not get the warning message %ENCRYPT-W-FILNODIR, file encryption of directories is not supported, filename.dir.
The following command selects for encryption all files in the current directory that match the wildcard file specification of *.COM, except LOGIN.COM, which is specified with /EXCLUDE.
|
|
|
The /EXPIRED qualifier selects files for encryption according to the dates on which they expire. (The expiration date is set with the SET FILE /EXPIRATION_DATE command.) This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier has the format:
/EXPIRED /BEFORE[=time]
or
/EXPIRED /SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that expire after 00:00:00 15-APR-2009.
|
|
|
Do not use the /EXPIRED qualifier with either the /BACKUP or the /MODIFIED qualifier.
The /MODIFIED qualifier selects files for encryption according to the dates on which they were last modified. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier has the format:
/MODIFIED /BEFORE[=time]
or
/MODIFIED /SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were modified after 00:00:00 15-APR-2009.
|
|
|
Do not use the /MODIFIED qualifier with either the /BACKUP or the /EXPIRED qualifier.
The /SINCE qualifier selects for encryption files that have a creation date after the time specified with the qualifier. The /SINCE qualifier has the format:
/SINCE[=time]
where
time is an OpenVMS time.
If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.
The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were created after 00:00:00 15-APR-2009.
|
|
|
By default, when the ENCRYPT software encrypts an input file and writes the resulting output file, the input file is retained. However, do not encrypt a file and then leave the plaintext file online if you are concerned about the security of the file.
You can use the DCL DELETE command with the /ERASE qualifier to remove the contents of the plaintext file from the disk, or you can use the following qualifiers with the ENCRYPT command:
/DELETE
/ERASE
The /DELETE qualifier deletes the input file after the encryption operation completes and the output file is written and closed. If you have multiple versions of the input file, they are not all deleted. /DELETE acts on only the version of the input file that you encrypted.
To delete the unencrypted input file from the disk, use the /DELETE qualifier. The following command specifies that the SAVEDMAIL.MAI file be encrypted using the TWENTYFIVECENTS encryption key. Because the /DELETE qualifier is specified, the input file is deleted after the encrypted output file is written.
|
|
|
| |
| |
| |
 | NOTE: There may be scenarios when the ENCRYPT/COMPRESS command executes without error, but decryption fails. This can be catastrophic if the /DELETE qualifier is used, deleting the original BACKUP save-set file during the encrypt operation. Therefore, it is recommended not to use /DELETE qualifier along with the /COMPRESS qualifier. |
| |
| |
| |
When you delete or purge a file, the file's header record is destroyed so that the file can no longer be accessed by normal means. The information in the file, however, stays on the disk until it is overwritten. Disk scavenging is a technique used to obtain such file data from a disk. To thwart disk scavenging, use the /ERASE qualifier with the /DELETE qualifier. When you specify /ERASE, the OpenVMS operating system overwrites the location in which the input file was stored with the data security pattern. The data no longer exists.
The following command specifies that after SAVEDMAIL.MAI is encrypted, the input file is erased with the data security pattern before being deleted.
|
|
|
Files are encrypted using a randomly generated data key. One benefit of this procedure is that two files identical in plaintext form and encrypted with the same command are not identical in their encrypted form.
The Encryption for OpenVMS implementation of DES uses the following modes of the DES algorithm:
Cipher Block Chaining (DESCBC)
Electronic Code Book (DESECB)
Cipher Feedback (DESCFB)
These modes perform the encryption operation differently, as follows:
DESCBC (default)
Input is taken in 8-byte blocks.
DESCBC performs an exclusive OR operation (XOR) on each block. (An XOR is a bit-by-bit modulo-2 addition without carrying. For example, the result of performing an XOR on the binary numbers 001 and 111 is 110.)
The first XOR operation is performed on the first block of input and the initialization vector. (An initialization vector is used to start the chaining of data because there is no ciphertext to affect the encryption of the first block of data.)
The resulting block is encrypted.
The next XOR operation is performed on the resulting block of ciphertext and the next block of plaintext, and so on.
If fewer than 8 bytes are left for the last iteration, the block is padded with bytes of arbitrary value.
Each block of 8 bytes is encrypted under the same key value.
The DESCBC algorithm is used to encrypt the data key and the initialization vector. The encrypted key and initialization vector are stored with the encrypted file. The DESCBC algorithm is also used by default to encrypt the file data.
DESECB
Input is taken in 8-byte blocks.
If the input consists of less than 8 bytes, it is padded with nulls.
Each block is processed under the DES algorithm with the same key.
The result is an 8-byte block of output that is independent of all other blocks of output.
DESCFB
Input is taken as a series of 1-byte quantities.
They are shifted to the left and concatenated with the results of previous iterations.
DESCFB uses an initialization vector in the first iteration.
Only the exact number of bytes specified in the input are used.
The output byte count equals the input byte count (no padding).
AES algorithm uses the following modes:
Cipher block chaining:
AESCBC128 (default)
AESCBC192
AESCBC256
Electronic code book:
AESECB128
AESECB192
AESECB256
Cipher feedback:
AESCFB128
AESCFB192
AESCFB256
Output feedback:
AESOFB128
AESOFB192
AESOFB256
For details about the advantages of each mode, see one of the numerous texts available on this subject.
You can choose an encryption algorithm for encrypting either the data key or the file data. Figure 9-1 illustrates the relationship of encryption keys and algorithms. The figure shows that:
To encrypt the key — use the /KEY_ALGORITHM or /KEY_ALGORITHM=AESmmmkkk qualifier to specify an algorithm other than the default DESCBC or AESCBC128 algorithms.
To encrypt the file — use the /DATA_ALGORITHM or /DATA_ALGORITHM=AESmmmkkk qualifier to specify an algorithm other than the default DESCBC or AESCBC128 algorithms.
Here, mmm indicates the mode CBC, ECB, CFB, or OFB; and kkk indicates 128, 192, or 256 bits.
The qualifier you use affects the decryption procedure:
If you use the /DATA_ALGORITHM qualifier to encrypt, you do NOT need to specify this algorithm when you decrypt.
If you use the /KEY_ALGORITHM qualifier to encrypt, you DO need to specify this algorithm when you decrypt.
To specify an algorithm other than the default, to encrypt the key and initialization vector, use the /KEY_ALGORITHM qualifier. This qualifier has the format:
/KEY_ALGORITHM={DESCBC (default)|AESmmmkkk
For example, the following command uses the DESCFB algorithm with the TWENTYFIVECENTS key to protect the data key and the initialization vector.
|
|
|
You can use /KEY_ALGORITHM=AES as a shortcut for specifying AESCBC128. For example:
|
|
|
To specify an algorithm for encrypting files other than the default, use the /DATA_ALGORITHM qualifier. This qualifier has the format:
/DATA_ALGORITHM={DESCBC (default)|AESmmmkkk
For example, the following command encrypts the SAVEDMAIL.MAI file using the Cipher Feedback mode of the DES algorithm (DESCFB).
|
|
|
If you use the default value of DESCBC for the /DATA_ALGORITHM qualifier when encrypting a file, this qualifier is optional for decrypting the file.
You can use /DATA_ALGORITHM=AES as a shortcut for specifying AESCBC128. For example:
|
|
|
To select an algorithm other than the DESCBC default when encrypting files, Encrypt accepts the data and key algorithm qualifiers with the DCL ENCRYPT command and the key algorithm qualifier with the DECRYPT command.
When encrypting files with AES, specify both /DATA_ ALGORITHM=AESmmmkkk and /KEY_ALGORITHM=AESmmmkkk:
mmm defines the AES mode: ECB, CBC, CFB, or OFB
kkk defines the key size: 128, 192, or 256 bits (for 16-, 24- or 32-byte keys)
The key must match the key algorithm. An AES key must be used with an AES key algorithm, and a DES key must be used with the DES key algorithm. The data algorithm defaults to DES if the /DATA_ ALGORITHM=AESmmmkkk is not specified for the ENCRYPT command. When using DES keys and KEY_ALGORITHM=DES, the data is protected with a strong algorithm, but the key is not.
| |
| |
| |
| NOTE: The capability of mixing AES with DES keys and data algorithms is disabled and any attempt to mix the algorithms results in an ENCRYPT$_AESMIXDES error condition. |
| |
| |
| |
When decrypting files with AES, specify only the /KEY_ ALGORITHM=AESmmmkkk qualifier. The reason for this is that the key algorithm is used to decrypt the random-key record that contains the random key, which is then used to decrypt the data records of the file. Specifying the data algorithm is not necessary and it gives an unrecognized-qualifier error message.
| ||||
| | |||
| ||||
| NOTE: For an encrypt operation, if the /DATA_ALGORITHM=AES is specified
without the /KEY_ALGORITHM, an error occurs. The default algorithm
DESCBC is used to encrypt the random key record that contains the
random key and file information. However, the user key must match
the KEY algorithm; if not, an error occurs. For example, consider
that the key-name is an AES key name and value. When the key is fetched
from the logical name table and then is decrypted with the DES master
key, the key decrypts garbage, and the operation fails with the following
error message:
| |||
| ||||
| | |||
| ||||
To reduce the size of the plaintext file before encrypting it, use the /COMPRESS qualifier. Data compression can save media space when physically transporting encrypted files and can save time when electronically transporting encrypted files across a network.
Compression efficiency depends on the structure of the data in your file. Evaluate a performance tradeoff when deciding whether or not to use this qualifier. Decryption is generally faster on a compressed file, but encryption takes longer. You might choose to use the /COMPRESS qualifier when the following conditions apply:
The file will be decrypted many times.
The file is at least 200 disk blocks in size.
The following command compresses the SAVEDMAIL.MAI file before encrypting it.
| |
| |
| |
| NOTE: If you use the /COMPRESS qualifier when encrypting a file, you need not specify this qualifier when decrypting the file. If necessary, the file is automatically decompressed when it is decrypted. |
| |
| |
| |
|
|
|
| |
| |
| |
| NOTE: Do not use /DELETE qualifier with /COMPRESS because there may be scenarios when the ENCRYPT/COMPRESS command executes without error, but decryption fails. This can be catastrophic if the /DELETE qualifier is used, deleting the original BACKUP save-set file during the encrypt operation. |
| |
| |
| |