HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 9 Using Encryption

Decrypting Files

To gain access to the data in an encrypted file, decrypt the file using the DECRYPT command. Follow these steps:

  1. Specify the key that was used to encrypt the file.

    The key is identified by name, but it is the key value stored under that name that must match. Check whether you need to redefine the key with the ENCRYPT /CREATE_KEY command: for example, if the key was defined in the process key storage table and the process has since logged out, the key is no longer defined, and you must create it again with the same value.

  2. Specify the key algorithm with the /KEY_ALGORITHM qualifier if the file was not encrypted with the default key algorithm.

DECRYPT file-spec key-name [ qualifiers ]

where

file-spec   is the name of the file.
key-name    is the name of the key.
qualifiers  are options that control the decryption process or the selection of files you want to decrypt.

See the following example:

$ ENCRYPT/CREATE_KEY/AES MY_AES_KEY16 "My AES Key length>16"
$ ENCRYPT testfile.txt MY_AES_KEY16 /DATA_ALGORITHM=AESCBC128 /KEY_ALGORITHM=AESCBC128
$ DECRYPT testfile.txt MY_AES_KEY16 /KEY_ALGORITHM=AESCBC128
$!
$ ENCRYPT/CREATE_KEY/AES MY_AES_KEY24 "TEST My AES Key length>24"
$ ENCRYPT testfile.txt MY_AES_KEY24 /DATA_ALGORITHM=AESCBC192 /KEY_ALGORITHM=AESCBC192
$ DECRYPT testfile.txt MY_AES_KEY24 /KEY_ALGORITHM=AESCBC192
$!
$ ENCRYPT/CREATE_KEY/AES MY_AES_KEY32 "TEST TEST TEST My AES Key length>32"
$ ENCRYPT testfile.txt MY_AES_KEY32 /DATA_ALGORITHM=AESCBC256 /KEY_ALGORITHM=AESCBC256
$ DECRYPT testfile.txt MY_AES_KEY32 /KEY_ALGORITHM=AESCBC256
$!
$ ENCRYPT/CREATE_KEY MY_DES_KEY "This is My DES Key"
$ ENCRYPT testfile.txt MY_DES_KEY
$ DECRYPT testfile.txt MY_DES_KEY

Input File Specification

For the ciphertext file, which is the file to be decrypted, specify a file that resides on disk and that is not a directory file.

To specify multiple input files to the DECRYPT command, use wildcard characters in the file specification. To control file selection, specify the appropriate DECRYPT command qualifiers. Do not use wildcard characters to specify directory files or files containing bad blocks.

Output File Specification

The result of the decryption operation is a plaintext file. One plaintext file is created for each input file that is decrypted. By default, each plaintext file has the same file specification as its input file with a version number one higher; that is, the plaintext is written as a new version alongside the encrypted file, which is retained unless you specify /DELETE.

You can specify an alternate output file specification with the /OUTPUT qualifier. When specifying the /OUTPUT qualifier, you specify those parts of the file specification that you want to be different from the defaults. You do not need to specify an entire file specification; any fields omitted in the file specification default to the input file specification.

For example, the following DCL command selects for decryption all files in the current directory matching the wildcard file specification of *.ENC. The /OUTPUT qualifier specifies that any output files created have a file type of COM.

$ DECRYPT *.ENC/OUTPUT=.COM FRANCISSCOTT

Displaying Processing Information

By default, information about the decryption operation is not displayed on SYS$COMMAND. To display this information, use the /SHOW qualifier. The /SHOW qualifier has the format:

/SHOW=keyword

or

/SHOW=keyword-list

Specify one or more of the following keywords:

  • FILES

  • STATISTICS

FILES Keyword

Use the FILES keyword to display the input and output file specifications as decryption proceeds. For example, /SHOW=FILES in the following command specifies that each input and output file specification be displayed as it is decrypted.

$ DECRYPT /SHOW=FILES *.COM FRANCISSCOTT
%ENCRYPT-S-DECRYPTED, DISK2:[FLYNN]MOVE.COM;3 decrypted to
  DISK2:[FLYNN]MOVE.COM;4 (8 blocks)
.
.
.

STATISTICS Keyword

Use the STATISTICS keyword to display encryption stream statistics after the completion of each file decryption operation. The statistics displayed are:

  • Bytes processed

  • Internal records processed

  • CPU time consumed within the encryption algorithm

The following command specifies that the decryption stream statistics be displayed on SYS$COMMAND.

$ DECRYPT /SHOW=STATISTICS *.COM FRANCISSCOTT
%ENCRYPT-S-STATISTICS, encryption stream statistics:            
         Total Records: 65
         Total Bytes: 4083
         Total Time: 00:00:00:01.63
.        
.
.

Specifying Files to Decrypt

You can use the DECRYPT command to specify multiple input files by using wildcard characters in the input file specification. The command also provides the following qualifiers for selecting files:

  • /BACKUP

  • /BEFORE

  • /BY_OWNER

  • /CONFIRM

  • /EXCLUDE

  • /EXPIRED

  • /MODIFIED

  • /SINCE

The following sections describe these qualifiers.

/BACKUP Qualifier

The /BACKUP qualifier selects files for decryption according to the date of their most recent backup. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier has the format:

/BACKUP /BEFORE[=time]

/BACKUP /SINCE[=time]

where

time is an OpenVMS time.

If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that had backup copies made before 00:00:00 15-APR-2009.

$ DECRYPT /BACKUP /BEFORE=15-APR-2009 *.COM FRANCISSCOTT

Do not use the /BACKUP qualifier with either the /EXPIRED or the /MODIFIED qualifier.

/BEFORE Qualifier

The /BEFORE qualifier selects files for decryption that have a creation date before the time specified with the qualifier. The /BEFORE qualifier has the format:

/BEFORE[=time]

where

time is an OpenVMS time.

If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that were created before 00:00:00 15-APR-2009.

$ DECRYPT /BEFORE=15-APR-2009 *.COM FRANCISSCOTT

/BY_OWNER Qualifier

Use the /BY_OWNER qualifier to select files for decryption that have a particular owner User Identification Code (UIC). If no UIC is specified with the qualifier, the UIC of the current process is used. The /BY_OWNER qualifier has the format:

/BY_OWNER[=uic]

where

uic is the UIC of the owner of the file.

/CONFIRM Qualifier

By default, all input files specified on the command line are processed without confirming that each file is selected for decryption. Use the /CONFIRM qualifier if you want a prompt with the name of each file selected for decryption. Your response controls whether or not a particular file is decrypted.

You can choose any of the following responses:

Response         Meaning
YES              Decrypt the file.
NO or RETURN     Do not decrypt the file. This is the default.
QUIT or Ctrl/Z   Do not decrypt the file or any subsequent files.
ALL              Decrypt the file and all subsequent files.

The following command selects all files in the current directory matching the wildcard file specification of *.COM for decryption. Because the /CONFIRM qualifier is specified, the user is prompted on a file-by-file basis to confirm that each file is to be decrypted. Because the prompt is answered in the affirmative for the file MOVE.COM;3, the output file MOVE.COM;4 is created.

$ DECRYPT /CONFIRM *.COM FRANCISSCOTT 
Decrypt DISK2:[FLYNN]MOVE.COM;3 ? [N] YES

/EXCLUDE Qualifier

Use the /EXCLUDE qualifier to exclude one or more files from a decryption operation. If a file matches the file specification provided with the qualifier, the file is not decrypted. The /EXCLUDE qualifier has the format:

/EXCLUDE=((file-spec)[,...])

where

file-spec is the file specification of the file to remain encrypted.

When specifying only one file, you can omit the parentheses. Wildcard characters are allowed in the file specification. With the /EXCLUDE qualifier, there is no default for the file specification.

Because directory files are never encrypted, you need not exclude them explicitly. If you do specify /EXCLUDE=*.DIR, however, you suppress the warning message %ENCRYPT-W-FILNODIR, file encryption of directories is not supported, filename.dir, which is otherwise issued for each directory file that the input wildcard matches.

The following command selects for decryption all files in the current directory that match the wildcard file specification of *.COM, except LOGIN.COM, which is specified with /EXCLUDE.

$ DECRYPT /EXCLUDE=LOGIN.COM *.COM FRANCISSCOTT

/EXPIRED Qualifier

The /EXPIRED qualifier selects files for decryption according to the dates on which they expire. (The expiration date is set with the SET FILE/EXPIRATION_DATE command.) This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier has the format:

/EXPIRED /BEFORE[=time]

/EXPIRED /SINCE[=time]

where

time is an OpenVMS time.

If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that expire after 00:00:00 15-APR-2009.

$ DECRYPT /EXPIRED /SINCE=15-APR-2009 *.COM FRANCISSCOTT

Do not use the /EXPIRED qualifier with either the /BACKUP or the /MODIFIED qualifier.

/MODIFIED Qualifier

The /MODIFIED qualifier selects files for decryption according to the dates on which they were last modified. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier has the format:

/MODIFIED /BEFORE[=time]

/MODIFIED /SINCE[=time]

where

time is an OpenVMS time.

If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that were modified after 00:00:00 15-APR-2009.

$ DECRYPT /MODIFIED /SINCE=15-APR-2009 *.COM FRANCISSCOTT

Do not use the /MODIFIED qualifier with either the /BACKUP or the /EXPIRED qualifier.

/SINCE Qualifier

The /SINCE qualifier selects files for decryption that have a creation date after the time specified with the qualifier. The /SINCE qualifier has the format:

/SINCE[=time]

where

time is an OpenVMS time.

If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for decryption all files in the current directory matching the wildcard file specification of *.COM that were created after 00:00:00 15-APR-2009.

$ DECRYPT /SINCE=15-APR-2009 *.COM FRANCISSCOTT
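The selection qualifiers above act on whatever the wildcard and date tests match, and nothing in DECRYPT itself lists the selection before acting on it. The following DCL procedure is an added example, not from the OpenVMS manual: it previews a /MODIFIED /SINCE selection with the DIRECTORY command, which accepts the same date and exclusion qualifiers, and runs DECRYPT with the identical selection only after the operator agrees. The key name ARCHIVE_KEY, the .ENC and .TXT file types, the SCRATCH*.ENC exclusion and the seven-day window are assumptions, and the key is assumed to be already defined in the process key storage table.

```dcl
$! Added example (not from the OpenVMS manual): preview a date-based
$! selection with DIRECTORY before DECRYPT acts on it. DIRECTORY takes the
$! same /MODIFIED, /SINCE and /EXCLUDE qualifiers, so the listing is the
$! exact set of files the DECRYPT command below will select.
$! Assumptions: key ARCHIVE_KEY is already defined for this process;
$! ciphertext files carry the type .ENC; SCRATCH*.ENC must stay encrypted.
$ SET NOON
$!
$! -7- is an OpenVMS combination time: the current time minus seven days.
$! Files last modified before that, and any file matching SCRATCH*.ENC,
$! are not listed and will not be decrypted.
$ DIRECTORY /MODIFIED /SINCE=-7- /EXCLUDE=(SCRATCH*.ENC) /DATE=MODIFIED *.ENC
$ IF .NOT. $STATUS THEN EXIT $STATUS          ! nothing matched: nothing to do
$ INQUIRE PROCEED "Decrypt the files listed above (Y/N)"
$ IF .NOT. PROCEED THEN EXIT
$!
$! Same selection, now with /CONFIRM for a per-file check, /SHOW=FILES to
$! record each input/output pair, and /OUTPUT so the plaintext gets its
$! own file type instead of becoming a new version of the ciphertext name.
$ DECRYPT /MODIFIED /SINCE=-7- /EXCLUDE=(SCRATCH*.ENC) /CONFIRM /SHOW=FILES -
          /OUTPUT=.TXT *.ENC ARCHIVE_KEY
$ EXIT
```

Run it interactively; the INQUIRE prompt reads from SYS$COMMAND, and a DCL string that starts with Y or T evaluates as true, so any other answer abandons the run without touching a file.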

Deleting Decrypted Files

By default, the input file is retained after a file is decrypted and written to the resulting output file. To save space, after you have decrypted a file, you may want to remove the encrypted file from your disk.

You can use the DCL DELETE command with the /ERASE qualifier to remove the contents of the file from the disk, or you can use the /DELETE and /ERASE qualifiers with the DECRYPT command.

/DELETE Qualifier

The /DELETE qualifier deletes the input file after the decryption operation completes and the output file has been written and closed. If multiple versions of the input file exist, they are not all deleted; /DELETE acts only on the version of the input file that was actually decrypted.

The following command specifies that the SAVEDMAIL.MAI file be decrypted using the TWENTYFIVECENTS encryption key. Because the /DELETE qualifier is specified, the input file is deleted after the output file is written.

$ DECRYPT /DELETE SAVEDMAIL.MAI TWENTYFIVECENTS

/ERASE Qualifier

To prevent disk scavenging, use the /ERASE qualifier with the /DELETE qualifier. For example, the following command decrypts the SAVEDMAIL.MAI file using the TWENTYFIVECENTS encryption key, erases the input file with the data security pattern, and deletes the file.

$ DECRYPT /DELETE /ERASE SAVEDMAIL.MAI TWENTYFIVECENTS

With the following command, the SAVEDMAIL.MAI file is decrypted using the TWENTYFIVECENTS encryption key, but the input file is not erased with the data security pattern before being deleted.


$ DECRYPT /DELETE /NOERASE SAVEDMAIL.MAI TWENTYFIVECENTS
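The two-step procedure at the start of this section (define the key, then decrypt with the matching key algorithm) and the /DELETE /ERASE cleanup described here are usually wanted together. The following command procedure is an added example, not from the OpenVMS manual: it reads the key value without echo so that it appears neither on a command line nor in the DCL recall buffer, defines the key in the process key storage table, decrypts with /DELETE /ERASE, and removes the key afterwards whether or not the decryption succeeded. The procedure name DECRYPT_AND_SHRED.COM, its parameters, and the use of /AES on ENCRYPT /REMOVE_KEY for keys created with /CREATE_KEY /AES are assumptions; the other commands and qualifiers are the ones documented in this chapter.

```dcl
$! DECRYPT_AND_SHRED.COM (added example, not from the OpenVMS manual).
$!   P1 = key name
$!   P2 = file specification of the ciphertext (wildcards allowed)
$!   P3 = key algorithm, default DESCBC; AESCBC128/192/256 need an AES key
$! The procedure name and parameters are assumptions.
$ SET NOON
$ IF P1 .EQS. "" .OR. P2 .EQS. ""
$ THEN
$     WRITE SYS$OUTPUT "Usage: @DECRYPT_AND_SHRED key-name file-spec [key-algorithm]"
$     EXIT %X10000002
$ ENDIF
$ ALG = "DESCBC"
$ IF P3 .NES. "" THEN ALG = P3
$ IS_AES = F$EXTRACT(0, 3, ALG) .EQS. "AES"
$ STATUS = %X10000002
$!
$! Step 1: (re)define the key. The process key table dies with the process,
$! so the key is always defined here rather than assumed from an earlier
$! session. The value is read without echo so it does not land in the
$! recall buffer the way a typed ENCRYPT /CREATE_KEY command would.
$ SET TERMINAL /NOECHO
$ READ /PROMPT="Key value for ''P1' (not echoed): " SYS$COMMAND KEYVAL
$ SET TERMINAL /ECHO
$ WRITE SYS$OUTPUT ""
$ IF IS_AES
$ THEN
$     ENCRYPT /CREATE_KEY /AES 'P1' "''KEYVAL'"
$ ELSE
$     ENCRYPT /CREATE_KEY 'P1' "''KEYVAL'"
$ ENDIF
$ IF .NOT. $STATUS THEN EXIT $STATUS
$ DELETE /SYMBOL KEYVAL                      ! drop the plaintext key value
$ ON CONTROL_Y THEN GOTO CLEANUP             ! never leave the key behind
$!
$! Step 2: decrypt. /KEY_ALGORITHM must match the value used to encrypt;
$! the data algorithm is not given again. /DELETE removes only the
$! ciphertext version that was decrypted, and only after the plaintext
$! output is closed; /ERASE overwrites it with the data security pattern
$! first so the ciphertext cannot be scavenged from freed disk blocks.
$ DECRYPT /KEY_ALGORITHM='ALG' /DELETE /ERASE /SHOW=(FILES,STATISTICS) 'P2' 'P1'
$ STATUS = $STATUS
$CLEANUP:
$! Step 3: remove the key so it does not outlive this procedure.
$! Assumption: /REMOVE_KEY takes /AES for a key created with /CREATE_KEY /AES.
$ IF IS_AES
$ THEN
$     ENCRYPT /REMOVE_KEY /AES 'P1'
$ ELSE
$     ENCRYPT /REMOVE_KEY 'P1'
$ ENDIF
$ EXIT STATUS
```

Invoke it as @DECRYPT_AND_SHRED MY_AES_KEY32 *.ENC AESCBC256, for example. The procedure exits with the status of the DECRYPT command, so a batch job or calling procedure can test $STATUS; a Ctrl/Y during decryption still runs the key removal before the procedure exits.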

Algorithm Qualifiers

The algorithm qualifiers used to encrypt determine what you must specify when you decrypt:

  • If you used the /DATA_ALGORITHM qualifier to encrypt, do not specify it when you decrypt. ENCRYPT records the data algorithm with the encrypted file, so DECRYPT recovers it from the file once it has your key.

  • If you used the /KEY_ALGORITHM qualifier to encrypt, specify the same algorithm when you decrypt. If you encrypted with the default key algorithm, you can omit the qualifier.

The /KEY_ALGORITHM qualifier has the format:

/KEY_ALGORITHM=(algorithm)

where

algorithm is one of the following values:

  • DESCBC (the default)

  • DESECB

  • DESCFB

  • AESCBC128, AESCBC192, or AESCBC256, as in the examples earlier in this section; these require a key created with ENCRYPT /CREATE_KEY /AES of at least 16, 24, or 32 characters respectively.

For example, if SAVEDMAIL.MAI is encrypted with /KEY_ALGORITHM=DESCFB, decrypt the file with the same /KEY_ALGORITHM=DESCFB qualifier, as follows:

$ ENCRYPT /KEY_ALGORITHM=DESCFB SAVEDMAIL.MAI TWENTYFIVECENTS
$ DECRYPT /KEY_ALGORITHM=DESCFB SAVEDMAIL.MAI TWENTYFIVECENTS