When the installation is finished, before you run the Encryption for OpenVMS software, follow these post-installation steps:

1. Edit the system startup procedure, SYS$STARTUP:SYSTARTUP_VMS.COM.
   • Add the following line:
     $ @SYS$SYSROOT:[SYS$STARTUP]ENCRYPT_START.COM
     As part of installation, PCSI runs the Encryption startup procedure. However, ENCRYPT_START.COM also needs to be run upon each reboot. Adding this instruction to your system startup procedure ensures that ENCRYPT_START.COM runs whenever your system reboots.
   • If you plan to use the Encryption programming interface from an image installed with privileges, add this line:
     $ INSTALL ADD SYS$LIBRARY:ENCRYPSHR.EXE /OPEN /HEADER /SHARED
     The programming interface resides in the ENCRYPSHR shareable image. The INSTALL ADD command installs the ENCRYPSHR shareable image as a known image.
2. Log out and then log in again.

After installation, you can access the Encryption for OpenVMS Release Notes, even if you dismounted the distribution medium, or if you deleted a copy of the Release Notes from the Encryption directory. Use the PRODUCT EXTRACT RELEASE_NOTES command to copy the document from the installed kit to a file.

The default file name is DEFAULT.PCSI$RELEASE_NOTES, in your current directory. To specify a different name for the file, use the /FILE qualifier. Follow these steps:

1. Ensure that one of the following is true:
   • The logical name PCSI$SOURCE is defined to point to the directory containing the .PCSI files.
   • The directory containing the .PCSI files is your default directory.
2. Enter the PRODUCT EXTRACT RELEASE_NOTES command. For example:

   $ PRODUCT EXTRACT RELEASE_NOTES CPQ-VMS-ENCRYPT-V0106.RELEASE_NOTES - _$ /FILE=[ENCRYPT0106]RELEASE_NOTES.TXT

To de-install Encryption files, use the PRODUCT REMOVE command:

$ PRODUCT REMOVE ENCRYPT The following product has been selected: CPQ AXPVMS ENCRYPT V1.6 Layered Product Do you want to continue? [YES] [Return] The following product will be removed from destination: CPQ AXPVMS ENCRYPT V1.6 DISK$COE_X92N:[VMS$COMMON.] Portion done: 0%...20%...30%...40%...50%...60%...70%...80%...90%...100% The following product has been removed: CPQ AXPVMS ENCRYPT V1.6 Layered Product

Interactively using the features of the Encryption for OpenVMS product consists of the following tasks:

• Defining keys ( Section 3.1)
• Encrypting files ( Section 3.2)
• Authenticating files ( Section 3.3)
• Deleting key definitions ( Section 3.4)
• Decrypting files ( Section 3.5)
• Encrypting save sets ( Section 3.6)

Use DCL commands to accomplish these tasks. For information about adding encryption and decryption processes to your software applications, see Chapter 4.

3.1 Defining Keys

To define a key, enter the ENCRYPT /CREATE_KEY command:

ENCRYPT /CREATE key-name key-value [ qualifiers ]

where

key-name	is the name of the key.
key-value	is the value you assign to the key.
qualifiers	are options that control the format of the key value or where the key is stored.

3.1.1 Specifying the Key Name

To specify key-name on the ENCRYPT /CREATE_KEY command line, specify a character string using the following rules:

• Valid length: 1 to 243 characters.
• Valid: alphanumeric characters, dollar signs, and underscores.
• Case sensitive: no.

To help you remember the name, use one that has meaning to you.

To specify a key-value on the ENCRYPT /CREATE_KEY command line, use either a text string or a hexadecimal constant, using the following rules:

ASCII text string (default):

• Length: 8 to 240 characters.
• The string is not case sensitive.
• If you use any non-alphanumeric characters, for example, space characters, enclose them in quotation marks ( " " ).

Example: This command defines a key named HAMLET with character string value And you yourself shall keep the key of it :

$ ENCRYPT /CREATE_KEY HAMLET _ Key value: "And you yourself shall keep the key of it"

Hexadecimal constant

• Use the /HEXADECIMAL qualifier.
• Valid characters: 0 to 9, A to F.
• Valid minimum length: 15 characters.
• Do not enclose the value in quotation marks.

Example: The following command defines a key named ARCANE with hexadecimal value 2F4A98F46BBC11D:

$ ENCRYPT /CREATE_KEY /HEX ARCANE 2F4A98F46BBC11D

In addition, when you specify key-value, do not use weak keys. These are key values with a pattern of repeated characters or groups of characters. Using a pattern results in an encrypted form that might be easy for unauthorized users to decrypt. For example, the hexadecimal constant 0101010101010101 and the text string 'abcabcabc' are weak keys.

Using weak keys might produce the following consequences:

• Security of encrypted data may be at risk.
• Encryption may be the same as decryption.
• Encryption with one weak key followed by encryption with another weak key may result in the original plaintext.

Compaq supplies a table of known weak keys with the Encryption software. The software checks keys you define against this table and displays an error message when you supply a weak key.

3.1.3 Verifying Key Creation

To verify the successful creation of a key, use the /LOG qualifier. For example, this command reports that the key HAMLET is defined:

$ ENCRYPT /CREATE_KEY /LOG HAMLET _ Key value: "And you yourself shall keep the key of it" %ENCRYPT-S-KEYDEF, key defined for key name = HAMLET

3.1.4 Specifying Key Storage Tables

When you define a key, it is stored in encrypted form in a key storage table. The key value is stored under the key name. When you encrypt files, the process takes this stored information and does the following:

• It compresses the key value taken from the key storage table into a key consisting of 8 bytes of binary digits.
• It ensures the odd parity of each byte by modifying one of two things for each byte:
  • Sign bit, as needed (default)
  • Low bit (bit 0) (if you specify the /HEXADECIMAL qualifier)
• For text string key values, it converts letters to uppercase, reduces multiple consecutive spaces to one space, removes some punctuation characters, and compresses the key string.
  As a result, you do not need to remember the exact syntax of the key value. For example, if you define a key value with two spaces between each word, remembering this spacing is not required to respecify the key.

Key storage tables determine which users can access keys. The following key storage tables control user access:

• Process key storage table (default) --- accessible only to the process that defined the keys within the table.
  If you are defining a key that is intended for use by other processes, specify the appropriate qualifier (/JOB, /GROUP, or /SYSTEM) so that the intended users of the key can access it.
• Job key storage table --- accessible only to processes within the same job tree as the process that defined the keys within the table.
• Group key storage table --- accessible to users in the same UIC group as the process that defined the keys in the table.
• System storage table --- accessible to all system users.

To enter keys into the key storage tables, use the following ENCRYPT /CREATE_KEY qualifiers:

• /PROCESS
• /JOB
• /GROUP (requires GRPNAM or SYSPRV privilege)
• /SYSTEM (requires SYSPRV privilege)
  Defines a key that anyone working on the system can use to encrypt his or her files. Because the key is stored in encrypted form, they cannot see the value of the key. The key is available for use until the system is rebooted.
  For example, the following command defines a key named SYSMASTER and places it in the system key storage table.

  $ ENCRYPT /CREATE_KEY /SYSTEM SYSMASTER _$ Key Value: "The human heart has hidden treasures, in secret kept, in silence sealed"

When you encrypt a file, the key you use is like a password to that file. It is important to keep it secret. In addition, ensure that you remember the key value. You need both the key and the value to decrypt the file.

A key stored in the process key storage table lasts for the life span of the process that defined the keys in the table. Like other process-specific structures, the process key storage table disappears when you log out.

Key values that are meaningful to you are the most memorable, but avoid easily guessed choices such as your nickname or the make of your car. Never post a key name or value in your office or store it online. Like operating system passwords, increasing the length of a key value lessens the possibility of discovery.

The DES algorithm requires that a key value have a minimum length of eight non-null characters. To improve the security of the key value, specify more than eight.

3.2 Encrypting Files

After you define a key with the ENCRYPT /CREATE_KEY command, use this key to encrypt files. Enter the ENCRYPT command. In addition to the key, specify a plaintext file. The syntax of the ENCRYPT command is as follows:

ENCRYPT file-spec key-name [ qualifiers ]

where

file-spec	is the plaintext input file specification.
key-name	is the name of the key.
qualifiers	are options that control the encryption process or the selection of files you want to encrypt

3.2.1 Input File Specification

For the plaintext file specified on the ENCRYPT command line, use a file that resides on disk and that is not a directory file.

To specify multiple input files, use wildcard characters in the file specification. To control file selection, specify the appropriate ENCRYPT command qualifiers (see Section 3.2.4). Do not use wildcard characters to specify directory files or files containing bad blocks.

3.2.2 Output File Specification

The result of the encryption operation is a ciphertext file. One ciphertext file is created for each input file that is encrypted.

By default, the ENCRYPT command writes each ciphertext file to a separate output file with the same name except that it has a version number one higher than that of the current input file.

To specify an alternate output file specification, use the /OUTPUT qualifier. Specify only the file specification parts that you want to change from the defaults. For example, the following command encrypts all the files in the current directory that match the wildcard file specification *.COM. The /OUTPUT qualifier specifies that any output files created have a file type of .ENC. FRANCISSCOTT is the key used to encrypt the files.

$ ENCRYPT *.COM /OUTPUT=.ENC FRANCISSCOTT

Do not specify a file that already exists. For example, you cannot name the output file NEWS.DAT;2 if NEWS.DAT;2 already exists. However, specifying NEWS.DAT as both the input and output files is valid.

3.2.3 Displaying Processing Information

By default, information about the encryption operation is not displayed. To display information about file encryption operations on SYS$COMMAND, use the /SHOW qualifier. The /SHOW qualifier has the format:

/SHOW=keyword

or

/SHOW=(keyword-list)

Specify one or more of the following keywords:

• FILES ( Section 3.2.3.1)
• STATISTICS ( Section 3.2.3.2)

The FILES keyword displays the file specifications of the input and output files. For example, /SHOW=FILES in the following command specifies that each input and output file specification be displayed as it is encrypted.

$ ENCRYPT /SHOW=FILES *.COM FRANCISSCOTT %ENCRYPT-S-ENCRYPTED, DISK2:[FLYNN]MOVE.COM.2 encrypted to DISK2:[FLYNN]MOVE.COM;3 (8 blocks) . . .

3.2.3.2 STATISTICS Keyword

Use the STATISTICS keyword to display encryption stream statistics after the completion of each file operation. The statistics displayed are:

• Bytes processed
• Internal records processed
• CPU time consumed within the encryption algorithm

The following command specifies that encryption stream statistics be displayed on SYS$COMMAND.

$ ENCRYPT /SHOW=STATISTICS *.COM FRANCISSCOTT %ENCRYPT-S-STATISTICS, encryption stream statistics: Total Records: 65 Total Bytes: 4083 Total Time: 00:00:01.63 . . .

3.2.4 Specifying Files to Encrypt

To specify multiple input files, use the ENCRYPT command with wildcard characters in the input file specification.

The following ENCRYPT command qualifiers can help you select files:

• /BACKUP ( Section 3.2.4.1)
• /BEFORE ( Section 3.2.4.2)
• /BY_OWNER ( Section 3.2.4.3)
• /CONFIRM ( Section 3.2.4.4)
• /EXCLUDE ( Section 3.2.4.5)
• /EXPIRED ( Section 3.2.4.6)
• /MODIFIED ( Section 3.2.4.7)
• /SINCE ( Section 3.2.4.8)

The /BACKUP qualifier selects files for encryption according to the date of their most recent backup. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier has the format:

/BACKUP /BEFORE[=time]

or

/BACKUP /SINCE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that had backup copies made before 00:00:00 15-APR-2001.

$ ENCRYPT /BACKUP /BEFORE=15-APR-2001 *.COM FRANCISSCOTT

Do not use the /BACKUP qualifier with either the /EXPIRED or the /MODIFIED qualifier.

3.2.4.2 /BEFORE Qualifier

The /BEFORE qualifier selects files for encryption that have a creation time before the time specified with the qualifier. The /BEFORE qualifier has the format:

/BEFORE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were created before 00:00:00 15-APR-2001.

$ ENCRYPT /BEFORE=15-APR-2001 *.COM FRANCISSCOTT

3.2.4.3 /BY_OWNER Qualifier

The /BY_OWNER qualifier allows you to select files for encryption that have a particular owner User Identification Code (UIC). If no UIC is specified with the qualifier, the UIC of the current process is used. The /BY_OWNER qualifier has the format:

/BY_OWNER=uic

where uic is the UIC of the owner of the file.

For more information on specifying UIC format, see the OpenVMS DCL Dictionary.

The following command selects for encryption all files in the current directory owned by the user whose UIC is [FLYNN] that match the wildcard file specification of *.COM.

$ ENCRYPT /BY_OWNER=[FLYNN] *.COM FRANCISSCOTT

3.2.4.4 /CONFIRM Qualifier

By default, all input files specified on the command line are processed without confirming that those files are selected for encryption. Use the /CONFIRM qualifier if you want a prompt with the name of each file selected for encryption. Your response determines whether or not a particular file is encrypted, as follows:

Response	Meaning
YES	Encrypt the file.
NO or [Return]	Do not encrypt the file. This is the default.
QUIT or [Ctrl/Z]	Do not encrypt the file or any subsequent files.
ALL	Encrypt the file and all subsequent files.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM. Because the /CONFIRM qualifier is specified, the user is prompted on a file-by-file basis to confirm that each file is to be encrypted. Because the prompt is answered in the affirmative for the file MOVE.COM;3, the output file MOVE.COM;4 is created.

$ ENCRYPT /CONFIRM *.COM FRANCISSCOTT Encrypt DISK2:[FLYNN]MOVE.COM;3 ? [N] YES

3.2.4.5 /EXCLUDE Qualifier

Use the /EXCLUDE qualifier to exclude one or more files from an encryption operation. If a file matches the file specification provided with the /EXCLUDE qualifier, the file will not be encrypted. The /EXCLUDE qualifier has the format:

/EXCLUDE=(file-spec[,...])

where

file-spec is the name of the file to remain unencrypted.

Wildcard characters are allowed in the file specification. There is no default for the file specification. Because directory files are never encrypted, you need not specify them with the /EXCLUDE qualifier. However, if you do specify /EXCLUDE=*.DIR , you will not get the warning message %ENCRYPT-W-FILNODIR, file encryption of directories is not supported, filename.dir .

The following command selects for encryption all files in the current directory that match the wildcard file specification of *.COM, except LOGIN.COM, which is specified with /EXCLUDE.

$ ENCRYPT /EXCLUDE=LOGIN.COM *.COM FRANCISSCOTT

3.2.4.6 /EXPIRED Qualifier

The /EXPIRED qualifier selects files for encryption according to the dates on which they expire. (The expiration date is set with the SET FILE /EXPIRATION_DATE command.) This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier has the format:

/EXPIRED /BEFORE[=time]

or

/EXPIRED /SINCE[=time]

where time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that expire after 00:00:00 15-APR-2001.

$ ENCRYPT /EXPIRED /SINCE=15-APR-2001 *.COM FRANCISSCOTT

Do not use the /EXPIRED qualifier with either the /BACKUP or the /MODIFIED qualifier.

3.2.4.7 /MODIFIED Qualifier

The /MODIFIED qualifier selects files for encryption according to the dates on which they were last modified. This qualifier is meaningful only when used with either the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier has the format:

/MODIFIED /BEFORE[=time]

or

/MODIFIED /SINCE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were modified after 00:00:00 15-APR-2001.

$ ENCRYPT /MODIFIED /SINCE=15-APR-2001 *.COM FRANCISSCOTT

Do not use the /MODIFIED qualifier with either the /BACKUP or the /EXPIRED qualifier.

3.2.4.8 /SINCE Qualifier

The /SINCE qualifier selects for encryption files that have a creation date after the time specified with the qualifier. The /SINCE qualifier has the format:

/SINCE[=time]

where

time is an OpenVMS time.

For more information on time specifications, see the OpenVMS DCL Dictionary. If you do not specify a time, TODAY is used. TODAY is the current day, month, and year at 00:00:00.

The following command selects for encryption all files in the current directory matching the wildcard file specification of *.COM that were created after 00:00:00 15-APR-2001.

$ ENCRYPT /SINCE=15-APR-2001 *.COM FRANCISSCOTT