HP OpenVMS Systems Documentation

HP OpenVMS DCL Dictionary

Associates a DES algorithm Message Authenticate Code (MAC) value with one or more files and checks for any modification of either plain text or cipher text files. Use the additional /UPDATE qualifier to store each file's MAC in the databases. Use only the /AUTHENTICATE qualifier to subsequently test the integrity of the file's data and security attributes. You must create a DES key prior to updating or checking an existing MAC. The AES algorithm is not supported for file MAC operations.

Format

ENCRYPT /AUTHENTICATE file-spec key-name [qualifiers]

Parameters

file-spec

File names of the files to authenticate. Behavior can be modified with the /MULTIPLE_FILES qualifier.

key-name

Key name previously stored in the key storage table with the ENCRYPT /CREATE_KEY command.

Qualifiers

/BACKUP[=time]

Selects files according to the dates of their most recent backup.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED or /MODIFIED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/BEFORE=time

Selects files that have a creation time before the time you specify.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/BY_OWNER[=uic]

/NOBY_OWNER

Selects files with the owner UIC you specify.

If you omit uic, the UIC of the current process is used. For more information on specifying UIC format, see the OpenVMS User's Manual.

/CONFIRM

/NOCONFIRM

Controls whether or not a confirmation request is displayed before each authentication, as follows:

Response	Meaning
YES	Authenticates the file
NO or [Return]	Does not authenticate the file (default)
QUIT or [Ctrl/Z]	Does not authenticate the file or any subsequent files
ALL	Encrypts the file plus all subsequent files

/DATABASE=file-spec

/NODATABASE

File name of the file in which to store binary MAC values.

Generates a MAC using the file contents. If you do not specify a file name, the file name SYS$LOGIN:ENCRYPT$MAC.DAT is used.

/EXCLUDE=file-spec

/NOEXCLUDE

Excludes the specified files from the authentication operation. You can use wildcard characters. You do not need to enter an entire file specification. Any field that you omit defaults to the input file specification.

Because directory files are never encrypted, you need not specify them.

/EXPIRED[=time]

Selects files according to the dates on which they expire.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP or /MODIFIED.

If you omit a time value, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/LOG

Displays the results of the authentication operation.

/MODIFIED[=time]

Selects files according to the dates on which they were last modified.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP or /EXPIRED.

If you omit a time value, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/MULTIPLE_FILES

Indicates that the file-spec parameter contains a list of file names to be checked. The file-spec file is opened and each record is read and treated as a file-spec.

/OUTPUT=file-spec

/NOOUTPUT

File name of the file in which to store readable MAC values. These MAC values represent both the file contents as well as the security settings. If you do not specify a file name, the default file name SYS$LOGIN:ENCRYPT$MAC.LIS is used.

/SECURITY=file-spec

/NOSECURITY

File name of the file in which to store binary MAC values. If you do not specify a file name, the default file name ENCRYPT$SEC.DAT is used.

Generates a MAC using the file's security settings: owner, protection settings, and optional ACL.

/SINCE[=time]

Selects files that have a creation time before the time you specify.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/UPDATE

/NOUPDATE

Associates new MAC values with one or more files.

Example

$ ENCRYPT /AUTHENTICATE NEWFILE HAMLET/CONFIRM
      

Associates a MAC with the file NEWFILE using the key HAMLET. This command also displays a confirmation request before each authentication.

$ ENCRYPT/AUTHENTICATE/UPDATE *.* MYKEY
%ENCRYPT-NEWDB, new authentication code database has been created
%ENCRYPT-NEWSECDB, new authentication security settings database has been created
%ENCRYPT-I-SUMMARY1, Summary:  Files successfully authenticated: 0
%ENCRYPT-I-SUMMARY2,     Files failing authentication: 0
%ENCRYPT-I-SUMMARY3,     Files not in database: 73
%ENCRYPT-I-SECSUMM1, Summary:  Security settings authenticated: 0
%ENCRYPT-I-SECSUMM2,     Security settings failing authentication: 0
%ENCRYPT-I-SECSUMM3,     Security settings not in database: 73
      

This example reates a MAC for each file in the current directory using the key named MYKEY, storing them in the two databases: SYS$LOGIN:ENCRYPT$MAC.DAT and ENCRYPT$SEC_MAC.DAT.

$ ENCRYPT /AUTHENTICATE *.* MYKEY
%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 73
%ENCRYPT-I-SUMMARY2,     Files failing authentication: 0
%ENCRYPT-I-SUMMARY3,     Files not in database: 0
%ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 73
%ENCRYPT-I-SECSUMM2,     Secruity settings failing authentication: 0
%ENCRYPT-I-SECSUMM3,     Security settings not in database: 0
      

This example authenticates the same files as in Example 3 by creating a new MAC and comparing that with those in each database, testing file data integrity and security attributes as indicated in the summary.