[an error occurred while processing this directive]

HP OpenVMS Systems Documentation

Content starts here

HP OpenVMS DCL Dictionary


Previous Contents Index


DECRYPT

Decrypts files previously encrypted with the ENCRYPT command. DES is the default algorithm unless otherwise specified with the /KEY_ALGORITHM qualifier. The key specified must match the algorithm (DES or AES), and the same key is used to decrypt as was used to encrypt; a symmetric key algorithm.

Format

DECRYPT input-file key-name [qualifiers]


Parameters

input-file

File names of the files to decrypt. If you use wildcard characters, do not include directory files or files with bad blocks.

key-name

Key name that was previously stored in the key storage table by the ENCRYPT /CREATE_KEY command.

Qualifiers

/BACKUP[=time]

Selects files according to the dates of their most recent backup.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED or /MODIFIED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/BEFORE[=time]

Selects files that have a creation time before the time you specify.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/BY_OWNER[=uic]

/NOBY_OWNER

Selects files with the owner UIC you specify.

If you omit uic, the UIC of the current process is used. For more information on specifying UIC format, see the OpenVMS User's Manual.

/CONFIRM

/NOCONFIRM

Controls whether or not a confirmation request is displayed before each decryption, as follows:
Response Meaning
YES Decrypts the file
NO or [Return] Does not decrypt the file (default)
QUIT or [Ctrl/Z] Does not decrypt the file or any subsequent files
ALL Decrypts the file plus all subsequent files

/DELETE

/NODELETE

Default: /NODELETE.

Controls whether or not the input files are deleted after the decryption operation is complete and the output file is written and closed.

/ERASE

/NOERASE

Controls whether or not the input files are erased with the data security pattern before being deleted. By default, the location in which the data was stored is not overwritten with the data security pattern. The /ERASE qualifier must be used with /DELETE.

/EXCLUDE=file-spec

/NOEXCLUDE

Excludes the specified files from the decryption operation. You can use wildcard characters. You do not need to enter an entire file specification. Any field that you omit defaults to the input file specification.

Because directory files are never encrypted, you need not specify them.

/EXPIRED[=time]

Selects files according to the dates on which they expire.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP or /MODIFIED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/KEY_ALGORITHM= {DESCBC (default) | AESmmmkkk}

Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128, 192, or 256 bits. Cipher Block Chaining (CBC) and Electronic Code Book (ECB) are 16-byte block modes, meaning blocks are padded to 16 bytes if necessary during encryption. The padding is removed during decryption. Cipher Feedback (CFB) and Output Feedback (OFB) are 8-bit character stream mode emulation, useful in data communications and where no padding is required. Note that /KEY_ALGORITHM=AES is a shortcut for specifying AESCBC128.

The algorithm by which the random key and the initialization vector are protected within the encrypted file. Specify the same algorithm (AES or DES) that you used to encrypt the file and create the key, if not, the default is DESCBC.

/MODIFIED[=time]

Selects files according to the dates on which they were last modified.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP or /EXPIRED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/OUTPUT=file-spec

Alternate output file name for the decryption operation.

By default, each input file decrypted is written to a separate output file that is one version higher than that of the input file. When using the /OUTPUT qualifier, specify the parts of the file specification different from the defaults. You do not need to provide an entire file specification. Any field that you omit defaults to the input file specification.

/SHOW=(keyword-list)

Controls whether or not the following information about the decryption operation is displayed on SYS$COMMAND:
Keyword Meaning
FILES Displays input and output file names on SYS$COMMAND
STATISTICS Displays the encryption stream statistics:
  • Bytes processed
  • Internal records processed
  • CPU time consumed within the encryption algorithm

/SINCE[=time]

Selects files that have a creation date before the time you specify.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/STATISTICS

Similar to /SHOW, except that /STATISTICS lists both files and statistics, whereas /SHOW can be customized to list only one or the other.

Examples

#1

$ DECRYPT BOSTON MYKEY
      

Decrypts the file name BOSTON using the DES key, MYKEY, and the DESCBC algorithm.

#2

$ DECRYPT CHIGAGO.ENC KEY2 /KEY=AESECB256 /OUT=CHICAGO.DEC
      

Decrypts the file named CHICAGO.ENC using the AES key, KEY2, and the AESECB256 algorithm, renaming the decrypted output file to CHICAGO.DEC, the original plaintext file.


Previous Next Contents Index