The OpenVMS operating system provides several data protection
schemes. For example, by using UIC-based protection you can protect
data by controlling access to files. You can use ACLs to refine access
control to specific groups or individual users. For a protection scheme
with yet greater security for your data, you can encrypt the files.
Encrypting a file transforms it into unrecognizable, unintelligible
data, even if someone manages to gain access to it.
The process of encryption takes readable data, called plaintext, and uses a mathematical algorithm to transform
the plaintext into an unreadable, unintelligible form, called ciphertext.
To encrypt the plaintext data, the encryption operation requires
a key. The key is a variable that controls the encryption operation.
The same plaintext, encrypted with different keys, results in different
ciphertext. In addition, repeated encryption of the same plaintext
with the same key also results in different ciphertext each time.
OpenVMS Version 8.3 integrates the former
Encryption for OpenVMS software product into the operating system.
This eliminates the need for a separate product installation and product
license. In addition, OpenVMS Version 8.3 and later supports the Advanced
Encryption Standard (AES) algorithm.
The AES algorithm allows OpenVMS users, system managers, security
managers, or programmers to secure their files, save sets, or application
data with AES encryption. DES and AES are similar encryption algorithms.
They are both block cipher algorithms. However, encryption using AES
algorithms is found to be more secure than DES encryption due to the
number of rounds the plain text undergoes during its transformation
to ciphered text. The number of rounds depend on the key size. For
example, a key size of 128 bits invokes 10 rounds of transformation.
Similarly, key sizes of 192 bits and 256 bits invoke 12 and 14 rounds,
respectively. For more information on AES encryption algorithm, see “Using Encryption”
The algorithm used by OpenVMS is a software implementation of
the Data Encryption Standard (DES) defined by the National Bureau
of Standards (NBS). The NBS document FIPS-PUB-46 describes the operation
of the DES algorithm in detail.
Because the DES algorithm is public knowledge, the security
of your ciphertext files depends on the keys you define.
OpenVMS encryption uses two keys:
Key that the software randomly generates, called the
The key you provide encrypts the data key, which is stored in
the first block of the ciphertext file. The process uses the encrypted
data key to encrypt the file. You have the option to encrypt either
the data key or the file.
Table 1-2 shows the
components of the encryption process.
Table 1-2 Components of the Encryption Operation
|User-supplied data key||Key encryption||Encrypted key|
|Data (plaintext) and the encrypted data key ||Data encryption||Encrypted file|
Figure 1-1 illustrates
the data encryption operation. In this example, the input file contains
the text "secret" and the key has been defined as "elmno jflghi."
The output file is unreadable text.
Figure 1-1 Encrypting a File