To encrypt or decrypt any file, a key has
to be created first.
To define a key, enter the ENCRYPT/CREATE_KEY command:
ENCRYPT /CREATE key-name key-value [ qualifiers ]
|key-name||is the name of the key.|
|key-value||is the value you assign to the
|qualifiers||are options that control the
format of the key value or where the key is stored.|
For AES keys, the /AES qualifier must be
$ ENCRYPT /CREATE_KEY keyname
"This is my secret key" /AES
This generates an AES key with a key length
of 21 characters. You can specify a key of any length as long as it
meets the key-length minimum requirement and does not exceed Encrypt’s
maximum number of characters (approximately 240). For more information
on the /AES qualifier, see the HP OpenVMS DCL Dictionary.
In order to specify the key algorithm,
use the /KEY_ALGORITHM qualifier. The default key algorithm is DESCBC
for DES keys and AESCBC128 when the /AES qualifier is used. For more
information, see “/KEY_ALGORITHM Qualifier”.
Specifying the Key Value
To specify key-value on the ENCRYPT /CREATE_KEY
command line, use either a text string or a hexadecimal constant,
using the following rules:
ASCII text string (default):
Length: 8 to 240 characters.
The string is not case sensitive.
If you use any non-alphanumeric characters, for example,
space characters, enclose them in quotation marks.
Example: This command defines a key named HAMLET with character
string value (And you yourself shall keep the key
$ ENCRYPT /CREATE_KEY HAMLET
_ Key value: "And you yourself shall keep the key of it"
Use the /HEXADECIMAL qualifier.
Valid characters: 0 to 9, A to F.
Valid minimum length: 15 characters.
Do not enclose the
value in quotation marks.
Example: The following command defines a key named ARCANE with
hexadecimal value 2F4A98F46BBC11D:
$ ENCRYPT /CREATE_KEY /HEX ARCANE 2F4A98F46BBC11D
In addition, when you specify key-value, do not use weak keys. These are
key values with a pattern of repeated characters or groups of characters.
Using a pattern results in an encrypted form that might be easy for
unauthorized users to decrypt. For example, the hexadecimal constant
0101010101010101 and the text string 'abcabcabc' are weak
Using weak keys might produce the following consequences:
Security of encrypted data may be at risk.
Encryption may be the same as decryption.
Encryption with one weak key followed by encryption
with another weak key may result in the original plaintext.
HP supplies a table of known weak keys. The software checks
keys you define against this table and displays an error message
when you supply a weak key.
Verifying Key Creation
To verify the successful creation of a key, use the /LOG qualifier.
For example, this command reports that the key HAMLET is defined:
$ ENCRYPT /CREATE_KEY /LOG HAMLET
_ Key value: "And you yourself shall keep the key of it"
%ENCRYPT-S-KEYDEF, key defined for key name = HAMLET
The following example verifies an AES key:
$ ENCRYPT/CREATE MY_KEY "This is a sample ASCII key value" /AES/LOG
%ENCRYPT-S-KEYDEF, key defined for key name = MY_KEY
The key is flagged as an AES key to distinguish it from a DES key.
Specifying Key Storage Tables
When you define a key, it is stored in encrypted form in a key
storage table. The key value is stored under the key name. When you
encrypt files, the process takes this stored information and does
It compresses the key value taken from the key storage
table into a key consisting of 8 bytes of binary digits.
It ensures the odd parity of each byte by modifying
one of two things for each byte:
Sign bit, as needed (default)
Low bit (bit 0) (if you specify the /HEXADECIMAL qualifier)
For text string key values, it converts letters to
uppercase, reduces multiple consecutive spaces to one space, removes
some punctuation characters, and compresses the key string.
As a result, you do not have to remember the exact syntax of
the key value. For example, if you define a key value with two spaces
between each word, you do not have to remember this spacing to specify
the key again.
Key storage tables determine which users can access keys. The
following key storage tables control user access:
Process key storage table (default) --- accessible
only to the process that defined the keys within the table.
If you are defining a key that is intended for use by other processes,
specify the appropriate qualifier (/JOB, /GROUP, or /SYSTEM) so that
the intended users of the key can access it.
Job key storage table — accessible only to
processes within the same job tree as the process that defined the
keys within the table.
Group key storage table — accessible to users
in the same UIC group as the process that defined the keys in the
System storage table — accessible to all system
To enter keys into the key storage tables, use the following
ENCRYPT /CREATE_KEY qualifiers:
/GROUP (requires GRPNAM or
/SYSTEM (requires SYSPRV privilege)
a key that anyone working on the system can use to encrypt his or
her files. Because the key is stored in encrypted form, they cannot
see the value of the key. The key is available for use until the
system is rebooted.
For example, the following command defines a key named SYSMASTER
and places it in the system key storage table.
$ ENCRYPT /CREATE_KEY /SYSTEM SYSMASTER
_$ Key Value: "The human heart has hidden treasures, in secret kept,
in silence sealed"
When you encrypt a file, the key you use is like a password
to that file. It is important to keep it secret. In addition, ensure
that you remember the key value. You need both the key and the value
to decrypt the file.
A key stored in the process key storage table lasts for the
life span of the process that defined the keys in the table. Like
other process-specific structures, the process key storage table
disappears when you log out.
Key values that are meaningful to you are the most memorable,
but avoid easily guessed choices such as your nickname or the make
of your car. Never post a key name or value in your office or store
it online. Like operating system passwords, increasing the length
of a key value lessens the possibility of discovery.
The DES algorithm requires that a key
value has a minimum length of eight non-null characters. To improve
the security of the key value, specify more than eight characters.
For the AES algorithm, the minimum required
key sizes are as follows:
128-bit mode = 16-byte key
192-bit mode = 24-byte key
256-bit mode = 32-byte key