HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 9 Using Encryption
To encrypt or decrypt any file, a key has to be created first.
To define a key, enter the ENCRYPT/CREATE_KEY command:
ENCRYPT /CREATE key-name key-value [ qualifiers ]
For AES keys, the /AES qualifier must be added:
$ ENCRYPT /CREATE_KEY keyname "This is my secret key" /AES
This generates an AES key with a key length of 21 characters. You can specify a key of any length as long as it meets the key-length minimum requirement and does not exceed Encrypt’s maximum number of characters (approximately 240). For more information on the /AES qualifier, see the HP OpenVMS DCL Dictionary.
In order to specify the key algorithm, use the /KEY_ALGORITHM qualifier. The default key algorithm is DESCBC for DES keys and AESCBC128 when the /AES qualifier is used. For more information, see “/KEY_ALGORITHM Qualifier”.
To specify key-name on the ENCRYPT /CREATE_KEY command line, specify a character string using the following rules:
To help you remember the name, use one that has meaning to you.
To specify key-value on the ENCRYPT /CREATE_KEY command line, use either a text string or a hexadecimal constant, using the following rules:
ASCII text string (default):
Example: This command defines a key named HAMLET with character string value (And you yourself shall keep the key of it):
Example: The following command defines a key named ARCANE with hexadecimal value 2F4A98F46BBC11D:
In addition, when you specify key-value, do not use weak keys. These are key values with a pattern of repeated characters or groups of characters. Using a pattern results in an encrypted form that might be easy for unauthorized users to decrypt. For example, the hexadecimal constant 0101010101010101 and the text string 'abcabcabc' are weak keys.
Using weak keys might produce the following consequences:
Encryption with one weak key followed by encryption with another weak key may result in the original plaintext.
HP supplies a table of known weak keys. The software checks keys you define against this table and displays an error message when you supply a weak key.
To verify the successful creation of a key, use the /LOG qualifier. For example, this command reports that the key HAMLET is defined:
The following example verifies an AES key:
The key is flagged as an AES key to distinguish it from a DES key.
When you define a key, it is stored in encrypted form in a key storage table. The key value is stored under the key name. When you encrypt files, the process takes this stored information and does the following:
Key storage tables determine which users can access keys. The following key storage tables control user access:
To enter keys into the key storage tables, use the following ENCRYPT /CREATE_KEY qualifiers:
When you encrypt a file, the key you use is like a password to that file. It is important to keep it secret. In addition, ensure that you remember the key value. You need both the key and the value to decrypt the file.
A key stored in the process key storage table lasts for the life span of the process that defined the keys in the table. Like other process-specific structures, the process key storage table disappears when you log out.
Key values that are meaningful to you are the most memorable, but avoid easily guessed choices such as your nickname or the make of your car. Never post a key name or value in your office or store it online. Like operating system passwords, increasing the length of a key value lessens the possibility of discovery.
The DES algorithm requires that a key value has a minimum length of eight non-null characters. To improve the security of the key value, specify more than eight characters.
For the AES algorithm, the minimum required key sizes are as follows: