HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 9 Using Encryption
The OpenVMS BACKUP utility provides protection against file or volume corruption by creating functionally equivalent backup copies. Files created by BACKUP are called save sets and are written in BACKUP format so that only BACKUP can interpret the data in a save set.When you create save sets, you can also encrypt them by using the BACKUP /ENCRYPT command.
BACKUP /ENCRYPT requires a key. All the files in the save set are encrypted under the same key. When you use the /ENCRYPT qualifier to specify a write operation for an encrypted save set, the BACKUP utility creates a key by generating a 16-byte random number from the time of day and other transient data. To make this random number even more random, BACKUP encrypts this 16-byte value once using itself as a key with the DESCBC algorithm. The first eight bytes of the result are used as the encrypting key for the save set, and the second eight bytes are used as the initialization vector for the context area.
One benefit of this procedure is that two save sets created with the same command from the same set of files are not identical in their encrypted form.
You can override the system-generated encrypting key and initialization vector by issuing either of the following commands:
For greater security, specify the /ENCRYPT qualifier with no parameters. The software prompts you for a key value. When you enter it, the software does not echo what you type and, for verification, prompts you to retype the value.
If you define a key with the ENCRYPT /CREATE_KEY command, specify that key name on the BACKUP command line with the /ENCRYPT=(NAME=(key-name)) qualifier.
By default, BACKUP encrypts save set data using the DESCBC algorithm. The key and algorithm you specify to override the defaults are used to encrypt only the data key and the initialization vector.
BACKUP places the result of the encryption operation in the save set as a BACKUP attribute subrecord of the BACKUP summary record. At the time of a save set restore or listing operation, BACKUP uses the system-generated key or the key you supplied to decrypt the data key and the initialization vector value.
The BACKUP command qualifier /SAVE_SET is both an input save set qualifier and an output save set qualifier, as follows:
The following example creates an encrypted BACKUP file of the default directory, as follows:
The following example creates a save set of the latest version of all the files on a disk. The save set is encrypted using the DESCFB algorithm and the key value Make peace.
When you encrypt a save set, BACKUP does not store the information within the save set. Consequently, to decrypt an encrypted save set, specify /ENCRYPT with the RESTORE command so that BACKUP searches for the data encryption control record.
If you restore an unencrypted save set and mistakenly specify /ENCRYPT, BACKUP ignores the incorrect qualifier. If you try to restore an encrypted saveset without the /ENCYRPT qualifier or with a key name, you get the error message:
The following commands restore file SALARY.DAT from a save set created with a BACKUP /ENCRYPT command:
BACKUP tries to decrypt an encrypted save set by:
BACKUP /ENCRYPT can create a distribution disc that is useful only to a customer who has the key used to encrypt the save sets in the distribution kit.
In the following example, three keys are defined with ENCRYPT /CREATE_KEY commands. With each of these keys, a software distribution disc is created with each product encrypted into its respective save set under a unique key.
The resulting save sets can be restored on a customer's system only if the customer has received the appropriate key by licensing arrangement.
For example, the following commands restore save set WOLKIT:
In the following example, the save set SDXKIT is restored without typing the key name and key value on the command line. Instead, the BACKUP /ENCRYPT command prompts for this information, which is not echoed on your screen.