HP OpenVMS DCL Dictionary




ENCRYPT

Encrypts files. By default, the Data Encryption Standard (DES) algorithm in Cipher Block Chaining (CBC) mode is used unless you specify otherwise with the /KEY_ALGORITHM and /DATA_ALGORITHM qualifiers. Before you enter this command, create a key with the ENCRYPT /CREATE_KEY command. The key specified must match the algorithm (DES or AES).

Format

ENCRYPT input-file key-name [qualifiers]


Parameters

input-file

File names of the files to encrypt. If you use wildcard characters, do not include directory files or files with bad blocks.

key-name

Key name previously stored in the key storage table with the ENCRYPT /CREATE_KEY command.

Qualifiers

/BACKUP[=time]

Selects files according to the dates of their most recent backup.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED or /MODIFIED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/BEFORE[=time]

Selects files that have a creation time before the time you specify.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/BY_OWNER[=uic]

/NOBY_OWNER

Selects files with the owner UIC you specify.

If you omit uic, the UIC of the current process is used. For more information on specifying UIC format, see the OpenVMS User's Manual.

/COMPRESS

/NOCOMPRESS

Optional. Default: /NOCOMPRESS.

Controls whether or not data compression occurs before a file is encrypted.

/CONFIRM

/NOCONFIRM

Controls whether or not a confirmation request is displayed before each encryption, as follows:

Response            Meaning
YES                 Encrypts the file
NO or [Return]      Does not encrypt the file (default)
QUIT or [Ctrl/Z]    Does not encrypt the file or any subsequent files
ALL                 Encrypts the file plus all subsequent files

/DATA_ALGORITHM= {DESCBC (default) | AESmmmkkk}

Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128, 192, or 256 bits. Cipher Block Chaining (CBC) and Electronic Code Book (ECB) are 16-byte block modes, meaning blocks are padded to 16 bytes if necessary during encryption. The padding is removed during decryption. Cipher Feedback (CFB) and Output Feedback (OFB) are 8-bit character stream mode emulation, useful in data communications and where no padding is required.

Note that /DATA_ALGORITHM=AES is a shortcut for specifying AESCBC128.

The data algorithm is used with the randomly generated key to perform encryption of the file's data. When specifying an AES algorithm, specify both /KEY and /DATA=AESmmmkkk qualifiers and use an AES created key.

/DELETE

/NODELETE

Controls whether or not the input files are deleted after the encryption operation is complete and the output file is written and closed. By default, the input file is not deleted.

/ERASE

/NOERASE

Controls whether or not the input files are erased with the data security pattern before being deleted. By default, the location in which the data was stored is not overwritten with the data security pattern. The /ERASE qualifier must be used with /DELETE.

/EXCLUDE=file-spec

/NOEXCLUDE

Excludes the specified files from the encryption operation. You can use wildcard characters. You do not need to enter an entire file specification. Any field that you omit defaults to the input file specification.

Because directory files are never encrypted, you need not specify them.

/EXPIRED[=time]

Selects files according to the dates on which they expire.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP or /MODIFIED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/KEY_ALGORITHM= {DESCBC (default) | AESmmmkkk}

Where mmm is the mode CBC, ECB, CFB, or OFB; and kkk is 128, 192, or 256 bits. Note that /KEY_ALGORITHM=AES is a shortcut for specifying AESCBC128.

The command uses this key algorithm with the key you supply to encrypt the randomly generated data encryption key and the initialization vector stored within the file.

When specifying an AES algorithm, specify both /KEY and /DATA qualifiers and use an AES created key.

/MODIFIED[=time]

Selects files according to the dates on which they were last modified.

This qualifier is relevant only when used with the /BEFORE or the /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP or /EXPIRED.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/OUTPUT=file-spec

Alternate output file name for the encryption operation. By default, each input file encrypted is written to a separate output file that is one version higher than the highest version of the input file. When using the /OUTPUT qualifier, specify the parts of the file specification different from the defaults. You do not need to provide an entire file specification. Any field that you omit defaults to the input file specification.

/SHOW=keyword-list

Controls whether or not the following information about the encryption operation is displayed on SYS$COMMAND:

Keyword       Meaning
FILES         Displays input and output file names on SYS$COMMAND
STATISTICS    Displays the encryption stream statistics:
                • Bytes processed
                • Internal records processed
                • CPU time consumed within the encryption algorithm

/SINCE[=time]

Selects files that have a creation date before the time you specify.

If you omit time, TODAY is used. For more information on time specifications, see the OpenVMS User's Manual.

/STATISTICS

Similar to /SHOW, except that /STATISTICS lists both files and statistics, whereas /SHOW can be customized to list only one or the other.

/VERSION

Displays the version number of the Encryption for OpenVMS software running on your system.

Examples

#1

$ ENCRYPT TROY MYKEY
      

Encrypts the file TROY using the key MYKEY.

#2

$ ENCRYPT NEWFILE.TXT MONET/KEY_ALGORITHM=AESCBC128/DATA_ALGORITHM=AESCBC128
      

Encrypts the file NEWFILE.TXT with the AES key, MONET, using the algorithm AESCBC128. A new version, NEWFILE.TXT;n+1, of the original file (now encrypted) is created. Use the /OUTPUT=filename qualifier to preserve the original file name, renaming the encrypted output file.
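
The qualifiers described above combined in one command procedure, as an added example that is not part of the original manual. The key name SAMPLE_AES_KEY, its value, and the file names are constructed, and the /AES qualifier on ENCRYPT /CREATE_KEY is assumed from the Encryption for OpenVMS software rather than taken from this page.

```dcl
$! Added example; not from the original manual.
$! SAMPLE_AES_KEY, its value and all file names are constructed.
$! A real key value should be entered interactively, not stored in a
$! command procedure.
$ SET NOON                           ! check status ourselves
$!
$! Create an AES key (the /AES qualifier is an assumption, see lead-in).
$ ENCRYPT /CREATE_KEY /AES SAMPLE_AES_KEY -
      "constructed key value used only for this example"
$ enc_status = $STATUS
$ IF .NOT. enc_status THEN EXIT 'enc_status'
$!
$! Encrypt every REPORT_*.TXT file except the excluded one.
$!  - Both /KEY_ALGORITHM and /DATA_ALGORITHM name an AES algorithm,
$!    matching the AES key created above.
$!  - /OUTPUT=.ENC changes only the file type; the other fields default
$!    to the input file specification.
$!  - /ERASE is given together with /DELETE, as the qualifier requires.
$!  - /SHOW lists each file pair and the stream statistics.
$ ENCRYPT REPORT_*.TXT SAMPLE_AES_KEY -
      /KEY_ALGORITHM=AESCBC256 /DATA_ALGORITHM=AESCBC256 -
      /EXCLUDE=REPORT_PUBLIC.TXT -
      /OUTPUT=.ENC -
      /DELETE /ERASE -
      /SHOW=(FILES,STATISTICS)
$ enc_status = $STATUS
$ IF .NOT. enc_status THEN WRITE SYS$OUTPUT "ENCRYPT reported an error"
$ EXIT 'enc_status'
```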

