User interfaces

The following DMS commands and macros are available for file encryption:

| Command | Meaning |
|---|---|
| ADD-CRYPTO-PASSWORD | Stores the crypto password for decrypting encrypted files in the task’s password table |
| DECRYPT-FILE | Converts an encrypted file into an unencrypted file. |
| ENCRYPT-FILE | Converts an unencrypted file into an encrypted file. |
| REMOVE-CRYPTO-PASSWORD | Removes the crypto password from the password table of the ongoing task. |

| Macro | Meaning |
|---|---|
| DECFILE | Converts an encrypted file into an unencrypted file. |
| ENCFILE | Converts an unencrypted file into an encrypted file. |

Encryption

An unencrypted file is converted into an encrypted file using the ENCFILE macro or the ENCRYPT-FILE command. If a reference file that has already been encrypted is specified instead of the crypto password, the file is assigned the same encryption attributes as the reference file, in particular the same crypto password. The file need only be cataloged for encryption.

When an unencrypted file is converted into an encrypted file, the read and/or execute password (READ-/EXEC-PASSWORD) is deleted.

The encryption method (AES or DES) defined in the system parameter is used for conversion to an encrypted file and is then linked to the file.

Encryption is possible for an owner’s files or for co-owned files (as is the authorization to create a file) and can only take place locally, not via RFA.


Caution

If the crypto password is no longer known, the file content cannot be decrypted! The crypto password should therefore be stored in a safe place (see also "Administering encryption" (Application scenarios)).


Access to encrypted files

The ADD-CRYPTO-PASSWORD command stores the crypto password in the task’s crypto password table. Only with the correct crypto password is it possible to open a file to access the unencrypted content.

When an encrypted file is simply moved, no crypto password is required.

The crypto passwords are stored in the crypto password table in permanently encrypted form only, regardless of the system parameter for encrypting file passwords.

If a procedure contains a crypto password (e.g. in an ADD-CRYPTO-PASSWORD command) and should thus be made unreadable for third parties – in particular for the executing party – it is advisable to use SDF-P compilation with automatic permanent encryption (see "Processing encrypted files in procedures" (Application scenarios)). For details on the use of SDF-P see the “SDF-P” manual [17 (Related publications)].

The REMOVE-CRYPTO-PASSWORD command is used to remove a crypto password from the crypto password table of the ongoing task. It is then no longer possible to decrypt files which are encrypted with this crypto password.

The ADD-/REMOVE-CRYPTO-PASSWORD commands are automatically forwarded to all RFA partner processes.

Decryption

The DECFILE macro or DECRYPT-FILE command is used to convert an encrypted file back into an unencrypted file. The crypto password must be specified before the function is called.

Decryption is possible for an owner’s files or for co-owned files (as is the authorization to create a file) and can only take place locally, not via RFA.

Further dependencies

CONCATENATE-DISK-FILES
The crypto password must be specified to concatenate encrypted SAM files (with ADD-CRYPTO-PASSWORD).

COPY-FILE
The encryption attributes are - as far as possible - taken over from the source file to the target file. The content of the file is copied 1:1. It is not necessary to specify the crypto password.
If the encryption attributes cannot be taken over, the crypto password must be specified (ADD-CRYPTO-PASSWORD). This is the case, for example, if the target file cannot be encrypted or if the target is a file generation with the uniform file protection attributes of the file generation group.

DELETE-FILE
Files can be selected according to their encryption, in other words according to the values of the file attribute ENCRYPTION.

MODIFY-FILE-ATTRIBUTES
If an encrypted file has a catalog entry but as yet no storage space, it may not be allocated storage space or a tape type on private disk.
Encryption attributes cannot be modified. Modifications to the read/execute password are ignored in the case of encrypted files.

REPAIR-DISK-FILES
In order to repair encrypted ISAM files you must specify the associated crypto password (ADD-CRYPTO-PASSWORD). The file copy is assigned - as far as possible - the same encryption attributes.

SHOW-FILE
The content of an encrypted file is displayed in encrypted form. You must specify the crypto password here (ADD-CRYPTO-PASSWORD).

SHOW-FILE-ATTRIBUTES
The file attribute ENCRYPTION in the SECURITY section indicates whether and with which method (AES or DES) a file is encrypted. A file selection is offered in accordance with these values.