PGP

Synopsis

HELP:   OpenPGP decryption
TYPE:   OBJECT
SYNTAX: PGP(PASSWORD='bin',NOSIGVERIFY,ENCRYPED,INTEGRITY,SIGNING,INTERIM,USERID='str',TIMESTAMP=num,FKM5(),REENCYPT())

Description

Activates OpenPGP decryption based on passphrases or the FLAM key management extension version 5 (FKM5). If the PGP data key is protected by an FKM5 module, then the library name, the function name and the corresponding parameter list must be provided.

On mainframe systems, the library name can be empty to choose a load module by function name from the STEPLIB concatenation. The default library name is "LIBFKME" on mainframes and "libfkme" on other platforms. The default function name is "PGPCCA" on IBM and "PGPP11" on all other platforms.

Beside the FKM5 parameters needed to use your cryptographic infrastructure, you can change the key label templates for decryption and signature verification. You may also deactivate the PGP signature verification, in which case the signature template is ignored.

Uses a password for OpenPGP password-based decryption. Passwords can be provided in four different ways:

Don't use the local charset variant if you wish to open the file on different platforms.

To prevent passwords from being logged and for better protection, we recommend storing passwords in files and passing that password file instead of the password itself.

   DECRYPT.PGP(PASSWORD=f'pwd.txt')

In a password file, you can define the password in one of the variants described above.

Normally the key is chosen based on the key ID provided in the PGP message. Some tools like GnuPG support hidden recipients, where no key ID is stored. In such a case, the user ID must be provided to read the encrypted PGP file. If there are multiple keys for the same user ID and the required key is not the currently active key (i.e. the youngest of the keys valid at the current point in time), a timestamp must also be provided, which is used instead of the current time. It must be within the validity period of the key. Setting a timestamp has the same effect as setting the system time to the timestamp. So, if you specify a timestamp one year in the future, the key is selected that matches the user ID and is the youngest of the keys valid at the date one year from now. If there is more than one matching key (multiple keys with the same user ID and creation date), the key with the shortest validity period is chosen.
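To make the selection rule above concrete, the following is an added illustration of it in Python; it is not FLAM's own code. It assumes a simplified key model (key ID, user ID, creation date, optional expiry), treats "youngest" as the most recent creation date, "valid at" as created-before-and-not-yet-expired, and the validity period as expiry minus creation, with a non-expiring key counting as the longest possible period. The sample keys are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class PgpKey:
    """Constructed key model: only the attributes the selection rule needs."""
    key_id: str
    user_id: str
    created: datetime
    expires: Optional[datetime]  # None means the key never expires

    def valid_at(self, when: datetime) -> bool:
        # A key is usable at 'when' if it already existed and has not yet expired.
        return self.created <= when and (self.expires is None or when < self.expires)

    def validity_period(self) -> timedelta:
        # Non-expiring keys sort last when the tie-break prefers the shortest period.
        return (self.expires - self.created) if self.expires else timedelta.max


def ts(iso_date: str) -> datetime:
    """Helper: parse 'YYYY-MM-DD' as a UTC timestamp (assumption for the example)."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def select_key(keys: Iterable[PgpKey], user_id: str,
               timestamp: Optional[datetime] = None) -> Optional[PgpKey]:
    """Pick the key for a hidden recipient, mirroring the documented rule:
    match on user ID, keep only keys valid at the timestamp (default: now),
    prefer the youngest key, and break ties on the shortest validity period."""
    when = timestamp or datetime.now(timezone.utc)
    candidates = [k for k in keys if k.user_id == user_id and k.valid_at(when)]
    if not candidates:
        return None
    # Most recent creation first; equal creation dates ordered by shorter validity first.
    candidates.sort(key=lambda k: (-k.created.timestamp(), k.validity_period()))
    return candidates[0]


# Constructed sample keyring: three keys for the same user ID.
SAMPLE_KEYS = [
    PgpKey("K1", "alice@example.org", ts("2020-01-01"), ts("2026-01-01")),
    PgpKey("K2", "alice@example.org", ts("2023-01-01"), ts("2025-01-01")),
    PgpKey("K3", "alice@example.org", ts("2023-01-01"), ts("2024-01-01")),
]

if __name__ == "__main__":
    for date in ("2023-06-01", "2024-06-01", "2025-06-01", "2019-01-01"):
        chosen = select_key(SAMPLE_KEYS, "alice@example.org", ts(date))
        print(date, "->", chosen.key_id if chosen else "no valid key")
```

Walking the sample keyring through the rule: at 2024-06-01 the youngest valid key is K2 (K3 shares its creation date but has already expired); at 2023-06-01 K2 and K3 tie on creation date and K3 wins on the shorter validity period; one year later, at 2025-06-01, K2 has expired and only K1 remains. A timestamp before any key existed yields no key at all, which is the case where decryption cannot proceed.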

Arguments