PGP

Synopsis

HELP:   OpenPGP encryption
TYPE:   OBJECT
SYNTAX: PGP(METHOD=CRYPT/SIGN/ENCSIG,FORMAT=SENC/SEIP/PLAIN,ALGORITHM=AES128/AES192/AES256/TDES/CAST5/IDEA/BLOWFISH/CAMELLIA128/CAMELLIA192/CAMELLIA256/PLAIN,PASSWORD['bin'...],USERID/RECEIVER['str'...],SIGNID/SIGNER='str',SIGHASH=MD5/SHA1/RIPEMD/SHA224/SHA256/SHA384/SHA512,COMPRESS=COPY/GZIP/ZLIB/BZIP/AUTO,ARMOR(),FKM5(),MEMBER='str')

Description

Activates OpenPGP encryption based on passwords or the FLAM5 key management extension (FKM5). To protect the PGP session (data) key with a FKM5 module the library name, function name and corresponding parameter list must be provided.

On mainframe systems, the library name can be empty to choose a load module through the function name from the STEPLIB concatenation. The default library name is "LIBFKM5" on mainframes and "libfkm5" on other platforms. The default function name is "PGPCCA" on IBM and "PGPRING" on all other systems. You can also use the "PGPP11" function if a PKCS#11 HSM is available. For more information see the FKM5BOOK manual.

Besides the connection parameters to your cryptographic infrastructure, you must provide at least one user ID to address the receiver and/or at least one password. With a user ID, the session (data) key is encrypted with the public key of this user (if it is found). With a password, the session (data) key is encrypted symmetrically with a key derived from the password. The recipient must know the password.

You can change the key label templates for encryption and signature generation. If signature generation is activated, the owner for signing (and optionally the corresponding template) must be defined.

If you provide more than one passphrase or user ID then additional encrypted session key packets are added to the PGP file to encrypt for different recipients.

The session (data) key is encrypted with each password and can be decrypted with any one of them:

   ENCRYPT.PGP(PASSWORD=a'abcde' PASSWORD=a'123456' PASSWORD=a'FLAM')

The session (data) key is encrypted for each user (public key) and can be decrypted by any one of them:

   ENCRYPT.PGP(USER='limes' USER='schmidt' USER='john')

A mix of user IDs and passwords is also possible:

   ENCRYPT.PGP(USER='limes' USER='schmidt' USER='john' PASSWORD=a'123456')
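Each PASSWORD adds a Symmetric-Key Encrypted Session Key packet (tag 3) and each USERID adds a Public-Key Encrypted Session Key packet (tag 1) to the output, so the number of parties who can open a file can be checked by walking its packet headers. The following is an added example, not FLAM code: a small RFC 4880 packet-header walker in Python that counts those packets over a constructed byte sequence (two password entries, one public-key entry, then an integrity-protected data packet). The packet bodies are dummy values built only to exercise the parser.

```python
"""Count how many recipients an OpenPGP file is encrypted for (added example)."""
import struct

# Packet tags from RFC 4880 section 4.3 that matter here
PKESK = 1    # Public-Key Encrypted Session Key (one per USERID)
SKESK = 3    # Symmetric-Key Encrypted Session Key (one per PASSWORD)
SENC = 9     # Symmetrically Encrypted Data (FORMAT=SENC)
SEIP = 18    # Sym. Encrypted and Integrity Protected Data (FORMAT=SEIP)


def _read_new_length(data, pos):
    """Decode a new-format length field at pos; return (length, next_pos, is_partial)."""
    if pos >= len(data):
        raise ValueError("truncated length field")
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True       # partial body length


def parse_packets(data):
    """Walk the packet sequence and return a list of (tag, body_length)."""
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {pos}")
        pos += 1
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            body_len = 0
            partial = True
            while partial:                           # partial lengths chain until a final one
                length, pos, partial = _read_new_length(data, pos)
                body_len += length
                pos += length
        else:                                        # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                           # indeterminate: body runs to end of input
                body_len = len(data) - pos
                pos = len(data)
            else:
                width = {0: 1, 1: 2, 2: 4}[ltype]
                body_len = int.from_bytes(data[pos:pos + width], "big")
                pos += width + body_len
        if pos > len(data):
            raise ValueError("packet body runs past end of data")
        packets.append((tag, body_len))
    return packets


def summarize(data):
    """Report how many password and public-key recipients the file carries."""
    tags = [tag for tag, _ in parse_packets(data)]
    return {
        "public_key_recipients": tags.count(PKESK),
        "password_recipients": tags.count(SKESK),
        "integrity_protected": SEIP in tags,
    }


# --- constructed sample data (not a real FLAM output) ---
def _skesk(salt):
    # body: version 4, AES-256 (9), S2K type 3 (iterated+salted), SHA-256 (8), salt, count
    body = bytes([4, 9, 3, 8]) + salt + bytes([0x60])
    return bytes([0xC3, len(body)]) + body           # new-format header, tag 3


def _pkesk():
    # old-format header 0x84 = tag 1 with one-byte length; version 3, key ID, RSA (1), dummy MPI
    body = bytes([3]) + b"\x01\x02\x03\x04\x05\x06\x07\x08" + bytes([1]) + b"\x00\x10\xAB\xCD"
    return bytes([0x84, len(body)]) + body


SAMPLE = (
    _skesk(b"saltsalt") + _skesk(b"SALTSALT")        # two PASSWORD= entries
    + _pkesk()                                        # one USERID= entry
    # SEIP packet (tag 18) with a 1-byte partial chunk (0xE0) then a final 3-byte chunk;
    # real writers use partial chunks of at least 512 bytes, this just exercises the path
    + bytes([0xD2, 0xE0, 0x01, 0x03, 0xAA, 0xBB, 0xCC])
)

if __name__ == "__main__":
    print(parse_packets(SAMPLE))
    print(summarize(SAMPLE))
```

If the summary shows more recipients than the job intended, the PASSWORD/USERID list on the ENCRYPT.PGP call should be reviewed before the file leaves the system.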

Passwords can be provided in four different ways:

Don't use the local charset variant if you wish to open the file on different platforms.

To prevent passwords from being logged and for better protection, we recommend storing passwords in files and using that password file instead of passing the password directly.

   ENCRYPT.PGP(PASSWORD=f'pwd.txt')

In a password file, you can define the password in one of the variants described above.

You can choose the compression mode. The default and recommended method is AUTO, which uses GZIP raw (RFC 1951, called ZIP in RFC 4880) compression at level 6 if the data contains redundancy, and no compression otherwise. If the data is already compressed, additional compression can expand it; the default behavior prevents such an expansion.

Additionally, you can activate ASCII armor encoding for the encrypted data stream.

If PGP encryption is used with write.record(), the file attributes cannot be stored in the PGP file. To solve this, a GZIP file can be produced beforehand or an ARMOR encoding applied afterwards to store the file attributes, unless the ZIP archive option is selected. The record attributes can be added in front of each record (PRNCTR=RETAIN). By default, a 4-byte length field in little-endian byte order is written in front of the data. Such a PGP file can be used on record-oriented platforms to later recreate the original dataset. Be aware that reading such a file with other tools can yield a GZIP file, and that the decoded data can contain length fields and control characters.
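Anyone decrypting such a file with another tool sees the framed form, so it helps to know what the default framing looks like. The following is an added Python example, not FLAM code, that writes records behind the 4-byte little-endian length field described above and reads them back, rejecting truncated input; the records are constructed here and the framing matches only the default case (no retained record attributes).

```python
"""Frame and unframe records with a 4-byte little-endian length prefix (added example)."""
import struct

LEN = struct.Struct("<I")    # 4-byte little-endian length field


def frame_records(records):
    """Prefix every record with its length; the result is what ends up in the PGP literal data."""
    return b"".join(LEN.pack(len(r)) + r for r in records)


def unframe_records(data):
    """Recover the record list; raise on a length field or body that runs past the data."""
    records = []
    pos = 0
    while pos < len(data):
        if pos + LEN.size > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        (n,) = LEN.unpack_from(data, pos)
        pos += LEN.size
        if pos + n > len(data):
            raise ValueError(f"record at offset {pos} claims {n} bytes, only {len(data) - pos} left")
        records.append(data[pos:pos + n])
        pos += n
    return records


# constructed sample records, including an empty one and one with control characters
RECORDS = [b"HDR  2024", b"", b"DATA\x01\x02\x03", b"END"]

if __name__ == "__main__":
    framed = frame_records(RECORDS)
    print(framed.hex())
    print(unframe_records(framed))
```

The hex dump shows why text tools choke on the decoded stream: the length fields and any control bytes inside records sit in the data itself, not in metadata.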

Arguments