HELP: OpenPGP encryption TYPE: OBJECT SYNTAX: PGP(METHOD=CRYPT/SIGN/ENCSIG,FORMAT=SENC/SEIP/PLAIN,ALGORITHM=AES128/AES192/AES256/TDES/CAST5/IDEA/BLOWFISH/CAMELLIA128/CAMELLIA192/CAMELLIA256/PLAIN,PASSWORD['bin'...],USERID/RECEIVER['str'...],SIGNID/SIGNER='str',SIGHASH=MD5/SHA1/RIPEMD/SHA224/SHA256/SHA384/SHA512,COMPRESS=COPY/GZIP/ZLIB/BZIP/AUTO,ARMOR(),FKM5(),MEMBER='str')
Activates OpenPGP encryption based on passwords or the FLAM5 key management extension (FKM5). To protect the PGP session (data) key with an FKM5 module, the library name, function name and corresponding parameter list must be provided.
On mainframe systems, the library name can be empty to choose a load module through the function name from the STEPLIB concatenation. The default library name is "LIBFKM5" on mainframes and "libfkm5" on other platforms. The default function name is "PGPCCA" on IBM and "PGPRING" on all other systems. You can also use the PGPP11 function if a PKCS#11 HSM is available. For more information see the FKM5BOOK manual.
Besides the connection parameters for your cryptographic infrastructure, you must provide at least one user ID to address the receiver and/or one password. With a user ID specification, the session (data) key is encrypted with the public key of this user (if it is found). With a password specification, the session (data) key is encrypted symmetrically with a key derived from the password. The recipient must know the password.
You can change the key label templates for encryption and signature generation. If signature generation is activated, the owner for signing (and optionally the corresponding template) must be defined.
If you provide more than one passphrase or user ID, an additional encrypted session key packet is added to the PGP file for each of them, so that the file can be decrypted by different recipients.
The session (data) key is encrypted with each password and can be decrypted with any one of them:
ENCRYPT.PGP(PASSWORD=a'abcde' PASSWORD=a'123456' PASSWORD=a'FLAM')
The session (data) key is encrypted for each user (public key) and can be decrypted by any one of them:
ENCRYPT.PGP(USER='limes' USER='schmidt' USER='john')
A mix of user IDs and passwords is also possible:
ENCRYPT.PGP(USER='limes' USER='schmidt' USER='john' PASSWORD=a'123456')
Passwords can be provided in four different ways:
password=a'ascii'
password=e'ebcdic'
password=x'hex'
password='system'
Don't use the local charset variant if you wish to open the file on different platforms, because the password bytes, and therefore the derived key, then depend on the platform's code page.
To prevent passwords from being logged and for better protection, we recommend storing passwords in files and using the password file instead of passing the password directly.
ENCRYPT.PGP(PASSWORD=f'pwd.txt')
In a password file, you can define the password in one of the variants described above.
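The following is an added example and not part of the FLAM documentation or code. It decodes the four password notations listed above (a'…', e'…', x'…' and the plain local-charset form) plus the f'…' file reference into the raw passphrase bytes, and makes the portability point concrete: the same text spelled in a'…' and e'…' yields different bytes, so a file encrypted with one cannot be opened with the other. The EBCDIC code page used here (cp037) and the single-line layout of the password file are assumptions; the real FLAM implementation may differ.

```python
import os
import tempfile

# EBCDIC code page for the e'...' notation. ASSUMPTION: cp037; FLAM's
# actual code page on a given mainframe may be different.
EBCDIC_CODEC = "cp037"


def decode_password(spec: str, _depth: int = 0) -> bytes:
    """Turn a FLAM-style password specification into the raw passphrase bytes.

    Accepted forms: a'ascii', e'ebcdic', x'hex', 'system' (local charset)
    and f'path' (first line of the file holds one of the other forms).
    """
    if _depth > 3:
        raise ValueError("too many nested f'...' references")
    spec = spec.strip()
    if len(spec) < 2 or spec[-1] != "'" or "'" not in spec[:-1]:
        raise ValueError(f"malformed password specification: {spec!r}")
    prefix, body = spec.split("'", 1)
    body = body[:-1]            # strip the closing quote
    prefix = prefix.lower()
    if prefix == "":            # 'system': encoded in the local character set
        return body.encode()
    if prefix == "a":           # a'ascii': portable 7-bit text
        return body.encode("ascii")
    if prefix == "e":           # e'ebcdic': mainframe text (assumed cp037)
        return body.encode(EBCDIC_CODEC)
    if prefix == "x":           # x'hex': arbitrary bytes, hex encoded
        if len(body) % 2:
            raise ValueError("hex password needs an even number of digits")
        return bytes.fromhex(body)
    if prefix == "f":           # f'path': read the real specification from a file
        with open(body, "r", encoding="ascii") as fh:
            inner = fh.readline().rstrip("\r\n")
        return decode_password(inner, _depth + 1)
    raise ValueError(f"unknown password prefix {prefix!r}")


def same_key_material(spec_a: str, spec_b: str) -> bool:
    """True if both specifications produce identical passphrase bytes.

    Only then will the symmetrically encrypted session key derived from
    them match across platforms.
    """
    return decode_password(spec_a) == decode_password(spec_b)


def roundtrip_via_file(spec: str) -> bytes:
    """Write spec into a temporary password file and decode it via f'path'.

    Constructed helper so the f'...' path can be exercised offline.
    """
    fd, path = tempfile.mkstemp(prefix="pwd", suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write(spec + "\n")
        return decode_password(f"f'{path}'")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for s in ("a'FLAM'", "e'FLAM'", "x'464C414D'", "'FLAM'"):
        print(f"{s:14s} -> {decode_password(s).hex()}")
    print("a'FLAM' == e'FLAM' ?", same_key_material("a'FLAM'", "e'FLAM'"))
```

Storing the password as f'pwd.txt' keeps the secret out of the command line and job log, which is why the help text recommends it; the decoder above treats the file content exactly like an inline specification.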
You can choose the compression mode. The default and recommended method is AUTO, which uses raw GZIP (RFC1951, called ZIP in RFC4880) compression with level 6 if the data contains redundancy and no compression otherwise. If the data is already compressed, additional compression can expand it; the default behavior prevents such an expansion.
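As an added illustration (not FLAM's own code) of the AUTO decision described above: the function below runs raw DEFLATE (RFC1951) at level 6 over the input and keeps the compressed form only when it is actually smaller, falling back to COPY for data that is already compressed or encrypted. The redundancy test used here (compare output size to input size) is an assumption about how AUTO decides; the help text only states the outcome.

```python
import hashlib
import zlib

DEFLATE_LEVEL = 6         # level named in the help text for AUTO/GZIP
RAW_DEFLATE_WBITS = -15   # negative wbits = raw DEFLATE, no zlib/gzip header


def raw_deflate(data: bytes, level: int = DEFLATE_LEVEL) -> bytes:
    """Raw RFC1951 DEFLATE stream (what RFC4880 calls ZIP compression)."""
    c = zlib.compressobj(level, zlib.DEFLATED, RAW_DEFLATE_WBITS)
    return c.compress(data) + c.flush()


def raw_inflate(data: bytes) -> bytes:
    """Inverse of raw_deflate."""
    d = zlib.decompressobj(RAW_DEFLATE_WBITS)
    return d.decompress(data) + d.flush()


def choose_compression(data: bytes):
    """Mimic AUTO: ('GZIP', deflated) when it saves space, else ('COPY', data).

    ASSUMPTION: 'contains redundancy' is approximated by 'the deflated form
    is shorter than the input'. Incompressible input therefore never expands.
    """
    packed = raw_deflate(data)
    if len(packed) < len(data):
        return "GZIP", packed
    return "COPY", data


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic stand-in for already-compressed or encrypted data (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


if __name__ == "__main__":
    text = b"record 0001 status=OK\n" * 200          # highly redundant (constructed)
    noise = pseudo_random_bytes(4096)                   # no redundancy (constructed)
    for label, blob in (("text", text), ("noise", noise)):
        method, body = choose_compression(blob)
        print(f"{label}: {len(blob)} -> {len(body)} bytes via {method}")
```

The COPY branch matters for the PGP case: ciphertext has no redundancy, so forcing GZIP on already encrypted or compressed input only adds the DEFLATE block overhead.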
Additionally, you can activate ASCII armor encoding for the encrypted data stream.
If PGP encryption is used with write.record(), the file attributes cannot be stored in the PGP file. To work around this, a GZIP file can be produced before, or an ARMOR encoding applied afterwards, to store the file attributes, unless the ZIP archive option is selected. The record attributes can be added in front of each record (PRNCTR=RETAIN). By default, a 4-byte length field in little-endian byte order is written in front of each record's data. Such a PGP file can be used on record-oriented platforms to later recreate the original dataset. Be aware that you may get a GZIP file if you read such a file with other tools, and that the decoded data can contain length fields and control characters.
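Added example, not part of FLAM: it frames a list of records with the default 4-byte little-endian length field described above and parses such a stream back, rejecting a truncated tail instead of silently returning a partial record. Anyone decrypting such a file with a generic OpenPGP tool sees exactly this byte layout, length fields and control characters included. Field widths other than the 4-byte default and the PRNCTR=RETAIN attribute bytes are not modelled here.

```python
import struct

LENGTH_FIELD = struct.Struct("<I")   # 4-byte little-endian record length (default framing)


def frame_records(records) -> bytes:
    """Prefix every record with its 4-byte little-endian length."""
    return b"".join(LENGTH_FIELD.pack(len(rec)) + rec for rec in records)


def unframe_records(data: bytes):
    """Split a length-prefixed stream back into records.

    Raises ValueError if the stream ends inside a length field or inside a
    record, so a truncated or mis-decoded file is detected rather than
    yielding a short last record.
    """
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < LENGTH_FIELD.size:
            raise ValueError(f"truncated length field at offset {pos}")
        (n,) = LENGTH_FIELD.unpack_from(data, pos)
        pos += LENGTH_FIELD.size
        if len(data) - pos < n:
            raise ValueError(
                f"record at offset {pos - LENGTH_FIELD.size} claims {n} bytes, "
                f"only {len(data) - pos} remain")
        records.append(data[pos:pos + n])
        pos += n
    return records


def is_well_framed(data: bytes) -> bool:
    """Convenience check: True if the whole stream parses cleanly."""
    try:
        unframe_records(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a fixed-length style header, an empty record and a
    # record containing an EBCDIC NL (0x15) control character.
    sample = [b"HEADER  ", b"", b"DATA\x15MORE"]
    stream = frame_records(sample)
    print(stream.hex(" "))
    print(unframe_records(stream))
    print("truncated stream well framed?", is_well_framed(stream[:-3]))
```

When rebuilding a dataset on a record-oriented platform, the length field is what makes the record boundaries recoverable; on a byte-stream platform the same bytes simply look like binary noise embedded in the text.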
NUMBER: METHOD=CRYPT/SIGN/ENCSIG - Method for OpenPGP encryption and signing [CRYPT]
CRYPT - Only encryption
SIGN - Only signatures
ENCSIG - Encryption and signing
NUMBER: FORMAT=SENC/SEIP/PLAIN - Format for symmetric data encryption [SEIP]
SENC - Symmetrically encrypted
SEIP - Symmetrically encrypted and integrity protected
PLAIN - No encryption (plain text)
NUMBER: ALGORITHM=AES128/AES192/AES256/TDES/CAST5/IDEA/BLOWFISH/CAMELLIA128/CAMELLIA192/CAMELLIA256/PLAIN - Algorithm for symmetric data encryption [preferred]
AES128 - AES (Rijndael) with 128 bit (16 byte) key length
AES192 - AES (Rijndael) with 192 bit (24 byte) key length
AES256 - AES (Rijndael) with 256 bit (32 byte) key length
TDES - Triple DES with 192 bit (24 byte) key length
CAST5 - CAST5 with 128 bit (16 byte) key length
IDEA - IDEA with 128 bit (16 byte) key length
BLOWFISH - Blowfish with 128 bit (16 byte) key length
CAMELLIA128 - CAMELLIA with 128 bit (16 byte) key length
CAMELLIA192 - CAMELLIA with 192 bit (24 byte) key length
CAMELLIA256 - CAMELLIA with 256 bit (32 byte) key length
PLAIN - No encryption (plain text)
STRING: PASSWORD['bin'...] - Passphrases for symmetric encryption
STRING: USERID/RECEIVER['str'...] - Receiver user IDs for public key encryption
STRING: SIGNID/SIGNER='str' - Owner user ID for signing
NUMBER: SIGHASH=MD5/SHA1/RIPEMD/SHA224/SHA256/SHA384/SHA512 - Hash algorithm for signature generation [preferred]
MD5 - 128 bit (16 byte) MD5 checksum
SHA1 - 160 bit (20 byte) SHA checksum
RIPEMD - 160 bit (20 byte) RipeMD checksum
SHA224 - 224 bit (28 byte) SHA checksum
SHA256 - 256 bit (32 byte) SHA checksum
SHA384 - 384 bit (48 byte) SHA checksum
SHA512 - 512 bit (64 byte) SHA checksum
NUMBER: COMPRESS=COPY/GZIP/ZLIB/BZIP/AUTO - Method used for compression [auto]
COPY - Copy / no compression
GZIP - Raw GZIP compression (RFC1951)
ZLIB - ZLIB compression (RFC1950)
BZIP - BZIP2 compression
AUTO - If redundancies then GZIP else COPY
STRING: MEMBER='str' - File name for header [origin]