Encryption on VMS


Does anyone know of a fast encryption tool for use on VMS? I have a
customer who sent some tapes through UPS, and one got lost. This
scared the hell out of them when they realised how much personal data
was on there. They now want those tapes encrypted.

I've tested with PGP for VMS, and it failed to encrypt and decrypt the
save set properly. I tried GPG, and it took 11 hours to encrypt, which
is way too long. I know there's an encryption subsystem in VMS 7.3-1
and upwards, but I'll have to put together a spare machine on that
version to try it (I'm stuck in a 6.2 backwater for various reasons.)

Does anyone have any good suggestions? As the customer put it, we're
not trying to defeat a determined attack from the military, just do
due diligence.

Shane

 #####
#-O-O-#
#  L  #  "The universe runs on the complex interweaving of three elements:
 #===#    energy, matter and enlightened self-interest." - G'Kar, Babylon 5
  ###    "Bad things happen when the 'enlightened' bit is missing." - Shane
Reply res0o7il (6) 3/4/2008 1:15:09 AM

From: res0o7il@yahoo.com

> Does anyone know of a fast encryption tool for use on VMS? I have a
> customer who sent some tapes through UPS, and one got lost. This
> scared the hell out of them when they realised how much personal data
> was on there. They now want those tapes encrypted.
> 
> I've tested with PGP for VMS, and it failed to encrypt and decrypt the
> save set properly.

   Does that mean that merely running the usual attribute restoration
procedure doesn't fix everything?  If proper attribute preservation is
critical for some reason, is there any reason not to use "zip -V" on the
data file before doing the encryption?

>  I tried GPG, and it took 11 hours to encrypt, which
> is way too long.

   Which "PGP for VMS"?  Which "GPG"?  Eleven hours for how much stuff? 
Running on what?  Fast compared to what?  How good do you want the
encryption?  Nowadays, I'd expect most folks to use GnuPG instead of
PGP, but I wouldn't expect much of a speed difference between them.  (Of
course, I don't run more than trivial tests on any of the stuff, so my
opinion may lack value.)

>  I know there's an encryption subsystem in VMS 7.3-1
> and upwards, but I'll have to put together a spare machine on that
> version to try it (I'm stuck in a 6.2 backwater for various reasons.)

   So, are you looking for a solution on VMS V6.2 or on something less
obsolete?

> Does anyone have any good suggestions? As the customer put it, we're
> not trying to defeat a determined attack from the military, just do
> due diligence.

   That rather depends on how much diligence is due.  If rather
low-quality encryption would be adequate, then you might consider using
that built into Zip and UnZip.  Not knowing exactly what you've tried so
far, let alone where the performance bottleneck is on what you've tried
so far, or what your actual requirements are, it'd be tough to make any
firm recommendations, even if I knew something.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547
Reply sms (1039) 3/4/2008 3:29:42 AM


On Mar 3, 7:15 pm, res0o...@yahoo.com wrote:
> Does anyone know of a fast encryption tool for use on VMS? I have a
> customer who sent some tapes through UPS, and one got lost. This
> scared the hell out of them when they realised how much personal data
> was on there. They now want those tapes encrypted.
>
> I've tested with PGP for VMS, and it failed to encrypt and decrypt the
> save set properly. I tried GPG, and it took 11 hours to encrypt, which
> is way too long. I know there's an encryption subsystem in VMS 7.3-1
> and upwards, but I'll have to put together a spare machine on that
> version to try it (I'm stuck in a 6.2 backwater for various reasons.)
>
> Does anyone have any good suggestions? As the customer put it, we're
> not trying to defeat a determined attack from the military, just do
> due diligence.

First of all, all software-based encryption sucks.   The slower the
hardware, the more it sucks.  I don't know if encryption module for
VMS Backup makes it much better, but I suspect that there's not much
you are going to be able to do with software-based encryption.  Given
that you're at 6.2, your options are certainly limited, and your
hardware probably isn't all that fast.

I'd suggest that you look at a hardware-based encryption device if
you're doing this more than once.  Contact your local NetApp dealer
and enquire into a Decru encryption device.  They make SCSI versions
that hang between your system and your tape drive (and also fibre
channel ones but I suspect you don't have that installed or you'd
be more current on the OS).

For our environment, we run the NetBackup client on VMS (and it's
awesome) and pump all the data to fibre-attached LTO-3 drives front-
ended by Decru encryption appliances.  It works like a charm.

   .../Ed
Reply ewilts (114) 3/4/2008 4:15:56 AM

In article <343a8643-1669-4cab-a933-6013743b6bbe@e23g2000prf.googlegroups.com>, res0o7il@yahoo.com writes:

> I've tested with PGP for VMS, and it failed to encrypt and decrypt the
> save set properly. I tried GPG, and it took 11 hours to encrypt, which
> is way too long. I know there's an encryption subsystem in VMS 7.3-1
> and upwards, but I'll have to put together a spare machine on that
> version to try it (I'm stuck in a 6.2 backwater for various reasons.)

The encryption built into VMS 8.3 was previously the layered product
VMS Encryption, previously called VAX Encryption.  Version 1.0 was
released in July of 1985, well before VMS V6.2 was released.

Since VMS Encryption is designed to automatically integrate with
the BACKUP command, I see no reason to start looking elsewhere.
Reply Kilgallen (2737) 3/4/2008 3:43:04 PM

I think I need to clarify some stuff.

I used the only copy of PGP for VMS I could find, one dating back to
1996. It ran for about 40 minutes to encrypt the save set, with no
errors. However, when I decrypted I only got a tenth of the save set
back. There were no errors reported.

I used the GPG provided by the VMS Security team. It took eleven hours
to encrypt the save set, which is an image backup of a large RAID
disk. I can't get to the machine to check the size right now (VPN
problems), but it's several gig.

My machine is on VMS 6.2, but the customer's machine is on 7.3-2. They
have the encryption subsystem, we don't. I do have a couple of
machines I could load the later version of VMS onto, but I'd rather
not unless I know it's going to be a productive operation.

Larry, you mention that there's an encryption product that integrates
with VMS backup. I don't seem to have that on VMS 6.2 Alpha. Would
that be on the VMS distribution CDs somewhere, or does the Alpha
version not turn up until 8.3?

Shane

 #####
#-O-O-#
#  L  #
 #===#
  ###
Reply res0o7il (6) 3/5/2008 4:52:51 PM

Just managed to get into the target machine. The save set I need to
encrypt is 74,525,913 blocks.

Shane

 #####
#-O-O-#
#  L  #
 #===#
  ###
Reply res0o7il (6) 3/5/2008 4:57:32 PM

On Mar 5, 12:57 pm, res0o...@yahoo.com wrote:
> Just managed to get into the target machine. The save set I need to
> encrypt is 74,525,913 blocks.
>
> Shane
>
>  #####
> #-O-O-#
> #  L  #
>  #===#
>   ###

Are you encrypting directly to tape? If you are creating an on-disk
file, have you tried SET FILE/RMS_EXTEND=<huge number>/BLOCK=127?

AEF
Reply spamsink2001 (3065) 3/5/2008 5:17:41 PM

In article <d39c3afd-3757-4190-ada0-b4e45ccc996f@s37g2000prg.googlegroups.com>, res0o7il@yahoo.com writes:

> Larry, you mention that there's an encryption product that integrates
> with VMS backup. I don't seem to have that on VMS 6.2 Alpha. Would
> that be on the VMS distribution CDs somewhere, or does the Alpha
> version not turn up until 8.3?

I believe it may have been distributed separately due to ITAR status
at the time.  Since then things have changed, and they could include
it with other software.  In fact, they do :-)
Reply Kilgallen (2737) 3/6/2008 3:29:37 AM


Larry Kilgallen wrote:
> In article <d39c3afd-3757-4190-ada0-b4e45ccc996f@s37g2000prg.googlegroups.com>, res0o7il@yahoo.com writes:
>
> > Larry, you mention that there's an encryption product that integrates
> > with VMS backup. I don't seem to have that on VMS 6.2 Alpha. Would
> > that be on the VMS distribution CDs somewhere, or does the Alpha
> > version not turn up until 8.3?
>
> I believe it may have been distributed separately due to ITAR status
> at the time.  Since then things have changed, and they could include
> it with other software.  In fact, they do :-)

Any search for encryption on HP's website takes me to the Open Source
Security for VMS, which is an API rather than a complete product. Can
anyone point me to a download location for the ENCRYPT package that'll
work on 7.3-2, or does anyone have said package that would be willing
to send it to me by some means?

Shane
Reply res0o7il (6) 3/6/2008 7:02:49 PM

In article <652e21b5-a50a-4387-b64f-0248bcaad952@h11g2000prf.googlegroups.com>, res0o7il@yahoo.com writes:

> Any search for encryption on HP's website takes me to the Open Source
> Security for VMS, which is an API rather than a complete product. Can
> anyone point me to a download location for the ENCRYPT package that'll
> work on 7.3-2, or does anyone have said package that would be willing
> to send it to me by some means?

HP is not in the habit of making licensed products available
for download.  Buy it from your HP representative.

	http://docs.hp.com/en/12752/SPDEncryptionV16.pdf

The license for the latest version also covers prior versions,
although you might need to buy older media than V1.6.
Reply Kilgallen (2737) 3/6/2008 9:58:55 PM

Some bearded guy named Shane wrote:

> Can
> anyone point me to a download location for the ENCRYPT package that'll
> work on 7.3-2, or does anyone have said package that would be willing
> to send it to me by some means?

> $DISK2:[KITS]CD_CONTENTS.DEC04;1
> 
> "Encryption for OpenVMS - VAX"    081AA  1.6  SSB  NCH  Y  N  N  ENCRYPT016  2
> 
> ******************************
> $DISK2:[KITS]cd_contents.dec06;1
> 
> "Encryption for OpenVMS Alpha"    597AA  1.6  SSB  NCH  Y  N  N  ENCRYPT016  4


I could arrange for a psychic to utter the proper incantations to
cause the contents on reflective slow spinning polycarbonate disks to
magically mirror themselves onto a metal oxide disk spinning at high
speed, at which point,  you might be able to use FTP to take a good
picture of them, assuming they do not have vampire capabilities and
become invisible to FTP :-)

You can contact me privately. remove the spamnot when replying. Please
specify vax or alpha.
Reply jfmezei.spamnot (8830) 3/6/2008 10:26:07 PM

JF Mezei wrote:
> Some bearded guy named Shane wrote:
>
> > Can
> > anyone point me to a download location for the ENCRYPT package that'll
> > work on 7.3-2, or does anyone have said package that would be willing
> > to send it to me by some means?
>
> > $DISK2:[KITS]CD_CONTENTS.DEC04;1
> >
> > "Encryption for OpenVMS - VAX"    081AA  1.6  SSB  NCH  Y  N  N  ENCRYPT016  2
> >
> > ******************************
> > $DISK2:[KITS]cd_contents.dec06;1
> >
> > "Encryption for OpenVMS Alpha"    597AA  1.6  SSB  NCH  Y  N  N  ENCRYPT016  4
>
>
> I could arrange for a psychic to utter the proper incantations to
> cause the contents on reflective slow spinning polycarbonate disks to
> magically mirror themselves onto a metal oxide disk spinning at high
> speed, at which point,  you might be able to use FTP to take a good
> picture of them, assuming they do not have vampire capabilities and
> become invisible to FTP :-)
>
> You can contact me privately. remove the spamnot when replying. Please
> specify vax or alpha.

Thanks JF, I'll do that. BTW, Larry, I have a funky EOM license set
that almost certainly covers this. "OpenVMS Kitchen sink" is the third
license from the bottom of the list...
Reply AttackTribble (4) 3/6/2008 10:32:48 PM

In message <f80e0813-38b5-440b-ac0b-57d53ae7ac96@f47g2000hsd.googlegroups.com>,
   ewilts@ewilts.org writes:
>On Mar 3, 7:15 pm, res0o...@yahoo.com wrote:
>> I've tested with PGP for VMS, and it failed to encrypt and decrypt the
>> save set properly. I tried GPG, and it took 11 hours to encrypt, which
>> is way too long. I know there's an encryption subsystem in VMS 7.3-1
>> and upwards, but I'll have to put together a spare machine on that
>> version to try it (I'm stuck in a 6.2 backwater for various reasons.)
>>
>
>First of all, all software-based encryption sucks.   The slower the
>hardware, the more it sucks.  I don't know if encryption module for
>VMS Backup makes it much better, but I suspect that there's not much
>you are going to be able to do with software-based encryption.  Given
>that you're at 6.2, your options are certainly limited, and your
>hardware probably isn't all that fast.

I wrote a version of the Windows AxCrypt program, which uses AES-128, for VMS.
When I got 8.3, I tested the speed of the open source rijndael module AxCrypt
uses against the native VMS AES encryption. The open source version is about
3 times faster.  The attitude that 'anyone with serious encryption needs will
buy hardware to do it' breaks down when encryption becomes expected for normal
operations.

On a DS15, I test encrypted a 24,000,000 block saveset in 32 minutes.  In
addition to the encryption, the axcrypt file format also needs you to compute a
SHA-1-based checksum of the resulting headers+data.


David L. Jones               |      Phone:    (614) 271-6718
Ohio State University        |      Internet:
140 W. 19th St.              |               jonesd@ecr6.ohio-state.edu
Columbus, OH 43210           |               vman+@osu.edu

Disclaimer: I'm looking for marbles all day long.
Reply JONESD2 (40) 3/9/2008 9:54:41 AM

On 4 Mar, 04:15, ewi...@ewilts.org wrote:

> For our environment, we run the NetBackup client on VMS (and it's
> awesome) and pump all the data to fibre-attached LTO-3 drives front-
> ended by Decru encryption appliances.  It works like a charm.
>
>    .../Ed

If you don't want to use hardware and you are using Netbackup then
Symantec supplies a plug in for the Netbackup Media Server which
encrypts and compresses at the media server itself. You need the
compression option because if you normally backup data that can be
compressed to a drive which supports HW compression then encrypting
the data first will defeat your hardware compression device reducing
the capacity of your backup tapes.

Regards
Andrew
Reply Andrew 3/12/2008 4:02:39 PM
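
The ordering effect described in the post above, as an added example that is not part of the original thread: it measures how many bytes would reach the tape when data is encrypted before compression versus compressed before encryption. Assumptions: zlib stands in for the drive's hardware compressor, a SHA-256 counter-mode keystream stands in for a real cipher such as AES (demonstration only), and the sample records and key are constructed.

```python
import hashlib
import zlib

ORDERS = ("compress_only", "compress_then_encrypt", "encrypt_then_compress")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.

    Stand-in for a real cipher; the only property used here is that its
    output is statistically indistinguishable from random bytes.
    """
    out = bytearray(len(data))
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        chunk = data[i:i + 32]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def make_sample_saveset(records: int = 20000) -> bytes:
    """Constructed sample: repetitive fixed-width records, like a data dump."""
    return b"".join(
        b"CUST%08d|SMITH     |COLUMBUS  |OH|ACTIVE  |\n" % n
        for n in range(records)
    )


def tape_bytes(data: bytes, order: str, key: bytes = b"constructed-demo-key") -> int:
    """Bytes written to tape for one pipeline order (zlib level 1 = 'drive')."""
    if order == "compress_only":
        return len(zlib.compress(data, 1))
    if order == "compress_then_encrypt":
        # Redundancy is removed first; the cipher does not change the length.
        return len(keystream_xor(key, zlib.compress(data, 1)))
    if order == "encrypt_then_compress":
        # The compressor sees ciphertext with no redundancy left to remove.
        return len(zlib.compress(keystream_xor(key, data), 1))
    raise ValueError(f"unknown order: {order}")


def compare() -> dict:
    """Return raw size plus the on-tape size for each pipeline order."""
    data = make_sample_saveset()
    result = {"raw": len(data)}
    result.update({order: tape_bytes(data, order) for order in ORDERS})
    return result


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:24s} {size:>10,d} bytes")
```
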

On Mar 12, 11:02 am, Andrew <andrew_harri...@symantec.com> wrote:
> On 4 Mar, 04:15, ewi...@ewilts.org wrote:
>
> > For our environment, we run the NetBackup client on VMS (and it's
> > awesome) and pump all the data to fibre-attached LTO-3 drives front-
> > ended by Decru encryption appliances.  It works like a charm.
>
> >    .../Ed
>
> If you don't want to use hardware and you are using Netbackup then
> Symantec supplies a plug in for the Netbackup Media Server which
> encrypts and compresses at the media server itself. You need the
> compression option because if you normally backup data that can be
> compressed to a drive which supports HW compression then encrypting
> the data first will defeat your hardware compression device reducing
> the capacity of your backup tapes.

I don't know if this is true in LTO-4 or not, but the Decru appliances
compress and encrypt on the fly.  You do not waste space on tapes by
using these devices.

   .../Ed
Reply ewilts (114) 3/12/2008 6:00:58 PM

On 12 Mar, 18:00, ewi...@ewilts.org wrote:
> On Mar 12, 11:02 am, Andrew <andrew_harri...@symantec.com> wrote:
>
> > On 4 Mar, 04:15, ewi...@ewilts.org wrote:
>
> > > For our environment, we run the NetBackup client on VMS (and it's
> > > awesome) and pump all the data to fibre-attached LTO-3 drives front-
> > > ended by Decru encryption appliances.  It works like a charm.
>
> > >    .../Ed
>
> > If you don't want to use hardware and you are using Netbackup then
> > Symantec supplies a plug in for the Netbackup Media Server which
> > encrypts and compresses at the media server itself. You need the
> > compression option because if you normally backup data that can be
> > compressed to a drive which supports HW compression then encrypting
> > the data first will defeat your hardware compression device reducing
> > the capacity of your backup tapes.
>
> I don't know if this is true in LTO-4 or not, but the Decru appliances
> compress and encrypt on the fly.  You do not waste space on tapes by
> using these devices.
>
>    .../Ed

Decru provide an inline hardware compression and encryption device.
LTO-4 drives also provide drive based encryption and compression as do
the STK 10000 series drives. IBM also have a proprietary encrypting
drive.

The issue with LTO-4, STK etc isn't the ability to encrypt but how you
manage the keys.

Regards
Andrew
Reply Andrew 3/13/2008 12:08:48 PM
