DCL Tips: Using BACKUP Encryption

The following shows how to encrypt data on OpenVMS: creating an AES key, using the DCL ENCRYPT and DECRYPT commands on a file, and encrypting, listing and restoring a BACKUP saveset.

The following DCL is intended as a demonstration; in particular, the key value is written into the procedure itself, which is acceptable only for a throwaway test. How you choose to implement encryption (file-based, magnetic tape (magtape) backup or otherwise) will vary.

$ set noon
$! This is an example of creating and loading an AES encryption key
$! and the use of the DCL command ENCRYPT and DECRYPT for a file, 
$! and then encryption and decryption of a BACKUP saveset.
$!
$! The DUMP command is used to display the original or the encrypted
$! data at various points in this sequence.  DUMP is used here to avoid
$! the problems inherent in displaying a binary (encrypted) data file
$! on a terminal emulator or terminal display device.
$
$! make up a key now, just to show how this works.
$! This stores the AES key named key1, with the value
$! "TheQuickBrownFoxJumpedOverTheLazyDog", in the process logical name
$! table (the default key store for ENCRYPT /CREATE_KEY).
$ write sys$output "creating an AES key now"
$ encrypt /create_key /AES key1 "TheQuickBrownFoxJumpedOverTheLazyDog"
$
$! set up the first test environment
$ if f$search("sys$scratch:encryptiontest%.tmp") .nes. "" then delete sys$scratch:encryptiontest%.tmp;*
$ copy 'f$environment("PROCEDURE")' sys$scratch:encryptiontest1.tmp
$ dump/block=end=1 sys$scratch:encryptiontest1.tmp
$
$! directly encrypt and decrypt a specific file.
$ encrypt/output=sys$scratch:encryptiontest2.tmp -
  /DATA_ALGORITHM=AES /KEY_ALGORITHM=AES -
  sys$scratch:encryptiontest1.tmp key1
$ dump/block=end=1 sys$scratch:encryptiontest2.tmp
$ decrypt/output=sys$scratch:encryptiontest3.tmp -
  /KEY_ALGORITHM=AES -
  sys$scratch:encryptiontest2.tmp key1
$ dump/block=end=1 sys$scratch:encryptiontest3.tmp
$
$! set up the second test environment
$ if f$search("sys$scratch:encryptiontest%.tmp") .nes. "" then delete sys$scratch:encryptiontest%.tmp;*
$ copy 'f$environment("PROCEDURE")' sys$scratch:encryptiontesta.tmp
$
$! perform the backup, list the (encrypted) saveset, then restore the file
$ backup  /ENCRYPT=(NAME=key1,ALGORITHM=AES) -
  sys$scratch:encryptiontesta.tmp;0 sys$scratch:encryptiontestb.tmp/save
$ backup  /ENCRYPT=(NAME=key1,ALGORITHM=AES) -
  sys$scratch:encryptiontestb.tmp/save /list
$ if f$search("sys$scratch:encryptiontesta.tmp") .nes. "" then delete sys$scratch:encryptiontesta.tmp;*
$ backup  /ENCRYPT=(NAME=key1,ALGORITHM=AES) -
  sys$scratch:encryptiontestb.tmp/save /replace sys$scratch:
$ dump/block=end=1 sys$scratch:encryptiontesta.tmp
$
$! remove the encryption key definition, then the test files.
$ encrypt /remove_key key1
$ if f$search("sys$scratch:encryptiontest%.tmp") .nes. "" then delete sys$scratch:encryptiontest%.tmp;*
$ exit
$ 
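The procedure above is fine for a test, but it embeds the key value in the command file and does not check whether any step actually succeeded. The following variant is an added example written for this page, not code from the original author: it prompts for the key value without echoing it, checks $STATUS after each ENCRYPT and BACKUP step, compares the restored file against the original using CHECKSUM, and removes the key on every exit path. It assumes an interactive terminal (the key is read from SYS$COMMAND), that CHECKSUM leaves its result in the symbol CHECKSUM$CHECKSUM, and uses a key name (BACKUP_DEMO_KEY) chosen here for illustration.

```dcl
$! Added example, not from the original page.  Same saveset round trip as
$! the demonstration above, with the key value prompted for rather than
$! written into the procedure, explicit status checks, a CHECKSUM
$! comparison of the restored file, and cleanup on every exit path.
$ verify = f$verify(0)
$ set noon
$ keyname = "BACKUP_DEMO_KEY"
$ src  = "sys$scratch:encryptiontesta.tmp"
$ sset = "sys$scratch:encryptiontestb.tmp"
$ on control_y then goto cleanup
$
$! Read the key value with terminal echo off.  It is never stored in the
$! command file and is not displayed; the symbol is deleted as soon as
$! the key has been loaded.
$ set terminal /noecho
$ read /prompt="AES key value: " /end_of_file=cleanup sys$command keyval
$ set terminal /echo
$ write sys$output ""
$ encrypt /create_key /aes 'keyname' "''keyval'"
$ sts = $status
$ keyval = ""
$ delete /symbol /local keyval
$ if .not. sts then goto cleanup
$
$! Build the test file and record its checksum (assumes CHECKSUM defines
$! the symbol CHECKSUM$CHECKSUM).
$ if f$search(src) .nes. "" then delete 'src';*
$ copy 'f$environment("PROCEDURE")' 'src'
$ checksum 'src'
$ before = checksum$checksum
$
$! Write the encrypted saveset, delete the original, restore from the
$! saveset, and compare the restored file against the recorded checksum.
$ backup /encrypt=(name='keyname',algorithm=aes) 'src';0 'sset'/save_set
$ if .not. $status then goto cleanup
$ delete 'src';*
$ backup /encrypt=(name='keyname',algorithm=aes) 'sset'/save_set /replace sys$scratch:
$ if .not. $status then goto cleanup
$ checksum 'src'
$ if checksum$checksum .eqs. before then write sys$output "restored file matches the original"
$ if checksum$checksum .nes. before then write sys$output "MISMATCH: restored file differs from the original"
$
$cleanup:
$! Reached on success, on any failed step, on end-of-file at the prompt,
$! and on Ctrl/Y: restore echo, drop the key and the key symbol, delete
$! the test files, and restore the caller's verification setting.
$ set terminal /echo
$ if f$type(keyval) .nes. "" then delete /symbol /local keyval
$ encrypt /remove_key 'keyname'
$ if f$search("sys$scratch:encryptiontest%.tmp") .nes. "" then delete sys$scratch:encryptiontest%.tmp;*
$ verify = f$verify(verify)
$ exit
```

Procedure verification is switched off at the top because SET VERIFY shows command lines after symbol substitution, which would otherwise display the key value when the ENCRYPT /CREATE_KEY line runs. The test compares checksums rather than relying on BACKUP's own success status alone, since a success status says the restore completed, not that the restored data is what was saved.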

Encryption Licensing and Software Kits

The license for the OpenVMS Encryption Support is included with OpenVMS V8.2 and later. A separate license is required for earlier OpenVMS releases.

OpenVMS V8.3 and later include the encryption support in the base operating system. OpenVMS V8.2-1 and earlier releases require separate installation of the encryption layered product kit, which installs additional software into OpenVMS.

All known versions of the OpenVMS Encryption software include the DES algorithm. The software included in V8.3 and later adds AES (the Rijndael cipher) in several key lengths and cipher modes.

Alternative Encryption Packages

A port of the GNU Privacy Guard (GnuPG, gpg) software is available from HP and from Steven Schweda's Antinode.info; the latter software port is currently more stable than the HP gpg port.

Caveat

Encryption is not a panacea, and it is not magic pixie dust: it blocks specific types of attacks, and only those.

Errant, incomplete or incorrectly implemented encryption can be little better than no encryption at all, and can amount to more work for less security.

small change

"OpenVMS V8.2 and later include a license for DES encryption, and require the separate installation of the encryption software product kit."
should be
"OpenVMS V8.2 includes a license for DES encryption, and requires the separate installation of the encryption software product kit."

As V8.3 and later do not

Updated Text Posted

I was seeking to plug gaps in the OpenVMS version ranges with that phrasing (and you happened to miss the OpenVMS version I was aiming to cover here, too), and that text ended up being a C “if” statement directly translated into English. Which, yes, reads much like a tax form. The text has been reworked.