[SAP HANA Academy] SPS08 What’s New: Data Volume Encryption
In this video tutorial SAP HANA Academy’s Denys van Kempen discusses SAP HANA’s Data Volume Encryption as part the “What’s New” video series for SPS 08. Denys shows how to enable data volume encryption when installing or upgrading SAP HANA and how to create a new page encryption key.
Introduction to Data Volume Encryption (0:00 – 1:35)
To protect persisted data form unauthorized access at the operating system level SAP HANA supports data encryption in the persistence layer. The persistence layer controls the save, backup, and restore operations. This vital layer of the in-memory database guarantees that data will never be lost.
Ideally a user would enable data volume encryption immediately after installing or upgrading SAP HANA. This provides complete protection by ensuring that a new root data volume encryption key is generated at the onset.
Generating a New Root Key When Installing or Upgrading SAP HANA (1:35 – 3:30)
Assuming that SAP HANA has just been installed or upgraded, Denys opens a terminal session to the SAP HANA host and connects to the operating system using user sid80m. Denys generates a root encryption key by entering hdbnsutil –generateRootKeyts –type=ALL into the command line. Then after typing yes a new root key is generated.
Word of caution: A user should NOT generate a new root encryption key after persistence encryption has been enabled as it will render the SAP HANA database unusable.
By selecting the check mark for encrypt data volume in SAP HANA Studio and then clicking the refresh button will activate the data encryption after the next save point.
Manually Triggering a Save Point (3:30 – 4:18)
In the HBD System console in SAP HANA Studio Denys enters ALTER SYSTEM SAVEPOINT and executes the command. Now all of the data will begin to be encrypted. The encryption process is dependent on the size of the data’s volume and can be a very time consuming process.
Creating a New Page Encryption Key (4:19 – 6:10)
SAP recommends periodically changing the page encryption key to limit the potential impact of a key becoming compromised. In SAP HANA Studio click on the key button in the top right corner of the Security HDB System console and click yes to create a new page encryption key.
Additional Background Information (6:10 – 9:10)
SAP HANA’s Data volume encryption uses the AES 20056 CBC algorithm. For more information on the Advanced Encryption Standard visit this page.
The persistent encryption root key is stored using the SAP Netweaver secure storage in the file system SSFS functionality. SAP HANA uses SSFS to protect the root encryption keys.
If you want to protect lock flies you can uses the operating system to encrypt at the file system level. If you want to encrypt the entire back up you can use third party systems to integrate with the backend.
For more information on persistent encryption see the SAP HANA Administration Guide and the SAP HANA Security Guide. For more information on SAP HANA security please check out this presentation.
Check out Denys’ video on the Data Volume Encryption feature of SAP HANA SPS08.
View more tutorial videos about SAP HANA SPS08 at the SAP HANA Academy.
SAP HANA Academy – over 500 free tutorial technical videos on using SAP HANA.
-Tom Flanagan
SAP HANA Academy
Hi - Great video, thanks. Is there any best practice or SAP notes that cover how to refresh, copy, or create sandboxes once volume encryption is enabled?
I know that data is decrypted upon load into memory, what does that mean when using a HANA native backup to refresh test w/ prod or restoring one systems backup into another HANA, for instance to create a sandbox?