Managing Encryption Keys for SAP HANA Express – by the SAP HANA Academy
In this playlist you will find video tutorials about miscellaneous topics; some included in the Getting Started with SAP HANA express edition guide (PDF) that comes with the download, others not (yet). Some examples:
- Using International Keyboards (VM), in which Philip Mugglestone explains how to enter the password on an AZERTY keyboard
- Start and Stop SAP HANA on the VM – **Spoiler Alert!** – it is not the Reset button on the VM player
- Connecting with Terminal, or how to enable Copy and Paste
.. and there is more to come.
In this blog, I will provide some background about an important security topic: managing encryption keys.
SAP HANA uses the same technology as ABAP systems to protect encryption root keys, namely, the secure store in the file system (SSFS).
This technology is used for two different purposes:
- Secure internal communication channels (PKI SSFS)
- Server-side data encryption (instance SSFS)
All internal SAP HANA communication can be secured using TLS/SSL and for this a public-key infrastructure (PKI) is set up during installation. These keys are stored in the PKI SSFS.
The figure below shows some examples where this is used. For SAP HANA, express edition, this applies to localhost, multitenant database container system (MDC), and smart data access communication. Multiple hosts, dynamic tiering and system replication are not in the feature scope but, as stated in the Feature Scope Description document, they ‘are subject to change without prior notice’.
For server-side data encryption, another SSFS is used. This store protects the root keys for data volume encryption and for the internal data encryption service, currently used for:
- Database-internal secure credential store for outbound connections (for example, smart data access)
- SAP HANA XS security store API
- Private key store for secure client-server connections (for example, SAP HANA studio connections using SSL)
The figure below shows where the master and root keys are stored.
SSFS master keys and the different root keys are generated at installation time.
If you have downloaded SAP HANA express edition as a VM this means that your keys are not unique but are exactly the same as on all the other VM’s.
This is a similar situation to those customers who received SAP HANA as an appliance from a hardware vendor or hosting partner.
As mentioned in the SAP HANA Administration Guide, the Security Guide (see below under Help Portal) and also, for example, in the Checklist for Secure Handover, or SAP Note
2183624 – Potential information leakage using default SSFS master key in HANA, you need to change the encryption keys to ensure they are not known outside your organization.
So how can you do this? It is simple.
1. Watch the video
2. Run the script: https://github.com/saphanaacademy/HXE/tree/master/SSFS
WARNING!! On the server-plus-apps VM, a PSE certificate with name SAPXSUAASAML is stored in the database encrypted by the DPAPI root key. Generating a new DPAPI root key will delete the old key. As a result, you will no longer be able to access the XS Advanced applications.
Thank you for watching. Your comments are welcome.
This blog is part of a series:
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.