Data Volume Encryption Comes to Dynamic Tiering
Have you enabled data volume encryption on SAP HANA, and couldn’t create an extended store because that extended store couldn’t be encrypted? Or maybe you had to hold off on data volume encryption altogether because you have an extended store with your SAP HANA system.
Beginning with version 2.0, dynamic tiering now supports data volume encryption.
Dynamic tiering uses the same encryption root key as SAP HANA, though the HANA and extended stores each have their own database page encryption keys. This allows the encryption of your entire HANA database for improved security.
If your HANA database is already encrypted, any new extended store you then create is automatically encrypted, without needing to perform any additional steps or configurations.
The level of encryption in your new extended store is the same as that of SAP HANA database (AES-256 bit encryption), and everything over in the extended store database is encrypted, including all database files and the transaction log.You can enable data volume encryption on an extended store that already exists, but the process isn’t automatic, and involves performing a backup and recovery (see the steps below).
A few things to note:
- You can’t change the HANA persistence encryption state if you’ve already created extended storage:
- If your HANA database was not encrypted when you created extended storage, you can’t then encrypt everything together in one shot. Instead, you perform a backup and recovery into an encrypted database.
- If your HANA database with extended storage is all encrypted, you can’t just then turn off encryption. If for some reason you want to disable encryption, you’ll need to perform a backup and recovery into an unencrypted database.
- The Security editor lets you change the encryption key for SAP HANA, but you can’t use it for encrypted extended storage. If you need to change the page encryption key for your extended store, that’s done as part of a full data recovery to a target system that is enabled for encryption.
- You can’t restore backups of an SAP HANA database or an extended store that are earlier than SAP HANA 2.0 to a target system with encryption enabled.
- Point-in-time recovery isn’t supported if:
- The target system has encryption enabled, and the backup is of a source system without encryption enabled.
- The target system has encryption disabled, and the backup is of a source system with encryption enabled.
Encrypting your existing SAP HANA system that includes extended storage
If you already have an unencrypted SAP HANA system that uses extended storage (using dynamic tiering), you essentially perform a full backup and recovery, adding encryption in as part of the process.
As you do when you enable encryption for SAP HANA, perform a full data backup and recovery for extended storage, as follows:
- Perform a data backup for SAP HANA and the extended store.
- Uninstall your system (preferably overwriting the former data with random values)
- Reinstall your system.
- Drop the extended store and its associated objects by executing DROP EXTENDED STORAGE CASCADE
- Enable data volume encryption for the HANA database by executing:
ALTER SYSTEM PERSISTENCE ENCRYPTION ON; ALTER SYSTEM SAVEPOINT;
- You perform a full recovery of your system to re-create your extended store.
At this point, all data persisted to data volumes is encrypted in both the default store (SAP HANA) and the extended store (dynamic tiering). Use the M_PERSISTENCE_ENCRYPTION_STATUS monitoring view to see check the status of data volume encryption; it should show as “Encrypted.”
If for some reason you need to unencrypt your system, the process is similar to the above steps, by performing a backup and recovery.
Where to go for more information
The “Security Administration” chapter of the SAP HANA Dynamic Tiering Administration Guide contains more details on using data volume encryption with your extended store.
The SAP HANA Security Guide provides information on data storage security in general, as well as data volume encryption specifically.
The SAP HANA Administration Guide also covers how to enable data volume encryption in an existing SAP HANA system.