Session and Command-level On-demand Encryption in SAP Adaptive Server Enterprise
SAP ASE comes with several encryption options allowing you to comply with your security requirements. This blog will cover session and command level on-demand encryption for SAP ASE server.
On-demand encryption allows you to issue encrypted commands and system procedures as needed, for a full
isql session, and on an ad hoc basis for individual commands containing sensitive data.
Encrypt all of your commands in a session using the
--conceal command-line options.
In this example, the guest login encrypts the entire
isql -Uguest -P<password> -Smyase --command_encryption
Additionally, specifying the
--conceal command-line option hides and encrypts your input during the
isql -Uguest -P<password> -Smyase --conceal
--command_encryption when the
isql session contains sensitive data. Use
--conceal when you enter visually sensitive data (for example, passwords).
You can encrypt individual commands by adding
encrypt to the
go command terminator for
isql. Note that only the particular command will be encrypted; no subsequent commands are encrypted unless you have added
For example, this encrypted command modifies the password for a login from “master” to “password123”:
alter login test with password 'master' modify password 'password123' go encrypt
Using the @@prev_batch_encrypted variable to get the status of command encryption
You can use the
<@@prev_batch_encrypted> global variable to find out whether your previously executed commands were sent encrypted.
This global variable checks the encryption status of the most recently executed batch of commands in the current user session. A return of
0 indicates that the server received the command as plain text; a return of
1 indicates that the commands were received encrypted.
For more information, see documentation for SAP Adaptive Enterprise version 16.0 SP03 PL03 on the SAP Help Portal.