SAP HANA Client-Side Data Encryption – by the SAP HANA Academy

Introduction

As we move our data to cloud storage and cloud database services, keeping our data safe and protected from unauthorized access is obviously a high priority. To address this concern, the latest SAP HANA 2.0 SPS 03 release introduced a new security feature: client-side data encryption.

Client-side data encryption enables you to encrypt and decrypt column data using an encryption key accessible only by the SAP HANA client. Without client access, the data on the server cannot be decrypted.

If you would like to learn how to configure the SAP HANA client for client-side data encryption, how to export, import and rotate security keys, and a range of other topics, check out the video tutorials below.

YouTube Playlist

All the video tutorials on the client-side data encryption topic are bundled in a single playlist on our channel:

 

What’s New?

In the first video, the concepts of client-side data encryption are explained.

Tutorial Video

Installation and Configuration

The SAP Common Crypto Library (libsapcrypto.so/sapcrypto.dll) and the sapgenpse(.exe) utility required for client-side encryption are included with the SAP HANA client.

For the latest version of the library, see

For the documentation, see

Tutorial Video

Getting Started with Client-Side Data Encryption

In the next two videos, we are going to set up client-side encryption.

For the code, see

For the documentation, see

Tutorial Video

Using DML with Client-Side Data Encryption

To insert or update data in the employees table, the business user must use prepared statements.

For the code, see

For the documentation, see

Tutorial Video

Using DDL with Client-Side Data Encryption

For the code, see

For the documentation, see

Tutorial Video

Rotate the Column Encryption Key

Part of the client-side encryption procedure is to rotate column encryption keys (CEKs) regularly and re-encrypt your data using the most current CEK. Key copies for the new CEK must be created for users who need access to the data.

For the code, see

For the documentation, see

Tutorial Video

Exporting Client Key Pairs and Column Encryption Keys

You need to export (and back up, that is, store in a safe place) both the client key pairs and the column encryption keys. Although a column encryption key (copy) will be encrypted with a particular key pair, you are not required to back up or store them together. You can always create a copy of the CEK for encryption with a new client key pair.

For the code, see

For the documentation, see

Tutorial Video

Importing Client Key Pairs and Column Encryption Keys

Not surprisingly, importing client key pairs and column encryption keys is very similar to exporting.

For the code, see

For the documentation, see

Tutorial Video

HDB Key Store

For the code, see

For the documentation, see

Tutorial Video

Thank you for watching

The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.

Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.

For the full list of blogs, see Blog Posts – by the SAP HANA Academy.

7 Comments
  • Dear Denys,

    Thank you for excellent tutorials.

    We have an S/4 HANA customer who requires us to provide a solution to encrypt some columns of the standard S/4 HANA BP tables. Do you think using client-side encryption is feasible in the S/4 HANA context?

    How to configure the technical DB user from ABAP to access HANA?

    And the one thing that concerns me the most is that, when accessing those columns, prepared statements shall be used. As far as I know, the ABAP server uses Open SQL, which is translated to DB SQL statements to execute on HANA. Will those translated statements be prepared statements?

    Looking forward to your reply.

    Regards, Charlie

    • Dear Charlie,

      Excellent question.

      As you might have noticed when watching the videos, the “server-side”, the application logic, needs to be involved to implement client-side encryption (CSE) properly.

      Unfortunately, column encryption is currently not supported in S4 scenarios.

      Best, 
      Denys

  • Hi Denys,

    We have HANA 2.0 SP3 on Linux on AWS, and I have been reading this forum for a couple of days. The nature of our business is payroll and HR, and I am trying to perform a POC on client-side data encryption.

    We have existing HR tables PA0000, PA0001, etc. Can I do this exercise on a sandbox which is on a HANA 2.0 SP3 DB server?

    My questions are the following: I understand that data encryption and decryption take place on the client, so I have to install an SAP HANA client on a Windows machine. If I install an SAP HANA client on my Windows machine, how can the encryption and decryption take place for a column of the HR table which resides on the SAP application?

    Regards,

     

    • Hi Sebastian,

      As mentioned above, the business logic at the application layer typically needs to be coded for client-side encryption (CSE). Existing (SAP) applications are not compatible with CSE. Whether, when, and which SAP applications will provide support for CSE depends, amongst others, on customer demand.

      Client-side encryption is currently primarily aimed at custom application development on HANA.

      Note that the client could be an end-user client or the client on the middleware (application server) connecting to HANA.

    • Hi Sebastian,

      I have updated my response with the information I have. If this does not answer your question(s), you can certainly try to contact SAP Support.