SAP HANA Client-Side Data Encryption – by the SAP HANA Academy
Introduction
As we move our data to cloud storage and cloud database services, keeping it safe and protected from unauthorized access is obviously a high priority. To address this concern, the latest SAP HANA 2.0 SPS 03 release introduced a new security feature: client-side data encryption.
Client-side data encryption enables you to encrypt and decrypt column data using an encryption key that is accessible only to the SAP HANA client. Without access to the client (and its keys), the data stored on the server cannot be decrypted.
If you would like to learn how to configure the SAP HANA client for client-side data encryption, how to export, import and rotate the keys involved, and a range of other topics, check out the video tutorials below.
YouTube Playlist
All the video tutorials on the client-side data encryption topic are bundled in a single playlist on our channel:
What’s New?
In the first video, the concepts of client-side data encryption are explained.
Tutorial Video
Installation and Configuration
The SAP Common Crypto Library (libsapcrypto.so/sapcrypto.dll) and the sapgenpse(.exe) utility required for client-side encryption are included with the SAP HANA client.
For the latest version of the library, see
- SAP Downloads on the SAP ONE Support Portal – search for COMMONCRYPTOLIB
For the documentation, see
Tutorial Video
Getting Started with Client-Side Data Encryption
In the next two videos, we are going to set client-side encryption up.
For the code, see
For the documentation, see
- Getting Started With Client-Side Encryption
- Client-Side Data Encryption (SAP HANA Security Guide)
- Client-Side Data Encryption (SAP HANA Administration Guide)
Tutorial Video
Using DML with Client-Side Data Encryption
To insert or update data in the employees table, the business user must use prepared statements.
For the code, see
For the documentation, see
Tutorial Video
Using DDL with Client-Side Data Encryption
For the code, see
For the documentation, see
Tutorial Video
Rotate the Column Encryption Key
Part of operating client-side encryption is rotating column encryption keys (CEKs) regularly and re-encrypting your data with the most current CEK. Key copies of the new CEK must be created for every user who needs access to the data.
For the code, see
For the documentation, see
Tutorial Video
Exporting Client Key Pairs and Column Encryption Keys
You need to export (and back up, that is, store in a safe place) both the client key pairs and the column encryption keys. Although a column encryption key (copy) is encrypted with a particular key pair, you are not required to back up or store the two together: you can always create a copy of the CEK encrypted with a new client key pair (CKP).
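To make the key hierarchy behind the rotation and export sections concrete (one CEK copy per client key pair, rotation requiring fresh copies, and why the server alone cannot decrypt), here is an added Python model; it is not code from the Academy tutorials or from the SAP HANA client. A toy HMAC-based cipher stands in for the real cipher, each client key pair is reduced to a single secret `ckp` (so key copies are wrapped with the target user's secret rather than a public key), and `Server`, `Client` and `can_read` are invented names.

```python
import hmac, hashlib, os
# Toy authenticated stream cipher (HMAC-SHA256 keystream plus tag); it stands in
# for the cipher the HANA client uses. The key handling around it is the point.
def _stream(key, nonce, n):
    blocks = range((n + 31) // 32)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)[:n]
def encrypt(key, pt):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + body + hmac.new(key + b"mac", nonce + body, hashlib.sha256).digest()[:16]
def decrypt(key, ct):
    nonce, body, tag = ct[:16], ct[16:-16], ct[-16:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + body, hashlib.sha256).digest()[:16]):
        raise PermissionError("wrong key for this ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class Server:
    """Stores only ciphertext and wrapped CEK copies; never holds a CKP or a plain CEK."""
    def __init__(self):
        self.cek_copies = {}  # (cek_name, keypair_name) -> CEK wrapped for that key pair
        self.column = []      # encrypted values of one client-side encrypted column

class Client:
    def __init__(self, keypair_name):
        self.keypair_name, self.ckp = keypair_name, os.urandom(32)  # ckp stands in for the private key
    def cek(self, server, cek_name):  # unwrap our copy; fails without a copy for our key pair
        wrapped = server.cek_copies.get((cek_name, self.keypair_name))
        if wrapped is None:
            raise PermissionError(f"no key copy of {cek_name} for {self.keypair_name}")
        return decrypt(self.ckp, wrapped)
    def create_cek(self, server, cek_name):
        server.cek_copies[(cek_name, self.keypair_name)] = encrypt(self.ckp, os.urandom(32))
    def add_key_copy(self, server, cek_name, other):
        # Simplification: wraps with other.ckp; HANA wraps with the other user's public key.
        server.cek_copies[(cek_name, other.keypair_name)] = encrypt(other.ckp, self.cek(server, cek_name))
    def insert(self, server, cek_name, value):
        server.column.append(encrypt(self.cek(server, cek_name), value.encode()))
    def read(self, server, cek_name):
        k = self.cek(server, cek_name)
        return [decrypt(k, c).decode() for c in server.column]
    def rotate(self, server, old, new):
        """New CEK, column re-encrypted, old copies dropped: other users need fresh key copies."""
        self.create_cek(server, new)
        old_k, new_k = self.cek(server, old), self.cek(server, new)
        server.column = [encrypt(new_k, decrypt(old_k, c)) for c in server.column]
        server.cek_copies = {k: v for k, v in server.cek_copies.items() if k[0] != old}

def can_read(client, server, cek_name):  # True if this client can decrypt the column
    try: return isinstance(client.read(server, cek_name), list)
    except PermissionError: return False
```

Note that after `rotate` the server holds only ciphertext under the new CEK and a copy wrapped for the rotating user; every other user is locked out until a copy for their key pair is added, which is exactly why copies are part of the rotation procedure.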
For the code, see
For the documentation, see
Tutorial Video
Importing Client Key Pairs and Column Encryption Keys
Not surprisingly, importing client key pairs and column encryption keys is very similar to exporting.
For the code, see
For the documentation, see
Tutorial Video
HDB Key Store
For the code, see
For the documentation, see
Tutorial Video
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Facebook: @saphanaacademy
Dear Denys,
Thank you for excellent tutorials.
We have an S/4 HANA customer who requires us to provide a solution to encrypt some columns of the standard S/4 HANA BP tables. Do you think using client-side encryption is feasible in the S/4 HANA context?
How do we configure the technical DB user from ABAP to access HANA?
And the one thing that concerns me the most is that when accessing those columns, prepared statements shall be used. As far as I know, the ABAP server uses Open SQL, which is translated to DB SQL statements for execution on HANA; will those translated statements be prepared statements?
Looking forward to your reply.
Regards, Charlie
Dear Charlie,
Excellent question.
As you might have noticed when watching the videos, the “server-side”, the application logic, needs to be involved to implement client-side encryption (CSE) properly.
Unfortunately, column encryption is currently not supported in S4 scenarios.
Best,
Denys
Thanks for your reply.
Hi Denys,
We have HANA 2.0 SP3 on Linux on AWS and I have been reading this forum for a couple of days. The nature of our business is payroll and HR, and I am trying to perform a POC on client-side data encryption.
We have existing HR tables PA0000, PA0001 etc. Can I do this exercise on a sandbox which is on a HANA 2.0 SP3 DB server?
My questions are the following. I understand that data encryption and decryption take place on the client, so I have to install an SAP HANA client on a Windows machine. If I install an SAP HANA client on my Windows machine, how can the encryption and decryption take place for a column of the HR table which resides on the SAP application?
Regards,
Hi Sebastian,
As mentioned above, the business logic at the application layer typically needs to be coded for client-side encryption (CSE). Existing (SAP) applications are not compatible with CSE. Whether, when, and which SAP applications will provide support for CSE depends, amongst others, on customer demand.
Client-side encryption is currently primarily aimed at custom application development on HANA.
Note that the client could be an end-user client or the client on the middleware (application server) connecting to HANA.
Hi Denys,
Any further information on this, or do you suggest I create an OSS message?
Regards,
Sebastian
Hi Sebastian,
I have updated my response with the information I have. If this does not answer your question(s), you can certainly try to contact SAP Support.