Introduction
As we move our data to cloud storage and cloud database services, keeping it safe and protected from unauthorized access is a high priority. To address this concern, the SAP HANA 2.0 SPS 03 release introduced a new security feature: client-side data encryption.
Client-side data encryption enables you to encrypt and decrypt column data using an encryption key accessible only by the SAP HANA client. Without client access, the data on the server cannot be decrypted.
If you would like to learn how to configure the SAP HANA client for client-side data encryption, how to export, import and rotate security keys, and a range of other topics, check out the video tutorials below.
YouTube Playlist
All the video tutorials on the client-side data encryption topic are bundled in a single playlist on our channel:
What's New?
In the first video, the concepts of client-side data encryption are explained.
Tutorial Video
https://www.youtube.com/watch?v=6ql1odUjsCY
Installation and Configuration
The SAP Common Crypto Library (libsapcrypto.so/sapcrypto.dll) and the sapgenpse(.exe) utility required for client-side encryption are included with the SAP HANA client.
For the latest version of the library, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=wrcbiueS3j4
Getting Started with Client-Side Data Encryption
In the next two videos, we set up client-side encryption.
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=AuXXG6pF-7c
https://www.youtube.com/watch?v=Ma-0tVV4ROo
Using DML with Client-Side Data Encryption
To insert or update data in the employees table, the business user must use prepared statements.
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=ei-NsCi4yXk
Using DDL with Client-Side Data Encryption
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=4WyhrDGho6s
Rotate the Column Encryption Key
Part of the client-side encryption procedure is to rotate column encryption keys (CEKs) regularly and re-encrypt your data using the most current CEK. Key copies for the new CEK must be created for users who need access to the data.
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=W2xyWo2bQLw
Exporting Client Key Pairs and Column Encryption Keys
You need to export (and back up, that is, store in a safe place) both the client key pairs and the column encryption keys. Although a column encryption key (copy) is encrypted with a particular key pair, you are not required to back up or store them together. You can always create a copy of the CEK for encryption with a new CPK.
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=AIkyHS7UBYs
Importing Client Key Pairs and Column Encryption Keys
Not surprisingly, importing client key pairs and column encryption keys is very similar to exporting.
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=9aeMDtoNUUE
HDB Key Store
For the code, see
For the documentation, see
Tutorial Video
https://www.youtube.com/watch?v=xD1NVukEUYc
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library - by the SAP HANA Academy.
For the full list of blogs, see Blog Posts - by the SAP HANA Academy.