SAP ASE New Feature in 16.0 SP03 PL06 release – Key Protection Using an External Keystore

From 16.0 SP03 PL06 release, SAP ASE can use the Hardware Security Module (HSM) as an external keystore to encrypt master keys. HSMs are physical devices that provide secure storage for encryption keys, called HSM keys. SAP ASE can use a single HSM key per SAP ASE instance to encrypt or decrypt master encryption keys present in any database.

To use an HSM key:

• Supply the necessary credentials to configure SAP ASE so that it can connect to the HSM device.
• Create a key in the device or use a key that is already present in the device to encrypt the master key.

Here’s an example of creating a new HSM key and using it to encrypt the master key:

1. Enable the usage of encryption keys:

sp_configure 'enable encrypted columns',1

2. Enable SAP ASE to store a key externally:

sp_configure 'external keystore', 0, 'hsm'

3. Specify the HSM credentials:

sp_encryption 'hsm_credential', 
'lib= libCryptoki2_64.so; pin=my8SeCret; slot=1'

4. Create a new HSM key without indicating a universally unique identifier (UUID) in the HSM device:

create encryption key hsm_key
	on external keystore 
	with 
		keylength 256 
		init_vector random

5. Create a master key encrypted with the newly created HSM key:

create encryption key master
with external key

With the indication of the external key clause, the created master key will be encrypted with the HSM key that was already created in the master database. If there is not an HSM key in the master database, SAP ASE reports errors.

If a master key was created by using a user password for encryption, you can use the alter encryption key command to encrypt the master key with the HSM key instead. For example:

alter encryption key master 
   with passwd 'its8Secret' 
   modify encryption with external key

In addition to the introduced functions, you can also drop the created HSM key and monitor the HSM key information. See Key Protection Using External Keystore for more details.