SAP HANA External Key Server – What Does It Mean?
This post is part of Transformational Tuesdays: A Series on SAP HANA Business Value from the SAP HANA Solution Management team celebrating 10 years of SAP HANA in 2020.
One of the new security feature announcements in SAP HANA 2.0 SPS 05 is support for an external key server. But what’s an external key server? In fact, what’s a key and how does it relate to SAP HANA?
Keys and key servers relate to encryption, something SAP HANA has supported for many years. But what exactly is encryption?
According to the Merriam-Webster dictionary, encryption is “a conversion of something (such as data) into a code or cipher”. If we encrypt this message:
“and he lived happily ever after to the end of his days”
the result might look something like this:
Not exactly easy to tell what the original message was when we look at the result. Of course, that’s the idea. Likewise, if we take the result message and decrypt it, meaning we convert it from its cipher form back to plain text, we should see the original message.
In order to encrypt (or decrypt) a message we need a key. In cryptography, an encryption (or decryption) key is typically a random sequence of bits used in conjunction with a cryptographic algorithm. We use the key to encrypt data, making it virtually impossible for a third party to use that data in a meaningful way without access to our key.
The encryption algorithm SAP HANA uses is called AES-256-CBC.
Now that you understand the basics of encryption and keys, how does this relate to SAP HANA? “I thought SAP HANA is an in-memory database, why are we talking about encryption?”
Isn’t SAP HANA an In-Memory Database?
Excellent question. Yes, SAP HANA is a true in-memory database. However, SAP HANA will periodically save changed data to persistent storage (called data volumes). Additionally, each time a transaction is committed it is written to what’s called a redo log, also stored persistently. If an SAP HANA server experiences a power failure, on start-up, the system will recreate the in-memory data from the data volumes and the redo log.
SAP HANA also creates backups of the data and log volumes.
The issue is that an attacker might gain access to the location where the data volumes, redo logs, or backups are stored and could potentially retrieve sensitive information. By automatically encrypting all of this data, it adds a further layer of security and protection for customers.
This encryption is supported for the SAP HANA system database and tenant databases. The associated encryption keys are stored as part of SAP HANA.
Local Secure Store
The SAP HANA data volumes, redo logs, and backups each has its own encryption key. Those keys need to be stored somewhere securely. That’s where the Local Secure Store (LSS) comes into play.
The LSS is a separate service and part of the SAP HANA installation. Its purpose is to store and manage the SAP HANA encryption keys securely while also creating a strong separation between system administration and encryption key management.
In addition to protecting the data volume, redo log, and backup encryption keys, the LSS also protects the password of the key backup and encryption configuration data.
The keys in the LSS are stored in what’s called the payload database.
External Key Server
“So what about this External Key Server?” I hear you ask. Well, the LSS can now be used with an external key management service (KMS), and the KMS can be used to store a master key (technically, it uses two keys, a private key and a public key) that encrypts the LSS’ payload database. A key server manages and serves cryptographic keys to users and programs.
SAP Data Custodian key management service is the first supported key server that LSS can connect. Some highlights:
- Cloud product, available as SaaS via subscription
- Customers control their keys and can restrict access
- Provides key generation, wrapping, rotation, and deletion
Supporting an external key server in SAP HANA 2.0 SPS 05, especially one as feature-rich as the SAP Data Custodian, adds tremendous control and monitoring capabilities to SAP customers of their critical SAP HANA encryption keys. With multiple cloud support and increased security, it might be time for another adventure and to start using an external key server.
For more information about SAP HANA server-side encryption refer to this SAP Help documentation: