Skip to Content
Technical Articles
Author's profile photo Saroop Reddy Chidirala

SAP HANA Database Encryption

SAP HANA ENCRYPTION

INTRODUCTION

SAP HANA provides full support for data-at-rest encryption to secure your data.

SAP HANA is an in-memory database, and most of the data is in the main memory for maximum performance. This helps in processing large data at a very high speed with less administrative effort. However, data is automatically saved from memory to disk at regularly to ensure that the database can be restored to its most recent committed state. Here, all data changes are also captured in redo log entries.

DATA VOLUME ENCRYPTION

Data volume encryption is available from SAP HANA 1.0 SP12.  This protects the data area on the disk, i.e., all the data that resides under /hana/data/<SID>

This encryption uses AES-256-CBC Algorithm and 256-bit page encryption keys to encrypt and decrypt the data.

As shown here, data is encrypted while it is being saved on to the disk, and it is decrypted when it is being loaded into the memory.

LOG VOLUME ENCRYPTION

Redo log encryption protects the log area i.e., the logs that are created under /hana/log/SID.

This feature is available only from HANA 2.0 SP00.

Like data volume encryption, log volume encryption also uses AES-256-CBC Algorithm and 256-bit page encryption keys.

BACKUP ENCRYPTION

This feature is available from HANA 2.0 SP01. Backup encryption protects the contents of data backup, log backups and delta/ differential backups which includes snapshot backups as well. Backup encryption can be enabled for both backups written to the file system or backup written to the third-party backup tool through backint for SAP HANA interface.

A third-party backup tool can also be used, in this case, you have a choice between SAP HANA Encryption or tool-side backup encryption. If full protection in the persistence layer is required, SAP recommends that you use all the three backups.

KEYS USED IN SAP HANA ENCRYPTION

  1. Instance SSFS Master Key
  2. PKI SSFS Key.
  3. Data Volume Root Key
  4. Log Volume Root Key
  5. Backup Volume Root Key

HOW TO ENABLE AND DISABLE ENCRYPTION?

There are two ways in which you can enable and disable encryption, one is through SAP HANA Studio by use of various SQL commands or statements. The other option is to do it through SAP HANA COCKPIT.

Enable and Disable Encryption using SAP HANA Studio

Stop your HANA DB.

SAP HANA provides two keys with installation which are

  1. SSFS Keys à These keys reside in /hana/shared/<SID>/global/hdb/security/ssfs. These instance SSFS keys helps in protecting the root keys used for all data-at-rest encryption services and the internal application encryption service.
  2. PKI SSFS à system PKI SSFS helps protect system-internal root certificates required for secure internal communication. These keys can be found under /usr/sap/<SID>/SYS/global/security/rsecssfs/.

If your HANA DB is pre-installed or delivered by any partner, then SAP recommends to change the master keys that are created during installation.

  1. Encrypt SSFS Keys:

Take a backup of existing SSFS keys which will be at /hana/shared/<SID>/global/hdb/security

Switch to sidadm at OS level and execute below commands

export RSEC_SSFS_DATAPATH=/usr/sap/SAR/SYS/global/hdb/security/ssfs

export RSEC_SSFS_KEYPATH=/usr/sap/SAR/SYS/global/hdb/security/ssfs

rsecssfx changekey $(rsecssfx generatekey -getPlainValueToConsole)

Go to path /usr/sap/SAR/SYS/global/hdb/custom/config and add below lines in global.ini file.

ssfs_key_file_path = /usr/sap/SAR/SYS/global/hdb/security/ssfs

Encrypt PKI SSFS Keys:

export RSEC_SSFS_DATAPATH=/usr/sap/SAR/SYS/global/security/rsecssfs/data

export RSEC_SSFS_KEYPATH=/usr/sap/SAR/SYS/global/security/rsecssfs/key

rsecssfx changekey $(rsecssfx generatekey -getPlainValueToConsole)

Now start your HANA DB and give system privilege ENCRYPTION ROOT KEY ADMIN to user and run below SQL command.

Whenever HANA DB is installed or a tenant DB is created, unique keys will be created, and encryption will be disabled.

From HANA studio, To check Initial Keys select * from ENCRYPTION_ROOT_KEYS;

To check encryption status select * from SYS.M_ENCRYPTION_OVERVIEW

How to enable Encryption on SYSTEM DB

Set the Root Key Backup Password

This root key backup password is required to decrypt the root key backup file while any restore or recovery is being performed. This can be done via HANA Studio or Cockpit.

ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <PASSPHRASE>

Once the password is created, this will be stored in SSFS along with other keys.

To validate the password run below SQL statement.

ALTER SYSTEM VALIDATE ENCRYPTION ROOT KEYS BACKUP PASSWORD “Welcome.1”

If password is wrong output will be as below. 

Could not execute ‘ALTER SYSTEM VALIDATE ENCRYPTION ROOT KEYS BACKUP PASSWORD “Welcome1″‘ in 7 ms 575 µs .

SAP DBTech JDBC: [703]: incorrect root keys backup password: Validation of the Root Keys Backup Password failed.

Generate New Root Keys

Below are the unique keys which are created during installation.

select * from ENCRYPTION_ROOT_KEYS;

In order to change the root key, the below commands need to be executed based on the encryption.

  • Data Volume encryption –> ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

  • Redo log encryption –>  ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE
  • Data & Redo log –> ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Statement ‘ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE’

successfully executed in 2.415 seconds  (server processing time: 2.414 seconds) – Rows Affected: 0

To verify the above step

select * from ENCRYPTION_ROOT_KEYS. Keys generated above will be in PREACTIVE status.

Back Up Root Keys

Once the new keys are created, backup them from OS level. Before taking the backup of keys, find the dbid using below SQL statement.

SELECT DATABASE_NAME, CASE WHEN (DBID = ” AND DATABASE_NAME = ‘SYSTEMDB’) THEN 1 WHEN (DBID = ” AND DATABASE_NAME <> ‘SYSTEMDB’) THEN 3 ELSE TO_INT(DBID) END DATABASE_ID FROM (SELECT DISTINCT DATABASE_NAME, SUBSTR_AFTER (SUBPATH,’.’) AS DBID FROM SYS_DATABASES.M_VOLUMES)

Now with hanasidadm go to /usr/sap/<SID>/HDB00/exe and then run below command

./hdbnsutil -backupRootKeys <filename>.rkb –dbid=dbid –type=’ALL’

Dbid –> Database ID

Type=ALL –>  One of these values can be given- ALL, DATA, LOG, BACKUP. If we don’t give pass this then it will take backup of all keys related to Data/Log/Backup volumes.

To validate the root key backup run below command and enter the password which has been generated in Root Key Backup step.

Go to /usr/sap/SAR/HDB00/exe and then run below command

./hdbnsutil -validateRootKeysBackup <location>/<filename.rkb>

Then enter the password that has been given in Root Key Backup step.

Backup of the keys can be taken from HANA Studio as well.

SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS (‘PERSISTENCE, APPLICATION, BACKUP, LOG’) FROM DUMMY

Export the result with extension as .rkb and save them at secure external location

Now we can see all the keys backup is TRUE.

Activate New Root Keys

Once the backup of new encryption root keys is taken, the keys need to be activated.

Activate new root keys by following commands

  • Data volume encryption à ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY

Statement ‘ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY’

successfully executed in 2.419 seconds  (server processing time: 2.418 seconds) – Rows Affected: 0

  • Redo log encryption à ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY

Statement ‘ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY’

successfully executed in 2.419 seconds  (server processing time: 2.418 seconds) – Rows Affected: 0

  • Data and log backup encryption à ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY

Statement ‘ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY’

successfully executed in 2.419 seconds  (server processing time: 2.418 seconds) – Rows Affected: 0

***After activating the root keys ,take a backup of keys and validate the new key file.

We can validate whether keys are activated, and a backup of keys is done.

If required, take backup of keys as shown above.

Enabling Encryption on Data and Log Volumes

Enabling ENCRYPTION on:

  • Data Volume –> ALTER SYSTEM PERSISTENCE ENCRYPTION ON

If you enable encryption in an operational database, only the pages in use in the data volumes are encrypted. Pages in data volumes that are not in use may still contain old content, and are only overwritten and encrypted over time. This means that your data in data volumes will only be fully encrypted after some delay. If your DB is huge then it is recommended to take a backup (after encryption) and then restore it.

Statement ‘ALTER SYSTEM PERSISTENCE ENCRYPTION ON’

successfully executed in 2.408 seconds  (server processing time: 2.408 seconds) – Rows Affected: 0

  • Log Volume –> ALTER SYSTEM LOG ENCRYPTION ON

Redo log entries that are created after encryption are encrypted. Redo log files that were created before encryption was enabled are not encrypted and they will be encrypted when they are overwritten.

Statement ‘ALTER SYSTEM LOG ENCRYPTION ON’

successfully executed in 2.408 seconds  (server processing time: 2.408 seconds) – Rows Affected: 0

  • Backup Volume –> ALTER SYSTEM BACKUP ENCRYPTION ON

We cannot enable or disable encryption for a single Full/Incremental/log backup. Backups which were taken before encryption will still be in unencrypted format only.

Statement ‘ALTER SYSTEM BACKUP ENCRYPTION ON’

successfully executed in 2.408 seconds  (server processing time: 2.408 seconds) – Rows Affected: 0

Now validate the encryption status of database.

  • Enabling Encryption on Initial Tenant DB (created with installation) or existing Tenant:

Perform same steps as SYSTEM DB on the initial tenant DB or running tenants

  • Set the backup password for root key backup.
  • Change the root keys for all encryption services (DATA/Log/Backup). As part of this step ,Generate new keys without Activate, Backup the root keys, Activate the Root keys and backup the root keys.
  • Enable the Encryption for Data/Log/Backup.

Enabling Encryption on subsequent Tenant DB:

Below are the steps to be performed to enable encryption on newly created tenant DB.

  • Set password for root key backup.
  • Backup the root keys
  • Enable the encryption for Data/Log/Backup.

How to change Keys:

It is always highly recommended to change the keys regularly as per customer security policy. Below is the procedure to change the keys

  1. a) Generate new keys without Activate.
  2. b) Back up new keys.
  3. c) Activate new keys.
  4. d) Back up activated keys

Enable and Disable Encryption from HANA Cockpit

Login to HANA Cockpit and ensure the DB’s are added and correct credentials are maintained

Click on Data Encryption Tile

Click on Manage Keys

Below keys are generated during installation. Click Change Root Keys

Enter the password and ensure that this password is remembered as this will be needed when the DB needs to be restored/recovered.

Select which service root keys that needs to be changed. In this step it will generate new keys but will not activate them yet.

Download the keys and keep it in a safe location.

Once keys are downloaded in previous step, select yes and click Activate Root Keys. This step will now activate the new keys that have been generated in the previous step.

Now new keys are generated for Data/Log/Backup volumes. Click on Backup root Keys, this will download the root keys backup of activated keys and ensure that these keys are kept very safe as these keys need to be imported on target DB during restore.

Once downloaded, if you want to validate the keys then copy the .rbd files to OS level and run below commands.

cd /usr/sap/<sid>/<HDBinstance_no>/exe

./hdbnsutil -validateRootKeysBackup <filename>

This will ask for password, give the password that has been set in Step 1

Now enable the Encryption. To do this go to home page where Data Encryption tile can be seen and click on buttons highlighted below.

Similarly do it for log and backup volume as per your scenario.

Now click on Data Encryption tile to see the status.

Enabling Encryption on Initial Tenant DB(created with installation) or existing Tenant

If you have a Tenant DB which is installed during installation or in all existing tenants, follow the same steps as performed for SYSTEM DB to enable encryption.

For further additional tenants which are created post encryption was enabled in SYSTEM DB, follow the below steps. In my case D12 is the new tenant I have created after enabling encryption on System DB D11 and Tenant DB D11.

Connect to Tenant DB from cockpit and click on Data Encryption tile and click on Manage Keys.

Click on Data Encryption tile

Click on Manage Keys

  1. Click on Set Root Key Backup Password

  1. Click on Backup Root Keys, this will download the backup file.

  1. Now go to Data Encryption tile on tenant homepage and enable the tabs as per your scenario.

Enabling Encryption Scenario from Single Container to Multi-Container Conversion

If Encryption is already enabled on Single Container, the Tenant DB Inherits the Encrypted.

Encryption on System DB needs to be configured manually if required.

  • Disable Encryption

Set the buttons to OFF to Disable Encryption

  • Disable encryption

Encryption can be disabled as required by running following statements.

  • Data volume: ALTER SYSTEM PERSISTENCE ENCRYPTION OFF
  • Redo log volume: ALTER SYSTEM LOG ENCRYPTION OFF
  • Backup Volume: ALTER SYSTEM BACKUP ENCRYPTION OFF

By default, enable and disable of Encryption can be done from respective DB itself. We can enable or disable encryption of a tenant DB from System Database by passing control to SYSTEM DB. Tenant DB can take back the control whenever it wants. As highlighted, respective tenant DB can only enable or disable encryption of that tenant DB.

  • To pass the control to SYSTEM DB, from where encryption of tenant can be enabled or disabled, run below SQL statement.

ALTER SYSTEM ENCRYPTION CONFIGURATION CONTROLLED BY SYSTEM DATABASE

  • To take back control from SYSTEM DB then run the below SQL statement from system DB.

ALTER DATABASE <database_name> ENCRYPTION CONFIGURATION CONTROLLED BY LOCAL DATABASE

  • To enable and disable by parameter database_initial_encryption section of global.ini configuration file.

persistence_encryption (default: off)

log_encryption (default: off)

backup_encryption (default: off)

encryption_config_control (default: local_database)

  • To enable or disable encryption for a tenant DB from system DB then below are the SQL statements

ALTER DATABASE <database_name> PERSISTENCE ENCRYPTION ON

ALTER DATABASE <database_name> LOG ENCRYPTION ON

ALTER DATABASE <database_name> BACKUP ENCRYPTION ON

 

For More information please refer to below blogs:

https://blog.sap-press.com/learn-sap-hana-data-encryption

https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/355291043bee4053af4b848fbff9965f.html

 

 

 

 

 

Assigned Tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Priyanka Puvvada
      Priyanka Puvvada

      Very informative blog!

      Author's profile photo Mustafa Bensan
      Mustafa Bensan

      Since SAP HANA Studio is being deprecated, I imagine the future-proof approach for configuring encryption would be to use the SAP HANA Cockpit.

      Author's profile photo Saroop Reddy Chidirala
      Saroop Reddy Chidirala
      Blog Post Author

      Step by step process to enable Encryption from HANA Cockpit are also mentioned in the blog.