Deep Dive into SAP HANA Database Encryption: Concepts, Setup & Best Practices

Purpose

The purpose of this community blog is to cover the detailed plan for HANA Database Encryption.  

Introduction:

There are two ways in which you can enable and disable encryption:

- SAP HANA Studio
- SAP HANA cockpit

SAP HANA features encryption services for encrypting data at rest, as well as an internal encryption service available to applications with data encryption requirements.

 

1. Data-at-Rest Encryption:

To protect data saved to disk from unauthorized access at operating system level, the SAP HANA database supports data encryption in the persistence layer for the following types of data:

- Data volumes
- Redo log volumes
- Data and log backups

 

2. Internal Encryption:

An internal encryption service is used to encrypt sensitive application data. This includes credentials required by SAP HANA for outbound connections, private keys of the SAP HANA server stored in the database, and data in secure stores defined by developers of SAP HANA XS applications (classic or advanced) or other applications (through SQL).

Note:

SAP HANA has 2 SSFS keys:

1. SSFS keys -> The instance SSFS keys help protect the root keys used for all data-at-rest encryption services and the internal application encryption service.

These keys are stored in /usr/sap/<SID>/SYS/global/hdb/security/ssfs.

Within the folder location, you will find two files: SSFS_<SID>.DAT and SSFS_<SID>.KEY.

2. PKI SSFS -> The system PKI SSFS helps protect system-internal root certificates required for secure internal communication.

The system PKI SSFS key is stored in /usr/sap/<SID>/SYS/global/security/rsecssfs/data.

Within the folder location, you will find two files: SSFS_<SID>.DAT and SSFS_<SID>.KEY.

 

3. Flow of Encryption:

 

 

4. Encryption Control

By default, encryption configuration is controlled by the tenant database, but the control can be switched to the system database, or the system database can switch control back to the tenant database.

To see which database is controlling encryption configuration for a tenant database, you can query the system view SYS.M_ENCRYPTION_OVERVIEW.

From the system database, you can query the system view SYS_DATABASES.M_ENCRYPTION_OVERVIEW.

- If the value of this parameter is local_database (default), then only the tenant database administrator can enable or disable encryption from the tenant database.
- If the value is system_database, then only the system database administrator can enable or disable encryption from the system database.

 

5. Switching Encryption Control in Existing Tenant Databases

If the tenant database controls encryption configuration, the tenant database administrator can hand over this control to the system administrator by executing the following ALTER SYSTEM statement:

ALTER SYSTEM ENCRYPTION CONFIGURATION CONTROLLED BY SYSTEM DATABASE

If the system database controls encryption configuration, the system database administrator can hand it over to the tenant database administrator by executing the following ALTER DATABASE statement:

ALTER DATABASE <database_name> ENCRYPTION CONFIGURATION CONTROLLED BY LOCAL DATABASE

For simplicity, the system database administrator can hand over control to all tenants at once by executing the following statement.

ALTER SYSTEM ENCRYPTION CONFIGURATION CONTROLLED BY LOCAL DATABASES

 

6. Secure Store for Encryption Root Keys

SAP HANA uses the configured secure store to protect the following:

- The root keys used for:
  - Data volume encryption
  - Redo log encryption
  - Data and log backup encryption
  - Internal application encryption service of the database
- The password of the root key backup
- Encryption configuration information

These root keys protect all encryption keys (and data) used in the SAP HANA database from unauthorized access.

The system database and all tenant databases have their own encryption root keys.

 

Prerequisites:

1) Database backup (Systemdb & Tenantdb) must be taken before encryption.

Systemdb Backup:

 

Tenantdb Backup:

2) Have the credentials of the operating system user (<sid>adm) that was created when the system was installed.

3) The user must have the ENCRYPTION ROOT KEY ADMIN privilege.

4) Take a backup of the existing SSFS keys.

5) Whenever HANA DB is installed or a tenant DB is created, unique keys will be created, and encryption will be disabled.

From HANA Studio, use the following query to check the initial keys:

select * from ENCRYPTION_ROOT_KEYS;

Systemdb:

Tenantdb:

 

To check encryption status, use query: 

select * from SYS.M_ENCRYPTION_OVERVIEW;

Systemdb:

Tenantdb:

In the above screenshot we can see the encryption status is already active.

From HANA 2.0 SPS07, encryption is enabled by default during installation. Refer to the screenshot below.

Refer: https://help.sap.com/docs/SAP_HANA_PLATFORM/42668af650f84f9384a3337bcd373692/e0b2abe8514048ebaf1f8e83947e5c30.html

The reason for running the encryption procedure on an already encrypted database is:

If your HANA DB is pre-installed or delivered by a partner, then SAP recommends changing the master keys that were created during installation.

6) Shut down the SAP HANA system.

Encryption configuration:

1) Change the SSFS Master Keys

Change the SSFS master keys using the command line tool rsecssfx, which is installed with SAP HANA.

Procedure:

1) Log on to the SAP HANA system host as the operating system user, <sid>adm.

2) Take a backup of existing SSFS keys and PKI SSFS keys.

SSFS Keys backup:  /usr/sap/<SID>/SYS/global/hdb/security/ssfs

PKI SSFS keys backup: /usr/sap/<SID>/SYS/global/security/rsecssfs/

3) Re-encrypt the instance SSFS keys with a new key using the commands below:

setenv RSEC_SSFS_DATAPATH /usr/sap/<SID>/SYS/global/hdb/security/ssfs
setenv RSEC_SSFS_KEYPATH /usr/sap/<SID>/SYS/global/hdb/security/ssfs

 

rsecssfx changekey `rsecssfx generatekey -getPlainValueToConsole`

Go to path /usr/sap/<SID>/SYS/global/hdb/custom/config and configure the specified key file location in the global.ini configuration file.

[cryptography]
ssfs_key_file_path = /usr/sap/<SID>/SYS/global/hdb/security/ssfs

           

4) Re-encrypt the system PKI SSFS with a new key using the following command:

setenv RSEC_SSFS_DATAPATH /usr/sap/<SID>/SYS/global/security/rsecssfs/data
setenv RSEC_SSFS_KEYPATH /usr/sap/<SID>/SYS/global/security/rsecssfs/key
echo $RSEC_SSFS_DATAPATH
echo $RSEC_SSFS_KEYPATH

 

rsecssfx changekey `rsecssfx generatekey -getPlainValueToConsole`

5) Restart the SAP HANA Database.
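
Step 2 of the procedure above, as an added example (not part of the original post and not SAP tooling): a POSIX shell function that copies the .DAT and .KEY files into a new directory with owner-only permissions and verifies the copies by SHA-256 before rsecssfx changekey is run. The function name backup_ssfs, the SHA256SUMS manifest name and the destination directory are assumptions; DATAPATH and KEYPATH take the same values as RSEC_SSFS_DATAPATH and RSEC_SSFS_KEYPATH.

```sh
#!/bin/sh
# Added example, not from the original post.
# Usage: sh backup_ssfs.sh DATAPATH KEYPATH DEST
#   DATAPATH / KEYPATH: same values as RSEC_SSFS_DATAPATH / RSEC_SSFS_KEYPATH
#   DEST: new directory for the backup (hypothetical, must not exist yet)

# The function body is a subshell, so umask, cd and variables stay local
# and "exit" only leaves the function.
backup_ssfs() (
    datapath=$1 keypath=$2 dest=$3

    # Require exactly one SSFS_*.DAT and one SSFS_*.KEY. Anything else means
    # the wrong directory or an incomplete store, so stop before copying.
    set -- "$datapath"/SSFS_*.DAT
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "no single SSFS_*.DAT in $datapath" >&2; exit 2
    fi
    dat=$1
    set -- "$keypath"/SSFS_*.KEY
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "no single SSFS_*.KEY in $keypath" >&2; exit 2
    fi
    key=$1

    # Never overwrite an earlier backup: after changekey it may hold the
    # only remaining copy of the previous master key.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2; exit 3
    fi

    umask 077                          # backup directory is created 0700
    mkdir -p "$dest" || exit 4
    cp -p "$dat" "$key" "$dest"/ || exit 4
    chmod 600 "$dest"/SSFS_* || exit 4

    # Hash the originals in place, then verify the copies against those
    # hashes so a truncated or failed copy is caught now, not at restore time.
    {
        ( cd "$datapath" && sha256sum "$(basename "$dat")" ) &&
        ( cd "$keypath" && sha256sum "$(basename "$key")" )
    } > "$dest/SHA256SUMS" || exit 5
    ( cd "$dest" && sha256sum -c SHA256SUMS >/dev/null ) || exit 6
)

# Run only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
    backup_ssfs "$@"
fi
```

For the instance SSFS, DATAPATH and KEYPATH are the same directory; for the system PKI SSFS they are the data and key directories used in step 4. Run it once per store before the corresponding changekey.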

 

Encryption on Systemdb

2) Set the Root Key Backup Password

The root key backup password is required to securely back up the root keys of the database and subsequently to restore the backed-up root keys during data recovery.

Procedure:

1) Set the root key backup password with the following SQL statement.

ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>

The length and layout of the password must be in line with the database’s password policy.

2) To verify that the password you have is the same as the one that the system uses when creating new root key backups, use the statement below:

ALTER SYSTEM VALIDATE ENCRYPTION ROOT KEYS BACKUP PASSWORD <passphrase>

Note:

- If the root key backup already has a password, it will be overwritten.
- In a system-replication configuration, set the root key backup password in the primary system only. The password will be propagated to all secondary systems. The secondary systems must be running and replicating.
- The password is set and stored in the secure store together with the SAP HANA encryption root keys and encryption-related configuration. You must provide this password to import root keys from the backup into the database before starting a database recovery. All root key backups taken after the password is set use this password to protect the backup files.
- The password should also be stored in a separate safe location. You will need to enter it to restore the secure store content before a database recovery. Losing this password may result in the database being unrecoverable.

 

3) Generate new root keys

1) Use the query below to check the unique keys that were created during installation.

select * from ENCRYPTION_ROOT_KEYS;

Systemdb:

2) Generate new root keys for all encryption services using the following SQL statements:

 

Encryption service: SQL statement

Data volume encryption: ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Redo log encryption: ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Data and log backup encryption: ALTER SYSTEM BACKUP ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Internal application encryption: ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE

Data volume encryption:

In the same way, execute the statements listed above for redo log, data backup, log backup and internal encryption.

 

3) To verify the creation of the new root keys, use the query below. The newly generated keys will be in PREACTIVE status.

select * from ENCRYPTION_ROOT_KEYS;

 

4) Back up all root keys.

After you have generated new root keys, you must back up all root keys.

i) In the system database, execute the below SQL statement.

BACKUP ENCRYPTION ROOT KEYS USING FILE ('backup001')

ii) The backup file is saved in the ${DIR_INSTANCE}/backup/sec path.

Save the root key backup file to a secure location. If this file is lost, it may not be possible to recover the database.

 

iii) To validate the backup file on the SAP HANA server, use the hdbnsutil tool as the operating system user <sid>adm.

Go to /usr/sap/<SID>/HDB<nn>/exe and then run the command below.

./hdbnsutil -validateRootKeysBackup /usr/sap/<SID>/HDB<nn>/backup/sec/SYSTEMDB/backup001_rootkeys

iv) To confirm that the backup status of all keys is now TRUE, use the query below.

select * from ENCRYPTION_ROOT_KEYS;

 

5) Activate new root keys.

Activate new root keys so that they can be used to encrypt new data.

1) Activate the new root keys by executing the following SQL statements:

Encryption service: SQL statement

Data volume encryption: ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY

Redo log encryption: ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY

Data and log backup encryption: ALTER SYSTEM BACKUP ENCRYPTION ACTIVATE NEW ROOT KEY

Internal application encryption: ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY

a) Data volume encryption ->

ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY

In the same way, activate the root keys for redo log, data backup, log backup and internal encryption.

2) To validate that the keys are activated and that a backup of the keys has been taken, use the query below.

select * from ENCRYPTION_ROOT_KEYS;

 

 

6) Enable encryption

Note:

1) To enable encryption for a tenant database, you need to know whether encryption configuration is controlled by the tenant database or the system database:

- If the tenant database controls encryption configuration, encryption can only be enabled or disabled directly in the tenant database and not from the system database.
- If the system database controls encryption configuration, encryption can only be enabled or disabled using SQL from the system database.

 

Procedure:

1) Enable the required encryption service using the SAP HANA cockpit (tenant database control only) or the following SQL statements:

If the tenant database has control, use the statements below:

Data volume encryption: ALTER SYSTEM PERSISTENCE ENCRYPTION ON

Redo log encryption: ALTER SYSTEM LOG ENCRYPTION ON

Backup encryption: ALTER SYSTEM BACKUP ENCRYPTION ON

If the system database has control, use the statements below:

Data volume encryption: ALTER DATABASE <database_name> PERSISTENCE ENCRYPTION ON

Redo log encryption: ALTER DATABASE <database_name> LOG ENCRYPTION ON

Backup encryption: ALTER DATABASE <database_name> BACKUP ENCRYPTION ON

 

Data volume encryption:

Backup Encryption:

Redo Log encryption:

2) Now validate the encryption status of the database.

select * from ENCRYPTION_ROOT_KEYS;

Note:

i) Follow the steps from 2 to 6 to enable encryption on tenant database.

ii) In a system-replication configuration, enable (or disable) encryption in the primary system only. The setting will be propagated to all secondary systems. The secondary systems must be running and replicating.

 

Summary:

HANA database encryption is a critical security feature that protects sensitive data at rest and ensures compliance with regulatory standards. This blog explains the encryption options available in SAP HANA, including data volume encryption, redo log encryption, and secure key management. Implementing these measures strengthens data confidentiality and reduces risk across enterprise systems.

 

 

 

 
