
Learn SAP HANA: Data Encryption

Encrypting communications with SAP HANA is very important. However, encryption can also be used to secure the data stored on the SAP HANA server’s persistent layers.

 

Although SAP HANA is an in-memory database, its data is not exclusively stored in memory. SAP HANA will periodically create savepoints to mirror the in-memory data to disk. The savepoint process saves the data to the /hana/data/<SID> volume hosted on each SAP HANA server node.

 

In addition to these data savepoints, each committed transaction is simultaneously written to the /hana/log/<SID> volumes and memory on each SAP HANA server node. In the event of a power failure, the SAP HANA system will recreate the in-memory data using a combination of the persistent data snapshots stored in the /data volume and the transaction redo logs stored in the /log volume of each SAP HANA server node. Because these storage areas contain a binary version of the data hosted in SAP HANA, it’s often important that we encrypt that data.

 

Users with access to the SAP HANA OS can potentially access unencrypted data hosted in the data or log volumes. Most organizations vigorously restrict access to the OS of on-premise implementations of SAP HANA, but organizations leveraging hosted or cloud-based SAP HANA implementations might have limited control over users with OS-level access or physical access to the storage drives.

 

When access to the OS can’t be properly validated, it’s highly recommended that data and log volume encryption be used. The same is true when individuals with physical access to the disk drives aren’t properly managed.

 

Now, let’s review how SAP HANA manages the root keys used for encryption.

 

Server-Side Data Encryption

SAP HANA has a built-in encryption service to help manage the encryption of data hosted in the data and log volumes. This service uses a secure store in the file system (SSFS) to protect the encryption root keys. Encryption root keys are the basis for all public or private keys used to encrypt data or communications within the SAP HANA system.

 

SAP HANA has two secure stores in the file system. The first SSFS is the SAP HANA instance SSFS, which protects the root keys used to encrypt information stored in the data and log volumes. The second SSFS is the system PKI SSFS, which protects root certificates used to secure internal communications.

 

The instance SSFS key is stored on the OS in the following location by default:

 

/usr/sap/<SID>/SYS/global/hdb/security/ssfs

 

Replace the <SID> variable in the example with the SID of your SAP HANA system. Within the folder location, you’ll find two files: SSFS_<SID>.DAT and SSFS_<SID>.KEY.

 

The system PKI SSFS key is stored on the OS in the following location by default:

 

/usr/sap/<SID>/SYS/global/security/rsecssfs/data

 

Replace the <SID> variable in the example with the SID of your SAP HANA system. Within the folder location, you’ll find two files: SSFS_<SID>.DAT and SSFS_<SID>.KEY.

 

Given the importance of these keys, they should be backed up and stored in a root key backup file. This backup file and its location must be accessible by the administrator during a recovery situation for a new SAP HANA host or a host with a new key generated after the backup file’s creation date.

 

When data or log volume encryption is enabled, the SSFS will need to be restored from backup prior to a database recovery. However, if you’re restoring a backup to the same database used to generate the backup files and the SSFS keys weren’t changed following the backup, SSFS recovery is not necessary.

 

Next, we’ll provide more details about the processes used to back up and restore SSFS keys. It’s very important that organizations maintain backups of the SSFS keys each time they’re changed and prior to enabling data or log volume encryption.

 

Changing Root Keys within the SSFS

A unique root key is generated during the standard installation or upgrade of each SAP HANA instance. A standard installation is one in which a documented SAP HANA installation method is followed. However, because SAP HANA is often delivered as an appliance, it’s possible that the appliance vendor used a copy of the same encryption root keys within each of its appliance builds.

 

For example, the vendor might deploy a copied image of the SAP HANA appliance’s file system. Using an image provides a quick and consistent deployment of the SAP HANA software, but it results in each default instance using the same root keys and SSFS. Organizations also must consider the security of the SSFS and its keys during installation. SAP HANA currently must be deployed by a certified vendor or certified individual. That individual could make a copy of the root keys and store them insecurely outside of the organization’s control.

 

As a result, there is no guarantee that a copy of the encryption root keys doesn’t exist outside the organization. These keys should therefore be changed after the vendor has completed the installation.

 

For this reason, organizations often need to generate new encryption root keys after the initial deployment of the SAP HANA system. Starting with SAP HANA 2.0, the SSFS should be backed up whenever new root keys are generated. New keys are generated by executing a series of SQL statements; backing up the SSFS requires command-line access to the operating system. The process used to generate new root keys in SAP HANA 2.0 is as follows:

  • Generate new root keys using SQL commands.
  • Back up the new keys and store them in a secure file location.
  • Activate the new keys using SQL commands.

To perform these activities, you need the <sid>adm operating system credentials to run the hdbnsutil command-line utility, and your database user needs the ENCRYPTION ROOT KEY ADMIN system privilege. You also need to establish a password for the root key backup file. To establish this password, execute the following SQL statement:

 

ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD "<Password>";

 

To generate new root keys for the SAP HANA data volume, execute the following SQL command:

 

ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

 

To generate new root keys for the SAP HANA log volume, execute the following SQL command:

 

ALTER SYSTEM LOG ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

 

To generate new root keys for SAP HANA’s internal application encryption, execute the following SQL command:

 

ALTER SYSTEM APPLICATION ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

 

With all three of these SQL statements, the WITHOUT ACTIVATE option was specified. This allows new keys to be generated without making them active within the system. It’s important that you back up the root keys prior to their activation. To do so, we can use the hdbnsutil command line utility.

 

To use this utility, log on to the SAP HANA operating system with the <sid>adm credentials. Alternatively, we can execute a SQL statement that returns a CLOB field containing an encrypted text message. We can copy the text message to a file and save it with the .rkb extension.

 

To use the hdbnsutil command-line utility, log on to the SAP HANA system using your Secure Shell (SSH) service of choice. Log on to the shell using the <sid>adm credentials. This utility is stored in /usr/sap/<sid>/HDB<instance_number>/exe. Execute the following command to back up the root keys:

 

./hdbnsutil -backupRootKeys <file path and name>.rkb --dbid=<dbid> --type='ALL'

 

If SAP HANA is a single-container system, you can omit the --dbid=<dbid> portion of the command. The variable <dbid> should be replaced with the tenant database ID.

 

If you’re unable to gain access to the operating system shell, you can also execute a SQL statement to return a CLOB field containing the contents of the RKB file. Copy the contents of the CLOB field and save them to a file with an .rkb extension. To return the CLOB field, execute the following SQL:

 

SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS('PERSISTENCE, APPLICATION, LOG') FROM DUMMY;

 

Before activating the new root keys, it’s important to validate that you have the correct password required to restore the root keys. To do so, execute the following command from the SAP HANA OS shell:

 

./hdbnsutil -validateRootKeysBackup <path to filename> --password="<password>"

 

When a backup is created with data and log volume encryption enabled, that backup can only be restored to a system with the same SSFS and root keys. In the event that we need to restore a backup to a system with different root keys, we must first restore the root keys from the RKB file. To recover root keys, execute the following command from the operating system shell; you must be authenticated as the <sid>adm user to restore the root keys:

 

./hdbnsutil -recoverRootKeys <path to filename>.rkb --dbid=<dbid> --password="<password>" --type=ALL

 

If SAP HANA is a single-container system, you can omit the --dbid=<dbid> portion of the command. The variable <dbid> should be replaced with the tenant database ID.

 

Once the backup file is generated and validated, we can activate the new keys within the system. To activate the keys for all three areas, execute the following three statements:

 

ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY;

ALTER SYSTEM LOG ENCRYPTION ACTIVATE NEW ROOT KEY;

ALTER SYSTEM APPLICATION ENCRYPTION ACTIVATE NEW ROOT KEY;
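
The full sequence above as one guarded script (an added example, not code from the original article or from SAP): it generates the keys, backs them up, validates the backup, and activates the keys only if validation succeeds. The hdbuserstore key name ROTKEY, the variables RKB_PASSWORD, HDB_KEY, HDBSQL and HDBNSUTIL, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): generate -> back up -> validate -> activate.
# Assumptions: HDB_KEY names an hdbuserstore entry (ROTKEY is a placeholder)
# whose user holds ENCRYPTION ROOT KEY ADMIN; the script runs as <sid>adm in
# the directory that contains hdbnsutil; RKB_PASSWORD is the backup password
# already set with ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD.
# HDBSQL / HDBNSUTIL can be overridden, e.g. with stubs for a dry run.

run_sql()    { ${HDBSQL:-hdbsql} -U "${HDB_KEY:-ROTKEY}" "$1"; }
run_nsutil() { ${HDBNSUTIL:-./hdbnsutil} "$@"; }

# rotate_root_keys <backup file>.rkb [dbid]
# Returns 0 on success, 2 if no password is set, 3 if validation fails.
rotate_root_keys() {
    rkb=$1
    dbid=${2:-}
    [ -n "${RKB_PASSWORD:-}" ] || { echo "RKB_PASSWORD is not set" >&2; return 2; }

    # Step 1: create new keys for all three areas, leaving them inactive.
    for area in PERSISTENCE LOG APPLICATION; do
        run_sql "ALTER SYSTEM $area ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;" || return 1
    done

    # Step 2: back up the keys; umask 077 keeps the file private to <sid>adm.
    # --dbid is left out when no tenant database ID is given.
    ( umask 077
      run_nsutil -backupRootKeys "$rkb" ${dbid:+"--dbid=$dbid"} --type='ALL' ) || return 1

    # Step 3: prove the backup can be opened with the password we hold.
    # The password is an argument here, as in the article's command, so it is
    # visible in the process list while hdbnsutil runs.
    if ! run_nsutil -validateRootKeysBackup "$rkb" --password="$RKB_PASSWORD"; then
        echo "backup validation failed; new root keys left inactive" >&2
        return 3
    fi

    # Step 4: only now switch the system to the new keys.
    for area in PERSISTENCE LOG APPLICATION; do
        run_sql "ALTER SYSTEM $area ENCRYPTION ACTIVATE NEW ROOT KEY;" || return 1
    done
}
```

Call it as `rotate_root_keys /secure/path/keys.rkb 3` for a tenant database, or without the second argument on a single-container system.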

 

To view the current and historical status of root keys generated within the system, query the ENCRYPTION_ROOT_KEYS system view. To query this view, execute the following SQL statement from the SQL console:

 

SELECT * FROM SYS.ENCRYPTION_ROOT_KEYS;

 

Generating new root keys within the SSFS is an important step that all organizations should consider after receiving a new SAP HANA appliance. In the next sections, we’ll explore the requirements and commands necessary to enable data and log volume encryption.

 

Encrypting the Data Volume

There are two main ways to enable data volume encryption in SAP HANA: via a specialized SQL statement or via the security management options in SAP HANA Studio.

Using SQL

Note that you can’t enable data volume encryption if extended storage has already been enabled within the system; you’ll need to move extended storage tables back to in-memory and disable extended storage prior to executing the command successfully. Users will also need the ENCRYPTION ROOT KEY ADMIN system privilege to enable /data volume encryption. To enable data volume encryption, execute the following SQL command:

 

ALTER SYSTEM PERSISTENCE ENCRYPTION ON;

 

To monitor the status of data volume encryption, execute the following SQL statement:

 

SELECT * FROM SYS.M_ENCRYPTION_OVERVIEW;

Using SAP HANA Studio

SAP HANA Studio also provides a way to enable data volume encryption. Log on to your system and expand the System node within the Systems tab. Expand the Security folder and double-click the Security icon. The security manager will appear on the right, as shown in the figure below.

 

Within the security manager, click the Data Volume Encryption tab. On that tab, select the checkbox titled Encrypt data volumes. Press (F8) to deploy the changes. The Status of each service within the list will change to Encrypted once the encryption process is complete.

 

Figure: Encrypting Data Volumes in SAP HANA

 

Encrypting the Log Volume

Encrypting the log volume is a feature that was first made available in SAP HANA 2.0 SPS 00. As of the time of writing, log volume encryption can only be enabled using SQL commands. To enable log volume encryption, execute the following SQL command:

 

ALTER SYSTEM LOG ENCRYPTION ON;

 

To monitor the status of log volume encryption, execute the following SQL statement:

 

SELECT * FROM SYS.M_ENCRYPTION_OVERVIEW;

 

Future Versions of SAP HANA

Although SAP hasn’t made an official announcement, we expect that SSFS root key management, data volume encryption, and log volume encryption will be manageable from the SAP HANA 2.0 Cockpit’s management application in future versions of SAP HANA. With that said, we also expect that such options will continue to be manageable using the SQL statements listed in this section.

 

Conclusion

You now have a better understanding of encrypting data with SAP HANA. Now it’s time to secure your valuable information. Doing so will help you from an SAP HANA security standpoint and also give you practical knowledge to use when taking the SAP HANA Application Associate Certification Exam. For more information about the SAP HANA 2.0 Cockpit, please review SAP Note 2380291, available at https://launchpad.support.sap.com/#/notes/0002380291

 


 

Editor’s note: This post has been adapted from a section of the book SAP HANA Security Guide by Jonathan Haun.
