
2/5/2017 SAP HANA: Enabling Data Volume Encryption | Jitendra Singh | Pulse | LinkedIn

SAP HANA: Enabling Data Volume Encryption
Published on 1 October 2016

Jitendra Singh


SAP HANA & Netweaver Consultant

My manager came up with an interesting topic: database encryption. To be honest, it was not something I had worried about until this morning, but with everyone and everything now moving to the public cloud, security plays an ever more important role for enterprise business applications.

An SAP HANA database can run either on premise or in the cloud. It typically hosts a client's most critical SAP business processes, which makes it an attractive target for attackers and competitors.

Although the SAP documentation is very clear on the steps required to enable HANA data volume encryption, this post shares my understanding of, and experience with, the process.

1. How does it work?

SAP HANA uses a cryptographic service provider (CommonCryptoLib by default, or OpenSSL) for all encryption services. Once data volume encryption is enabled on a HANA system, all pages in the data area on disk are encrypted with the AES-256-CBC algorithm. Pages are transparently decrypted when they are loaded into memory, and when changed data is persisted, the write operation automatically encrypts the relevant pages before they reach disk.


Pages are encrypted and decrypted with 256-bit page encryption keys. The data volume encryption root key is kept in the secure store in the file system (SSFS), and the root keys are themselves encrypted with the SSFS master key. SAP HANA uses the SSFS to protect the root encryption keys, which in turn protect all other encryption keys.


2. Is my HANA database data volume already encrypted?

The SAP HANA installer (HDBLCM) does not enable data volume encryption as part of the installation process, so by default a freshly installed system is not encrypted. It is highly recommended to enable data volume encryption immediately after system installation.


3. What are the options to check the status of data volume encryption?

The standard SAP administration tools can all be used to check the data volume encryption status of a HANA system.

3.a. SAP HANA Studio - Security editor

The data volume encryption status can be reviewed in the Security editor of SAP HANA Studio: select the "Data Volume Encryption" tab to see whether encryption is active.


3.b. SAP HANA Cockpit

SAP HANA Cockpit is accessed through the URL

https://<FQDN host name>:<HTTPS port>/sap/hana/admin/cockpit

The SAP HANA Security Overview there shows the status of data volume encryption.

3.c. SAP HANA SQL Console

HANA provides a system view for monitoring the encryption status, M_PERSISTENCE_ENCRYPTION_STATUS. Open the HANA SQL console and execute:

SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS


4. How to activate data volume encryption?

Data volume encryption can be enabled right after a new system installation, and also on an existing, running system.

4.1. New Installation:

If you are installing a new SAP HANA database, activate data volume encryption immediately after the installation completes, before any business data is loaded.

4.2. Active/Running System:

The problem arises when the SAP HANA system is actively used by end users and the application team, with minimal room for downtime. Depending on the state of your system and the client's view on downtime, there are two ways to plan data volume encryption for a running HANA system.

4.2.1 OPTION #1: Reinstall SAP HANA

This is the method SAP recommends for enabling data volume encryption on a system that already holds data.

Pros: SAP-recommended way

Cons: Longer system downtime

Steps:

4.2.1.a. Run a HANA database backup.

4.2.1.b. Uninstall the system. Where possible, overwrite the former data area with random values, so that unencrypted pages cannot be recovered from the old storage.

4.2.1.c. Reinstall the system. If system replication is part of your landscape, configure it before enabling data volume encryption.

4.2.1.d. Enable data volume encryption (see 4.3).

4.2.1.e. Recover the database using the latest backup from step 4.2.1.a.

4.2.2 OPTION #2: Enable data volume encryption on the running SAP HANA system

It is not always possible to convince clients to allow a longer downtime, even when security is high on their agenda (the client might refuse the downtime to avoid revenue loss). In such a case, data volume encryption can still be activated on the running system.


Pros: No service downtime

Cons: Only the pages in use are encrypted immediately; the rest of the data is encrypted by a background task, so the whole volume is fully protected only after a delay. Until that task finishes, unencrypted pages remain on disk.

Steps: see section 4.3 below.

4.3. Enable data volume encryption

The following steps are carried out immediately after a new installation, or at any time on a running system where downtime is not possible.

4.3.1 SAP Cryptographic Library (CommonCryptoLib) is used by the system

Ensure that the SAP Cryptographic Library (CommonCryptoLib) is configured and used by the system; this can be checked from SAP HANA Cockpit.

4.3.2 Back up the master key

The SAP process may create a backup during activation of encryption, but it is always better to back up the key yourself beforehand than to be sorry after activation: if the SSFS master key is lost, the encrypted data volumes cannot be read.

Check the parameter ssfs_key_file_path = <path to key file>; the default path of the key file is $DIR_GLOBAL/hdb/security/ssfs. Keep the key backup separate from the data backups, so that a stolen backup does not contain the key that decrypts it.

Where possible, snapshot the VM as the backup.
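As an added example that is not part of the original article, the Python script below shows one way to script the key backup described above. It resolves ssfs_key_file_path from global.ini (assumed here to live in the [cryptography] section, with the default $DIR_GLOBAL/hdb/security/ssfs quoted above as the fallback), copies every file in that directory to a backup location with owner-only permissions, refuses a destination inside the HANA data area, and records SHA-256 digests so the copy can be verified later. The global.ini fragment and the file name SSFS_HDB.KEY used when exercising it are constructed for the example.

```python
"""Back up the SAP HANA SSFS key files before enabling data volume encryption.

Added example, not from the original article. Assumptions: the parameter
ssfs_key_file_path lives in the [cryptography] section of global.ini and
defaults to $DIR_GLOBAL/hdb/security/ssfs; every regular file in that
directory is treated as key material and copied.
"""
import configparser
import hashlib
import os
import shutil
from pathlib import Path

DEFAULT_SSFS_KEY_PATH = "$DIR_GLOBAL/hdb/security/ssfs"  # default quoted in the article

# Constructed global.ini fragment: ssfs_key_file_path is not set, so the
# default applies. The data volume path is used by the safety check below.
SAMPLE_GLOBAL_INI = """[persistence]
basepath_datavolumes = /hana/data/HDB

[cryptography]
ssfs_data_file_path = $DIR_GLOBAL/hdb/security/ssfs
"""


def resolve_ssfs_key_dir(global_ini_text: str, dir_global: str) -> Path:
    """Return the directory holding the SSFS key file, expanding $DIR_GLOBAL.

    Falls back to the documented default when ssfs_key_file_path is not set.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(global_ini_text)
    raw = cfg.get("cryptography", "ssfs_key_file_path", fallback=DEFAULT_SSFS_KEY_PATH)
    return Path(raw.replace("$DIR_GLOBAL", dir_global))


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_ssfs(ssfs_dir: Path, dest_dir: Path, data_dirs=()) -> dict:
    """Copy every regular file in ssfs_dir to dest_dir (owner-only access)
    and return {file name: sha256 of the copy}.

    Refuses a destination inside the SSFS directory itself or inside any of
    the given HANA data directories: a key stored next to the data it
    protects defeats the purpose of encrypting that data.
    """
    ssfs_dir = ssfs_dir.resolve()
    dest = dest_dir.resolve()
    forbidden_roots = [ssfs_dir] + [Path(d).resolve() for d in data_dirs]
    for root in forbidden_roots:
        if dest == root or root in dest.parents:
            raise ValueError(f"refusing to back up keys into {root}")
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)
    digests = {}
    for src in sorted(p for p in ssfs_dir.iterdir() if p.is_file()):
        dst = dest / src.name
        shutil.copy2(src, dst)
        os.chmod(dst, 0o600)
        if sha256_of(dst) != sha256_of(src):
            raise IOError(f"copy of {src.name} does not match the original")
        digests[src.name] = sha256_of(dst)
    if not digests:
        raise FileNotFoundError(f"no key files found in {ssfs_dir}")
    return digests


def verify_backup(dest_dir: Path, digests: dict) -> bool:
    """True when every recorded file is still present with the same digest."""
    return all(
        (dest_dir / name).is_file() and sha256_of(dest_dir / name) == digest
        for name, digest in digests.items()
    )


if __name__ == "__main__":
    key_dir = resolve_ssfs_key_dir(SAMPLE_GLOBAL_INI, "/usr/sap/HDB/SYS/global")
    print("SSFS key directory:", key_dir)
```

Run backup_ssfs() as the <sid>adm user against the resolved directory, pass basepath_datavolumes (and the backup basepath) as data_dirs, and keep the returned digests with your change record so the copy can be re-verified before a restore.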

4.3.3 Data volume encryption can be activated using different HANA tools

4.3.3.a The Security editor of SAP HANA Studio

Data volume encryption can be activated from the Security editor of SAP HANA Studio, under the Data Volume Encryption tab:


Select "Encrypt data volumes".

Hit Deploy to start the encryption process.

Click Refresh to check the status.

Or

4.3.3.b SAP HANA Cockpit

Access SAP HANA Cockpit through the URL

https://<FQDN host name>:<HTTPS port>/sap/hana/admin/cockpit

Go to SAP HANA Security Overview and select Data Storage Security.


Hit "Encrypt Data Volumes" to initiate the encryption process; it starts with the pages currently in use.

Select OK to confirm.

To check the status, refresh the page.

Or

4.3.3.c The SAP HANA SQL console

Use the system management statement ALTER SYSTEM PERSISTENCE ENCRYPTION.

Specify ON to enable encryption. When you switch encryption on, a random encryption key is generated and an asynchronous background task is started that encrypts all data on disk with this key:

ALTER SYSTEM PERSISTENCE ENCRYPTION ON

Click Deploy.

To check the status, execute:

SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS

Best practice is to keep as much of the data encrypted as possible, to reduce the security risk; check the status view until every service reports that the background encryption has completed.

Review the trace files to capture any error. The trace files are located under /usr/sap/<SID>/HDB<nn>/<hostname>/trace.
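As an added example that is not part of the original article, the Python below turns the status check from 3.c and the activation from 4.3.3.c into something scriptable: it parses a CSV export of M_PERSISTENCE_ENCRYPTION_STATUS, sorts each service into encrypted, still encrypting, or not encrypted, and polls until the background task has finished, stopping at once if any service reports encryption inactive, since waiting will not fix that. The column names IS_ENCRYPTION_ACTIVE and ENCRYPTION_COMPLETE, the host names, the port numbers and the rows themselves are constructed assumptions for this example; compare the column names with the real view on your release (run SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS once and look at the header) before relying on them. The script does not connect to HANA itself; you supply a callable that returns a fresh export, for instance by running the statement through hdbsql and capturing its output.

```python
"""Check and wait for SAP HANA data volume encryption from a script.

Added example, not from the original article. The SQL statements are the
ones the article uses; the column names of the status view are ASSUMED
(verify them against SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS).
"""
import csv
import io
import time
from typing import Callable, Dict, List

STATUS_SQL = "SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS"
ENABLE_SQL = "ALTER SYSTEM PERSISTENCE ENCRYPTION ON"

ACTIVE_COL = "IS_ENCRYPTION_ACTIVE"  # assumed: TRUE once ENCRYPTION ON was issued
DONE_COL = "ENCRYPTION_COMPLETE"     # assumed: TRUE once the background task finished

# Constructed CSV export for a two-host system: one service fully encrypted,
# one still being encrypted in the background, one not encrypted at all.
SAMPLE_EXPORT = """HOST,PORT,IS_ENCRYPTION_ACTIVE,ENCRYPTION_COMPLETE
hana01,30003,TRUE,TRUE
hana01,30007,TRUE,FALSE
hana02,30003,FALSE,FALSE
"""


def parse_status(export: str) -> List[Dict[str, str]]:
    """Parse a CSV export of the status view; fail loudly if the expected
    columns are missing rather than silently reporting 'not encrypted'."""
    reader = csv.DictReader(io.StringIO(export))
    rows = list(reader)
    missing = {"HOST", "PORT", ACTIVE_COL, DONE_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")
    return rows


def _flag(value: str) -> bool:
    """Interpret the boolean spellings HANA exports tend to use."""
    return value.strip().upper() in ("TRUE", "1", "X")


def classify(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group services (host:port) by encryption state."""
    state: Dict[str, List[str]] = {"encrypted": [], "in_progress": [], "unencrypted": []}
    for row in rows:
        service = f"{row['HOST']}:{row['PORT']}"
        if not _flag(row[ACTIVE_COL]):
            state["unencrypted"].append(service)
        elif _flag(row[DONE_COL]):
            state["encrypted"].append(service)
        else:
            state["in_progress"].append(service)
    return state


def fully_encrypted(rows: List[Dict[str, str]]) -> bool:
    """True only when every service is encrypted and the background task is done."""
    state = classify(rows)
    return bool(state["encrypted"]) and not state["in_progress"] and not state["unencrypted"]


def wait_until_encrypted(fetch_export: Callable[[], str], max_polls: int,
                         interval_s: float = 60.0, sleep=time.sleep) -> Dict[str, object]:
    """Poll fetch_export() until all services are fully encrypted.

    Returns {'done': bool, 'polls': int, 'state': classification}. Stops early
    if any service reports encryption inactive: that service needs ENABLE_SQL
    to be run (or the activation to be investigated), not more waiting.
    """
    state = classify([])
    for attempt in range(1, max_polls + 1):
        state = classify(parse_status(fetch_export()))
        if state["unencrypted"]:
            return {"done": False, "polls": attempt, "state": state}
        if state["encrypted"] and not state["in_progress"]:
            return {"done": True, "polls": attempt, "state": state}
        if attempt < max_polls:
            sleep(interval_s)
    return {"done": False, "polls": max_polls, "state": state}


if __name__ == "__main__":
    for bucket, services in classify(parse_status(SAMPLE_EXPORT)).items():
        print(f"{bucket:12s} {', '.join(services) or '-'}")
```

Wire fetch_export to whatever runs STATUS_SQL in your landscape and keep the polling interval generous: the background task competes with normal I/O, and the 64 GB timing quoted in section 5 suggests checking every few minutes rather than every few seconds.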

5. How long does the encryption process take to protect the whole database?

It depends on the size of the database and on the active workload on the system. For me, it took about 1 hour to encrypt a 64 GB HANA database on 8 cores.


6. Can the encrypted data volume be decrypted?

Yes, the data volume can be decrypted with the HANA tools without system downtime: hit "Decrypt Data Volumes" in the same place where encryption was enabled.

7. What is not encrypted?

Only the data volumes are encrypted by this feature. Data volume encryption does not encrypt database backups, the redo log, or database trace files, so each of these needs its own protection.

7.1. Database backup files

Database backup files are not encrypted, but the data in storage snapshots is, because a snapshot captures the data volume as it lies on disk.

SAP-certified third-party solutions that integrate with the Backint for SAP HANA interface can be used to encrypt the database backup files [e.g. SEP sesam].

7.2. Database redo log files

Encryption of the log volume is not covered by this feature. If the log files must be protected, encryption at the file system level is recommended [e.g. with the yast tool on SUSE].


7.3. Database traces

Trace files under /usr/sap/<SID>/HDB<nn>/<hostname>/trace are not encrypted by data volume encryption. Raise the trace level only during analysis and keep it at the default level at all other times, so that critical information is not exposed through the trace files at OS level. On SUSE, the yast tool can be used to encrypt the file system and files at OS level.


Jitendra Singh
SAP HANA & Netweaver Consultant
1 article

6 comments


Vishal Bagherwal, 4 months ago
Senior Software Administrator at Grainger
Nice article, great presentation. Can you please help me with the queries below:
1) How to check what data or tables are encrypted in case we are enabling encryption on an operational database (as there would be a delay in encryption)?
2) You mentioned only pages in use would be encrypted; does that mean pages in memory would be encrypted on the data volume? And other pages which are n…


Jitendra Singh, 4 months ago
SAP HANA & Netweaver Consultant
Hello Vishal,

Thanks for your comment.

The encryption only exists at the operating system in the persistence layer [on disk], but not when data is available in memory…

Vishal Bagherwal, 4 months ago
Senior Software Administrator at Grainger
Thanks Jitendra, appreciate your response.

Jitendra Singh, 5 months ago
SAP HANA & Netweaver Consultant
Thanks Alok Maurya
