SAP HANA - Enabling Data Volume Encryption - Jitendra Singh - Pulse

2/5/2017 SAPHANA:EnablingDataVolumeEncryption|JitendraSingh|Pulse|LinkedIn
SAP HANA: Enabling Data Volume

Encryption
Publicado el 1 de octubre de 2016
Jitendra Singh Seguir

20 6 0
SAP HANA & Netweaver Consultant
Mymanagercameupwithaninterestingtopicaboutdatabaseencryption.Tobehonest,
it'snotsomethingIwasworriedaboutuntilthismorningbutgiventhefactthat
everyoneandeverythingnowmovingtothePublicCloudSecurityisplayinganever
moreimportantroleforEnterprisebusinessapplications.
WithSAPHANAdatabase,thereareoptionstorunthedatabaseonpremiseand
cloud.ThereisnodoubtHANAdatabasecanrunthemostcriticalapplicationprocesses
forclientsSAPBusinessUnitmakingitvulnerableforthehackers/competitorsto
exploit.
AlthoughSAPdocumentationisveryclearonthestepsrequiredtoenabletheHANA
DataVolumeEncryption,thisistosharemyunderstanding/experiencewiththeprocess.
1. How does it work?
SAPHANAmakesuseofCryptographicserviceprovider[(default)CommonCryptoLib
orOpenSSL]forallEncryptionServices.Oncedatavolumeencryptionfeatureis
enabledonHANAsystem,allpagesondiskareencryptedusingtheAES256CBC
algorithm.Pagesaretransparentlydecryptedbyloadprocessinmemoryandwhen
changestodataarepersistedondisk,writeoperationautomaticallyencryptsthe
relevantpagesondisk.
https://www.linkedin.com/pulse/saphanaenablingdatavolumeencryptionjitendrasingh1 1/11
Pagesareencryptedanddecryptedusing256bitpageencryptionkeys.Thedatavolume
encryptionrootkeyisstoredusingthesecurestorageinthefilesystem(SSFS),root
keysareencryptedusingtheSSFSmasterkey.SSFSisimplementedbySAPHANAto
protecttherootencryptionkeys,usedtoprotectallencryptionkeys.
Cryptographicservice
provider[(default)CommonCryptoLibor
OpenSSL]isusedbySAPHANAforall
EncryptionServices.
2. Is my HANA database data volume already encrypted ?
SAPHANAInstaller(HDBLCM)doesnotenabletheDataVolumeencryptionaspart
oftheinstallationprocess,itishighlyrecommendedtoenableDataVolumeencryption
immediatelyaftersystemInstallation.
Bydefault,HANADatavolumeencryptionis
notenabled
3. What are the options to check the status of data volume

encryption?
StandardSAPAdmintoolsareavailableasstandardtoupdatedatavolumeencryption
statusforHANAsystem
3.a. SAP HANA Studio - Security editor
DataVolumeEncryptionstatuscanbereviewedfromSecurityconsoleofSAPHANA
StudiounderDataVolumeEncryptiontab
Select"DataVolumeEncryption"tabtocheckstatusofEncryption
3.b. SAP HANAcockpit
SAPHANACockpitisaccessedthroughtheURL,
https://<FQDNHostName>:<HTTPSPort>/sap/hana/admin/cockpit
SAPHANASecurityOverviewshowsthestatusofDataVolumeEncryption
3.c. SAP HANA SQL Console
HANAcomeswithsystemviewstomonitorencryptionstatus
(M_PERSISTENCE_ENCRYPTION_STATUS)
OpenHANASQLConsoleandexecutecommand
Select*FROMM_PERSISTENCE_ENCRYPTION_STATUS
4. How to activate data volume encryption?

4. How to activate data volume encryption?
EncryptionofDataVolumecanbeenabledduringnewsysteminstallationandonan
existing/runningsystem
4.1. New Installation:
IfyouareinstallingnewSAPHANADatabase,youcanactivatedatavolume
encryptionimmediatelyaftersysteminstallation
4.2. Active/Running System:
TheproblemariseswhenSAPHANAsystemisactivelyusedbyendusersandthe
applicationteamwithminimumroomfordowntime.Dependinguponyoursystem
statusandclientsviewondowntime,therearetwowaystoplanDATAVolume
encryptionwithrunningHANAsystem
4.2.1OPTION#1:ReInstallSAPHANA
ItistherecommendedmethodtoenabledatavolumeencryptionforrunningSAP
system
Pros:SAPRecommendedway
Cons:Longersystemdowntime
Steps:
4.2.1.a.RunHANADBbackup
4.2.1.b.UninstallSystem[overwritetheformerdataareawithrandomvalueswhere
possibletoavoidsecurityrisk]
4.2.1.c.ReInstallsystem.[configuresystemreplicationbeforeenablingdatavolume
encryption,ifapplicabletoyourlandscape]
4.2.1.d.Enabledatavolumeencryption
4.2.1.e.RecoverDBusinglatestbackup[fromstep4.2.1.a].
4.2.2OPTION#2:EnableDataVolumeEncryptiononrunningSAPHANA
Itisnotalwayspossibletoconvinceclientstoallowlongerdowntimeeventhough
securityishighontheiragenda,itisstillpossible(theclientmightrefuselonger
downtimetoavoidrevenueloss).Insuchcase,DataVolumeEncryptioncanstillbe
activatedontherunningsystem.
Pros:NoServiceDowntime
Cons:Onlypagesinusewillbeencryptedimmediately,restofdatawillbefully
protectedafterdelay.
Steps:pleasereferpoint3[mentionedbelow]
4.3. Enable data volume encryption
BelowstepsneedtocarryoutimmediatelyafterNewInstallationortoenabledata
volumeencryptionoranytimeforrunningsystemwheredowntimeisnotpossible
4.3.1SAPCryptographicLibrary(CommonCryptoLib)isusedbySystem
EnsureSAPCryptographicLibrary(CommonCryptoLib)isconfiguredandusedby
System,canbecheckedfromSAPHANACockpit.
4.3.2Backupmasterkey
SAPProcessmightcreatebackupduringtheactivationofencryptionbutit'salways
bettertobackupkeythansorrypostactivation
Checkparameterssfs_key_file_path=<pathtokeyfile>[defaultpathofthekeyfileis
$DIR_GLOBAL/hdb/security/ssfs]
WherepossiblesnapshottheVM,asthebackup.
4.3.3DataVolumeEncryptioncanbeactivatedusingdifferentHANAtools
4.3.3.aTheSecurityeditoroftheSAPHANAstudio
DataVolumeEncryptioncanbeactivatedfromSecurityconsoleofSAPHANAStudio
underDataVolumeEncryptiontab
SelectEncryptdatavolumes
HitDeploytostarttheEncryptionProcess
Clickrefreshtocheckthestatus
Or
4.3.3.bTheSAPHANACockpit
AccessSAPHANACockpitthroughtheURL,
https://<FQDNHostName>:<HTTPSPort>/sap/hana/admin/cockpit
GotoSAPHANASecurityOverview,
SelectDataStorageSecurity
HittheEncryptDataVolumestoinitiatetheEncryptionprocess,itwillstartencryption
withpagesinuse.
SelectOKtoconfirm
Tocheckthestatusrefreshthepage
Or
4.3.3.cTheSQLSAPHANASQLConsole
UsingsystemmanagementstatementALTERSYSTEMPERSISTENCE
ENCRYPTION.
SpecifiesONforencryptionshouldbeenabled.Whenyouswitchonencryption,a
randomencryptionkeyispreparedandanasynchronousbackgroundtaskisstartedthat
encryptsalldiskdatawiththiskey.
ALTERSYSTEMPERSISTENCEENCRYPTIONON
ClickDeploy
Tocheckthestatus,execute
Select*FROMM_PERSISTENCE_ENCRYPTION_STATUS
Thebestpracticeistoencryptthedataasmuchaspossibletoreducesecurityrisk,
Reviewtracefilestocaptureanyerror,locationoftracefile
/usr/sap/<SID>/HDB<nn>/<hostname>/trace
5. How long Encryption process take to protect the whole

database ?
Itdependsonthesizeofthedatabaseandactiveoperationsonthesystem,forme,it
took~1hourtoencryptwholeHANADatabaseofSize64GBwith8Core.
6. Can the encrypted data volume be decrypted ?

6. Can the encrypted data volume be decrypted ?
Yes,wecandecryptthedatavolumeusingHANAtoolswithoutsystemdowntime.
Hit"DecryptDataVolumes"
7. What is not encrypted?
OnlyDataVolumesareencryptedwiththisfeature.
DataVolumeEncryptionfeatureonlyencryptsHANADataVolumeandnotdatabase
backup,RedoLog&DatabaseTracefiles
7.1.Databasebackupfiles
Databasebackupfilesarenotencryptedbutdatainstoragesnapshotsisencrypted.
SAPCertifiedThirdpartysolutionsthatintegratewiththeBackintforSAPHANAcan
beimplementedtoachieveencryptionofdatabasebackupfiles[e.g.SEPsesam].
7.2.DatabaseRedologfiles
EncryptionoftheLogVolumeisnotcoveredbythefeatureandencryptionatthefile
systemlevelisrecommendedtosecurelogfilesshouldthatberequired.[e.g.yasttool
ofSUSE].
7.3.Databasetraces
Tracefilesunder/usr/sap/<SID>/HDB<nn>/<hostname>/trace,arenotencryptedwith
DataVolumeencryption.Itistoonlyincreasetracelevelduringanalysisandtracelevel
mustbeatdefaultlevelatallothertimestoavoidexposeofcriticalinformationviathe
tracefilesatOS.WithSUSE,yasttoolcanbeusedtoencryptthefilesystem&filesat
OSlevel.
Denunciar esto
Jitendra Singh
SAP HANA & Netweaver Consultant Seguir
1 artculo
6 comentarios Ms reciente
Deja tus comentarios aqu
Vishal Bagherwal 4 mes.

Senior So ware Administrator at Grainger
Nice article, Great Presentation. Can you please help me with below queries:
1) how to check what data or tables are encrypted incase we are enabling encryption on operational
database (as there would be delay in encryption)?
2) You mentioned only pages in use would be encrypted, does that mean pages in memory would be
encrypted on data volume? and other pages which are n Ver ms
Recomendar Responder 2

Jitendra Singh 4 mes.
Hello Vishal,
Thanks for your comment.
The encryption only exists at the Operating System in persistence layer [on disk] but not when
data is available in memory Ver ms
Recomendar Responder 1
Vishal Bagherwal 4 mes.

Senior So ware Administrator at Grainger
Thanks Jitendra, appreciate your reposnse
Recomendar Responder
Jitendra Singh 5 mes.

Thanks Alok Maurya
Recomendar Responder
Hay 4 comentarios ms.Mostrar ms
Historias principales de la seleccin de los editores
What if Hollywood Replaced Writers with There's a toy taking over the The Future of Work is Already Here
AI? playgroundis your workplace next? Jacqui Canney en LinkedIn
Robert Light en LinkedIn Dave Crenshaw en LinkedIn
Ests buscando ms titulares recientes en LinkedIn?
Descubre ms historias
Centrodeayuda Acercade Carrerasprofesionales Publicidad TalentSolutions SalesSolutions SmallBusiness Mvil Idioma Abnateaunacuentasuperior
LinkedInCorporation2017 Condicionesdeuso Polticadeprivacidad Opcionesdeanuncio Directricescomunitarias Polticadecookies Polticadecopyright Enviarcomentarios

SAP HANA - Enabling Data Volume Encryption - Jitendra Singh - Pulse

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

SAP HANA - Enabling Data Volume Encryption - Jitendra Singh - Pulse

Hochgeladen von

Copyright:

Verfügbare Formate

2/5/2017 SAPHANA:EnablingDataVolumeEncryption|JitendraSingh|Pulse|LinkedIn

SAP HANA: Enabling Data Volume

Jitendra Singh Seguir

1. How does it work?

2. Is my HANA database data volume already encrypted ?

3. What are the options to check the status of data volume

3.a. SAP HANA Studio - Security editor

3.b. SAP HANAcockpit

3.c. SAP HANA SQL Console

4. How to activate data volume encryption?

4. How to activate data volume encryption?

4.1. New Installation:

4.2. Active/Running System:

4.3. Enable data volume encryption

5. How long Encryption process take to protect the whole

6. Can the encrypted data volume be decrypted ?

6. Can the encrypted data volume be decrypted ?

7. What is not encrypted?

Deja tus comentarios aqu

Vishal Bagherwal 4 mes.

Thanks for your comment.

Vishal Bagherwal 4 mes.

Jitendra Singh 5 mes.

Hay 4 comentarios ms.Mostrar ms

Historias principales de la seleccin de los editores

Ests buscando ms titulares recientes en LinkedIn?

Das könnte Ihnen auch gefallen