Former Member

HANA database encryption

As @lars.breddemann has described in an earlier post, the HANA DB encryption is not on the in-memory data but for the data partition and the log files.

So I was wondering if this "all or nothing" approach can be differentiated a bit more. E.g. I don't need to encrypt my whole db, but only a single table. How would I be able to do that? Can I move a single table into an individual data partition?

Also, I understand that the only possible way to encrypt an individual field of a table is to encrypt it before storing it on HANA - or did that change and HANA now comes with some support for this (e.g. the client provides a secret to encrypt the data but the en-/decryption is done on the DB and not on the client)?

2 Answers

  • Feb 01, 2017 at 11:28 AM

    Hi Bernd,

    Good question. We have three different objectives here:

    1. Encryption of archived storage (backups)
    2. Encryption of the files on the file system (persistence) - for the curious OS hacker
    3. Encryption of rows/columns in-memory (obfuscation/data masking) - for the curious DBA

    Currently, for SAP HANA 2.0 SPS 00, both data volume (persistence) and redo log encryption are available (but you still need to be careful with your trace files). The encryption takes place at a lower level than the database, so you cannot encrypt on the file system just the bits and bytes for table A or column B. It is all or nothing.

    Archived storage is addressed (or not) by the backup tool or by the DBA / System Administrator.

    Obfuscation/data masking can be addressed by the application but is not a database feature. See, for example, https://blogs.sap.com/2014/05/13/how-to-securely-mask-or-hide-column-data-using-sql-map-function-in-sap-hana-views/ or https://blogs.sap.com/2016/06/15/hana-eim-sdisdq-sps12-data-mask-node-how-to/ (using SDI).

    Targeted audit policies and a solid privilege and role management are obviously also very important to protect sensitive data.

    I understood that both backup encryption and data masking are high on the feature list for SAP HANA 2.0 SPS 01, but whether they make it to the release remains to be seen. RTC is planned for mid-April.


    • Former Member

      Thank you Denys, that was very helpful - one more question. If the HANA is hosted on the HCP (or SCP, as it is called now), is this process any different? Or is this all taken care of by the dev ops? (encryption on persistence level)

  • Feb 03, 2017 at 08:50 AM

    Hi Bernd,

    I have very little visibility of what is happening up there in the cloud so I will have to ask around a bit; I will get back to you.

