Skip to Content

Does HANA encryption protects data if Virtual Machine stolen or copied?

Hi Dear Experts!

By order our security team we need to enable encryption on ERP system.

ERP 6.0 SPS8 (NW 7.5) on HANA 2.0 SPS3.

We plan to enable encryption on HANA database, namely:

a) Data volume encryption

b) Log encryption

c) Backup encryption (data backups+ archived redo logs)

Please tell me -

1) Is there any problems if we enable encryption only on production database? (example with trans request and etc. created in DEV (not encrypted HANA DB))

2) What if hacker or cloud administrator may steal whole Virtual Machine (DB and Applic. server SAP) or restore from VM backup (WHOLE VM, I'm not talking about DB backups), --

he can to "open"/"decrypt" data from that stolen VM copy? (example just start SAP)

3) If question 2 is "YES", how can we secure\protect is this case???


Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Apr 26 at 01:03 PM

    Hi Daulet,

    Please do refer to the following for a brief overview on HANA security:

    SAP HANA Security

    With respect to your questions:

    1. If you're non production environment is a clone of production it would be encrypted and would require the key to operate a good practice would be to create a new key for non production. Please refer to the following SAP note on encryption keys and cloning: 2134846

    2. I am assuming that in addition to the VM the underlying storage is stolen too? As just stealing the VM would perhaps only give you the operating system binaries? The HANA software, data, log and backup volumes one would assume resides on other mount points and perhaps part of different storage system?

    So assuming someone manages to steal it all, well then - since master and root keys for the HANA VM required for data encryption reside in this VM (Essentially the Instance SSFS & System PKI SSFS, You would need to secure the VM and the underlying guest operating system. Look into perhaps encrypting important files on the operating system with a encryption software that supports the use of Hardware Security Modules - that allows the keys to be stored outside on the VM and general storage system itself. Also depending on what technology you use for virtualization, for example with VMWARE/VSphere refer to the following where the keys required for the process do not all get stored on the guest host:

    How VSphere Encryption Protects Your Environment

    Hope that helps.



    Add comment
    10|10000 characters needed characters exceeded

    • Thanks Naqi,

      It's not very good for us.

      Can you tell me, how often SAP HANA uses SSF&SYSTEM PKI SSFS (root keys.. etc.)? Only on start DB? Or at any time?

      If only on start, we can move keys after start to another secure place?

      Example we just start DB then move (not copy) Keys to secure place.

  • May 03 at 09:01 AM

    Hi Daulet,

    You can change the location of the keys from the default location, but it would need to reside on some location accessible by the database. The HANA documentation will detail how to do that.

    Also have a look at Client Side Data Encryption, which will use columnar encryption - here you will need to selectively decide which columns in the tables require encryption. Also this type of encryption will only allow access to view the data from the client that has the key.

    Client Side Data Encryption

    Add comment
    10|10000 characters needed characters exceeded