
Fundamental question: what is the value of Hana encryption to begin with?

Hi all

I saw SAP is recommending Hana DB encryption in all sorts of docs. However, I haven't seen any doc that explains the fundamental question: how does the SAP Hana encryption protect the Hana data to begin with?

If a hacker gets access to the Hana data volume, he can access the executable and SSFS keys. That means he can simply copy the encrypted data volume and SSFS keys and restore it to a different machine. Then couldn't he just simply start the Hana DB?

If the data volume isn't encrypted, how can a hacker access the data if he has OS access to the data volume?

Thanks, Jonathan.


1 Answer

  • Jan 31 at 04:06 AM

    Upfront, I'm not a data security expert and not a hacker. The following is my view on your questions.

    First your last question:

    "If the data volume isn't encrypted, how can a hacker access the data if he has OS access to the data volume?"

    Well, the data volumes are binary files in the file system. It's straightforward to open these files and access their contents. One could e.g. look for strings in the file and find user and object names and table contents. Of course, the data you can retrieve this way doesn't present itself in any reasonable structure and will include outdated versions of data, too, but one can get insights here.

    To your first question:

    "If a hacker gets access to the Hana data volume, he can access the executable and SSFS keys. That means he can simply copy the encrypted data volume and SSFS keys and restore it to a different machine. Then couldn't he just simply start the Hana DB?"

    This is not quite correct. The SSFS master keys are not stored with the data volumes! (see docs). If an attacker can access the encrypted data volumes, then it doesn't (and shouldn't) mean that access to the SSFS keys has also been gained. So, if the attacker runs off with a copy of the NAS server that hosted the data volumes, then no data access is possible.

    If it, however, does happen that the attacker gains both the data volume files and the SSFS keys, then it is possible to restart the HANA instance which would trigger the decryption. That's essentially what constitutes the normal operation of the system.

    I guess the main idea is that one has to own both the master key files and the matching data volumes to be able to do anything with the database. As usual, once access to one of the underlying operating structures (hardware, OS, hypervisor...) is available, then the security mechanisms can be avoided by gaining the appropriate privileges (e.g. root, su - <sid>adm, ... ).

    All this is about the data volume encryption. Just as for the other types of encryption HANA offers (communication, replication, log files, log and data backup), the main point really is to prevent access to the data without the appropriate permission. Permissions for data access are managed "within" a HANA instance; that also means preventing access to the data from outside the HANA system (server and clients).

    Does that answer your questions?

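As an added illustration of the two scenarios in the answer above (this is not code from the original thread or from SAP): a constructed sample "data volume" is strings-scanned unencrypted, then encrypted without the key, then decrypted with a master key that is held separately, the way the SSFS key is. The HMAC-SHA256 counter-mode stream cipher is an assumed stand-in for HANA's real algorithm, and the sample bytes and the key are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a HANA data volume page: binary framing with
# user names, an object name and a table row embedded as plain text.
SAMPLE_VOLUME = (
    b"\x00\x01HDB\x00\x00\x00\x10" + b"SYSTEM\x00" + b"SAPDBCTRL\x00"
    + b"\x00" * 8 + b"CUSTOMER\x00" + b"Jane Doe;ACME Ltd;4711\x00"
    + b"\xff\xfe" * 6
)

# Constructed master key; in a real system this lives in the SSFS,
# not next to the data volume files.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()


def strings_scan(blob: bytes, min_len: int = 4) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII of at least min_len."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def keystream(master_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in, not HANA's cipher)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(master_key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_volume(plaintext: bytes, master_key: bytes) -> bytes:
    """XOR the volume bytes with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(master_key, len(plaintext))))


decrypt_volume = encrypt_volume  # stream cipher: identical operation in both directions


def attacker_view(volume: bytes, master_key=None) -> list:
    """What an attacker recovers from a copied volume file.

    With the master key the instance can be 'restarted' and the volume decrypts;
    without it, only a strings-scan over the raw bytes is possible.
    """
    if master_key is not None:
        volume = decrypt_volume(volume, master_key)
    return strings_scan(volume)
```

Scanning the unencrypted volume yields the user names and the customer row, the encrypted volume alone yields none of them, and volume plus key yields exactly what the unencrypted scan did.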