Overview of Encryption

SAP Adaptive Server Enterprise (SAPASE) authentication and access control mechanisms ensure that only properly identified and authorized users can access data. Data encryption further protects sensitive data against theft and security breaches.

Encrypt entire databases, or only columns, depending on your needs.

While both encrypted columns and fully encrypted databases allow you to comply with security and privacy requirements, the different usages may make one feature easier to deploy than the other. Consider using:

Encrypt columns when you can easily identify which columns contain sensitive data.
Encrypt databases when you must perform range searches over sensitive data columns, and when you lack the knowledge of the data model and cannot identify sensitive data columns (for example, in packaged applications that include thousands of tables). In addition, the definition of sensitive data (such as personal information) differs among different locations (such as states or countries); encrypting an entire database can allow you to satisfy these various data security requirements.

The SAP ASE encryption feature enables you to encrypt data that is at rest, without changing your applications. This native support provides the following capabilities:

Fully encrypt databases
Column-level granularity
Use of a symmetric, National Institute of Standards and Technology (NIST)-approved algorithm: Advanced Encryption Standard (AES)
Performance optimization
Enforced separation of duties
Fully integrated and automatic key management
Application transparency: no application changes are needed
Data privacy protection from the power of the system administrator

Data encryption and decryption is automatic and transparent. If you have insert or update permission on a table, any data you insert or modify is automatically encrypted prior to storage. Daily tasks are not interrupted.

Selecting decrypted data requires decrypt permission in addition to select permission. decrypt permission can be granted to specific database users, groups, or roles. SAP gives you more control by providing you with granular access capability to sensitive data. SAP also automatically decrypts selected data for users with decrypt permission.

Encryption keys are stored in the database in encrypted form. You can encrypt an encryption key using a key encryption key (KEK) derived from a

System-level user-supplied password
KEK derived from a user-supplied password (which can be the user’s login password)
Separately created database-level KEK (master key or dual master key)

The password you select reflects your ability to preserve data privacy, even from system administrators. You may choose to protect your column encryption key using dual-control mode to increase the security.

When data is encrypted, it is stored in an encoded form called “cipher text.” Cipher text increases the length of the encrypted column from a few bytes to 32 extra bytes. Unencrypted data is stored as plain text.

Column and database encryption uses a symmetric encryption algorithm, which means that the same key is used for encryption and decryption. SAP ASE tracks the key that encrypts the data.

Generally, using data encryption requires these steps:

Install the license option ASE_ENCRYPTION. See the SAP ASE Installation Guide.
The system security officer (SSO) enables encryption in SAP ASE:
```
sp_configure 'enable encrypted columns', 1
```
Depending on the method you chose to protect encryption keys, create a database-level master key or set the system encryption password.
Create one or more named encryption keys. Consider using passwords to protect data even from the database administrator.
Specify the data for encryption.
Grant decrypt permission to users who must see the data. You may choose to specify a default plain text value known as a “decrypt default.” The SAP ASE returns this default, instead of the protected data, to users who do not have decrypt permission.

Once you perform these steps, you can run your existing applications against your existing databases, tables and columns, but now the data is securely protected against theft and misuse. SAP ASE utilities and other SAP products can process data in encrypted form, protecting your data throughout the enterprise. For example, you can:

Use SAP Control Center or SAP Central SAP ASE Plug-in to manage encrypted data using a graphical interface. See the online help.
Use the bulk copy utility (bcp) to securely copy encrypted data in and out of the server. See the Utility Guide.
Use the SAP ASE migration tool sybmigrate to securely migrate data from one server to another. See the SAP ASE System Administration Guide.
Use SAP Replication Server to securely distribute encryption keys and data across servers and platforms. See the Replication Server Administration Guide for information on encryption when replicating.