SAP Adaptive Server Enterprise (SAP ASE) authentication and access control mechanisms ensure that only properly identified and authorized users can access data. Data encryption further protects sensitive data against theft and security breaches.
Encrypt entire databases, or only columns, depending on your needs.
The SAP ASE encryption feature enables you to encrypt data that is at rest, without changing your applications. This native support provides the following capabilities:
Use of a symmetric, National Institute of Standards and Technology (NIST)-approved algorithm: Advanced Encryption Standard (AES)
Performance optimization
Enforced separation of duties
Fully integrated and automatic key management
Application transparency: no application changes are needed
Data privacy protection from the power of the system administrator
Data encryption and decryption is automatic and transparent. If you have insert or update permission on a table, any data you insert or modify is automatically encrypted prior to storage. Daily tasks are not interrupted.
Selecting decrypted data requires decrypt permission in addition to select permission. decrypt permission can be granted to specific database users, groups, or roles. SAP gives you more control by providing you with granular access capability to sensitive data. SAP also automatically decrypts selected data for users with decrypt permission.
System-level user-supplied password
KEK derived from a user-supplied password (which can be the user’s login password)
Separately created database-level KEK (master key or dual master key)
When data is encrypted, it is stored in an encoded form called “cipher text.” Cipher text increases the length of the encrypted column from a few bytes to 32 extra bytes. Unencrypted data is stored as plain text.
Column and database encryption uses a symmetric encryption algorithm, which means that the same key is used for encryption and decryption. SAP ASE tracks the key that encrypts the data.
Install the license option ASE_ENCRYPTION. See the SAP ASE Installation Guide.
sp_configure 'enable encrypted columns', 1
Depending on the method you chose to protect encryption keys, create a database-level master key or set the system encryption password.
Create one or more named encryption keys. Consider using passwords to protect data even from the database administrator.
Specify the data for encryption.
Grant decrypt permission to users who must see the data. You may choose to specify a default plain text value known as a “decrypt default.” SAP ASE returns this default, instead of the protected data, to users who do not have decrypt permission.
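The setup steps above, run end to end as an added example (not taken from the SAP documentation). The database sales_db, key cc_key, table customer, role billing_role and the password placeholder are hypothetical names chosen for illustration, and the master-key path is used to protect the column key.

```sql
-- Enable the feature (requires the ASE_ENCRYPTION license option).
sp_configure 'enable encrypted columns', 1
go

use sales_db   -- hypothetical database
go

-- Protect column keys with a database-level master key.
-- Replace the placeholder with a strong password held by the key custodian.
create encryption key master with passwd '<master-key-password>'
go
-- Alternative if you protect keys with the system encryption password instead:
-- sp_encryption system_encr_passwd, '<system-encryption-password>'

-- Named AES key for the column. With no passwd clause, the key is
-- protected by the master key created above.
create encryption key cc_key for AES
    with keylength 256 init_vector random
go

-- Specify the data for encryption and a decrypt default that is returned
-- to users who have select but not decrypt permission.
create table customer (
    cust_id     int          not null,
    name        varchar(60)  not null,
    creditcard  char(16)     null
        encrypt with cc_key
        decrypt_default '****************'
)
go

-- select alone returns the decrypt default; decrypt is granted separately
-- and only on the encrypted column.
grant select on customer to billing_role
go
grant decrypt on customer(creditcard) to billing_role
go

-- Review which principals hold permissions on the table.
sp_helprotect customer
go
```

A user with select but not decrypt permission who runs select creditcard from customer receives the sixteen asterisks rather than the card number, which gives a quick check that the grants are scoped as intended.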
Use SAP Control Center or SAP Central SAP ASE Plug-in to manage encrypted data using a graphical interface. See the online help.
Use the bulk copy utility (bcp) to securely copy encrypted data in and out of the server. See the Utility Guide.
Use the SAP ASE migration tool sybmigrate to securely migrate data from one server to another. See the SAP ASE System Administration Guide.
Use SAP Replication Server to securely distribute encryption keys and data across servers and platforms. See the Replication Server Administration Guide for information on encryption when replicating.