SAP HANA 2.0 Data Storage Security

SAP HANA 2.0 Data Storage Security

Data and Redo log Encryption
To protect information saved to disk from unauthorized access at OS level, the SAP HANA 2.0 database supports data encryption in the persistence layer. Data volume encryption protects the data area on disk, while redo log encryption protects the log area on disk. Dynamic Tiering (DT) data volumes are also encrypted if SAP HANA data volume encryption is enabled.

Data and Log Volume Encryption
If database data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm. Page is transparently decrypted as a part of the load method into memory. When pages reside in memory they're thus not encrypted and there is no performance overhead for in-memory page accesses. When changes to database are persisted to disk, the relevant pages are automatically encrypted as part of the write operation.

If redo logs are encrypted, log entries are encrypted using the AES-256-CBC algorithm before they are written to disk. Log entries are encrypted and decrypted using a 256-bit long root key, which is generated randomly during installation.

During start-up, administrator interaction is not required. The data volume encryption and redo log root keys are stored using the secure storage in the file system functionality of the instance (instance SSFS) and are automatically retrieved from there.

SAP HANA uses the instance SSFS to protect the encryption root keys that are used to protect encryption keys or persistent data in the SAP HANA system from unauthorized access. All root keys are encrypted using the SSFS master key.

Backup Encryption
SAP HANA supports native backup encryption. Database Backup provide the encryption safeguards the privacy of the SAP HANA business data by preventing unauthorized parties from reading the content of backups.

Backup encryption is independent of Data volume encryption. To encrypt data and log backups, backup encryption must be enabled.