Data Volume and Redo Log Encryption
To protect data saved to disk from unauthorized access at the operating system level, the SAP HANA database supports data encryption in the persistence layer. Data volume encryption protects the data area on disk, while redo log encryption protects the log area on disk. SAP HANA data and log backups can be encrypted too.
The SAP HANA database holds most of its data in-memory for maximum performance. However, it still uses persistent disk storage as a fallback in case of failure. During normal operation, data is automatically saved from memory to disk at regular savepoints. Additionally, all data changes are captured in redo log entries. A redo log entry is written to disk with each committed database transaction. After a power failure, SAP HANA can be restarted like any disk-based database. It returns to its last consistent state by replaying the redo log entries since the last savepoint.
Secure Communication – Encryption of data communication in the network
Network traffic can be encrypted using Transport Layer Security (TLS), both between the SAP HANA database and clients, as well as between hosts in a distributed SAP HANA system.
Encryption of the data persistence layer
The SAP HANA database can encrypt data at rest.
Encryption works at the page level and uses the AES256 encryption algorithm.
A cryptographic service provider on the server offers the following functions:
The configuration of secure communication using TLS
The encryption of the persistence layer
SAP HANA supports the following cryptographic libraries:
CommonCryptoLib (libsapcrypto.so) is installed by default as part of the SAP HANA server installation at
The OpenSSL library is installed by default as part of the operating system installation. In most cases, you can use OpenSSL instead of CommonCryptoLib. However, there are some features in SAP HANA that are only supported by CommonCryptoLib; future features might also only be supported by CommonCryptoLib. For more information, see SAP Note 2093286.
Data Rest Encryption
Data volume, redo logs and backups (data and log) can be encrypted as follows:
Data Volume Encryption
If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm. Pages are transparently decrypted as part of the load process into memory. When pages reside in-memory, they are therefore not encrypted, and there is no performance overhead for in-memory page accesses. When changes to data are persisted to disk, the relevant pages are automatically encrypted as part of the write operation.
Pages are encrypted and decrypted using 256-bit page encryption keys. Page keys are valid for a certain range of savepoints and can be changed by executing SQL statements. After data volume encryption is enabled, an initial page key is automatically generated. Page keys cannot be read in plain text, but are encrypted themselves with a dedicated data volume encryption root key. This key is generated randomly during installation.
Redo Log Encryption
If redo logs are encrypted, log entries are encrypted using the AES-256-CBC algorithm before they are written to disk. Log entries are encrypted and decrypted using a 256-bit long root key, which is generated randomly during installation.
Switch on backup encryption and all subsequent data backups, delta backups, and log backups will be encrypted. Note that data snapshots are not encrypted unless data volume encryption is enabled.
During start up, administrator interaction is not required. The data volume encryption, redo log and backup encryption root keys are stored using the secure storage in the file system (SSFS) functionality, and are automatically retrieved from there.
SAP HANA allows you to encrypt data volumes and redo logs independently of each other. However, if you require full protection in the persistence layer, you should enable both.
Enabling encryption does not increase data size.
SAP HANA uses the SSFS instance to protect the encryption root keys from unauthorized access. These root keys protect all encryption keys used in the SAP HANA system, and are encrypted using the SSFS master key.
The persistence encryption feature does not encrypt the database traces.
For security reasons, do not run the system with extended tracing for more than short-term analysis. This is because tracing might expose security-relevant data that is encrypted in the persistence layer, but not in the trace. Therefore, do not keep such trace files on disk beyond the respective analysis task.