The security functions in SAP HANA include the following features:
SAP HANA provides security features that enable you to implement different security policies and meet compliance requirements.
Depending on the implementation scenario in which SAP HANA is used, only some of these features might be needed; others might be provided in other architecture layers.
SAP HANA supports standard interfaces so that the customer security network and data center infrastructures can be integrated.
Server-Side Secure Stores
SAP HANA uses the configured secure store, that is, either the instance SSFS (secure store in the file system) or the local secure store (LSS), to protect the root keys used for all data-at-rest encryption services and the internal application encryption service. It uses the system PKI SSFS to protect the system-internal root certificates required for secure internal communication.
Instance Secure Stores in the File System (SSFS)
The instance SSFS (secure store in the file system) is a single file in the local file system that hosts the encryption keys for all tenants. It is the default secure store.
SAP HANA includes encryption services for encrypting data at rest. It also has an internal encryption service for applications with data encryption requirements. SAP HANA uses the secure store in the file system (SFFS) functionality to protect all encryption root keys.
SAP HANA uses two secure stores in the file system: the instance SSFS, and the system PKI SSFS. The instance SSFS protects the root keys used for all data-at-rest encryption services and the internal application encryption service. The system PKI SSFS protects system-internal root certificates that are required for secure internal communication.
SAP HANA uses the instance SSFS to protect the following encryption root keys:
The root key used for data volume encryption
The root key used for redo log encryption
The root key used for the internal application encryption service of the database
The password of the root key backup
Encryption configuration information
These root keys protect all encryption keys and data used in the SAP HANA database from unauthorized access.
Note
The application encryption root key is used by the secure internal credential store. This is needed in some scenarios, such as smart data access, to store additional user credentials securely (for example, for access to remote systems).
To prevent data encrypted in the SAP HANA database from becoming inaccessible, the content of the instance SSFS and key information in the database must remain consistent. If this is not the case, for example, if the instance SSFS becomes corrupted, the database issues an alert (check 57). Contact SAP Support to resolve these issues.
The page encryption keys used for data volume encryption are encrypted themselves by the data volume encryption root key. The root key is generated randomly during installation. The page keys are created when data volume encryption is enabled.
This secure store, which is used by SAP HANA to store internal root keys, is protected by the SSFS master key. To support automatic unattended startup of the SAP HANA system, the key store and the SSFS master key are stored on the file system. They are protected by operating system permissions, which require operating system access with the <sid>adm operating system user.
Local Secure Store (LSS)
The LSS is a separate lightweight utility that runs as a separate service on the SAP HANA server under a different operating system user (<sid>crypt), in order to strictly separate duties on operating system level. It stores and securely manages encryption keys, encryption root keys, and other similar sensitive data and helps in this way to protect server-side sensitive data from illegitimate usage.
The local secure store uses tenant-specific files and ensures that LSS clients have unattended access to the encryption root keys, which are needed for certain processes, such as automated starts (or restarts). Secured communication channels ensure that LSS verifies each client by using an allowlist to determine the exact identity.
Note
More information for the activation and usage of the local secure store (LSS) can be retrieved from the SAP HANA Security Guide for SAP HANA Platform
There, you can also find further information related to key management services (KMS) and hardware security modules (HSM).
