ENCRYPTKEY= Data Set Option

Specifies a key value for AES encryption.

Valid in: DATA step and PROC step
Range: 1 to 64 bytes
Restrictions: Use with SAS 9.4 or later only
Use only with AES-encrypted data sets

Syntax

ENCRYPTKEY=key-value

Syntax Description

key-value

assigns an encryption key value. You must use the ENCRYPTKEY= data set option with ENCRYPT=AES. The key value can be up to 64 bytes long. You can specify an ENCRYPTKEY= key value with or without quotation marks, using the following rules:

no quotation marks
  • alphanumeric characters and underscores only
  • up to 64 bytes
  • uppercase and lowercase letters
  • must start with a letter
  • no blank spaces
  • is not case sensitive

encryptkey=key-value
encryptkey=key-value1

single quotation marks
  • alphanumeric, special, and DBCS characters
  • up to 64 bytes
  • uppercase and lowercase letters
  • is case sensitive

encryptkey='key-value'
encryptkey='1234*#mykey'

double quotation marks
  • alphanumeric, special, and DBCS characters
  • up to 64 bytes
  • uppercase and lowercase letters
  • enables macro resolution
  • is case sensitive

encryptkey="key-value"
encryptkey="1234*#mykey"
%let mykey=abcdefghi12;
encryptkey="&mykey"

When the ENCRYPTKEY= key value uses DBCS characters, the 64-byte limit applies to the character string after it has been transcoded to UTF-8 encoding. You can use the following DATA step to calculate the length in bytes of a key value in DBCS:
data _null_;
    key=length(unicodec('key-value','UTF8'));
    put 'key length=' key;
run;
Note: You cannot change the ENCRYPTKEY= key value on an AES-encrypted data set without re-creating the data set.

Details

CAUTION:
You must remember the ENCRYPTKEY= key value.
If you forget the ENCRYPTKEY= key value, you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= key value.
You must use the ENCRYPTKEY= data set option when creating or accessing an SPD Engine data set with AES encryption.
The ENCRYPTKEY= data set option does not protect the data set from deletion or replacement. Encrypted data sets can be deleted by any of the following methods without specifying a key value:
  • the KILL option in PROC DATASETS
  • the DROP statement in PROC SQL
  • the DELETE procedure
The ENCRYPTKEY= data set option prevents access only to the contents of the data set. To protect the data set from deletion or replacement, the data set must also contain an ALTER= password.
You must specify the ENCRYPTKEY= key value when you copy AES-encrypted data sets. The key value follows the data set name in the SELECT statement. The following example uses the SELECT statement:
copy in=OldLib out=NewLib;
   select salary(encryptkey=key-value);
run;
When working with data sets protected by the ENCRYPTKEY= key value in the DATASETS procedure, you can specify the key value in the AGE, APPEND, CONTENTS, and MODIFY statements. The ENCRYPTKEY= data set option can be specified either in parentheses after the name of the SAS data set or after a forward slash.
It is possible to use a macro variable as the ENCRYPTKEY= key value. To use a macro variable, you must use double quotation marks. The following code defines a macro variable:
%let secret=MyValue;
The following code uses the macro variable as the ENCRYPTKEY= key value:
data my.dsname(encrypt=aes encryptkey="&secret");
When you specify a macro variable as the ENCRYPTKEY= key value, you must enclose the macro variable in double quotation marks. If you do not use the double quotation marks, unpredictable results can occur.

Example: Using ENCRYPTKEY= Data Set Option

This example uses the ENCRYPT=AES option:
data spdelib.salary(encrypt=aes encryptkey=green);
   input name $ yrsal bonuspct;
   datalines;
Muriel    34567  3.2
Bjorn     74644  2.5
Freda     38755  4.1
Benny     29855  3.5
Agnetha   70998  4.1
;
run;
To use this data set, specify the ENCRYPTKEY= key value:
proc contents data=spdelib.salary(encryptkey=green);
run;
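
The following is an added example, not part of the SAS documentation. It combines the points from the Details section: the key is supplied through a macro variable in double quotation marks, its UTF-8 byte length is checked against the 64-byte limit, and an ALTER= password is set so that the data set is also protected from deletion or replacement. The library path, key value, and ALTER= password are constructed placeholders.

```sas
/* Assumption: an SPD Engine library at a placeholder path. */
libname spdelib spde '/path/to/spde/library';

/* Constructed key value. Special characters require quotation marks,
   and macro resolution requires double quotation marks. */
%let secret=Km7_constructed*Key;

/* Check the key length in bytes after transcoding to UTF-8.
   The 64-byte limit applies to the transcoded string, so a DBCS key
   with fewer than 64 characters can still be too long. */
data _null_;
   keylen=length(unicodec("&secret",'UTF8'));
   if keylen > 64 then put 'ERROR: key value exceeds 64 bytes. ' keylen=;
   else put 'key length=' keylen;
run;

/* ENCRYPTKEY= protects only the contents of the data set.
   ALTER= (placeholder password AltPw1) is added so that the data set
   cannot be deleted or replaced without the password. */
data spdelib.salary(encrypt=aes encryptkey="&secret" alter=AltPw1);
   input name $ yrsal bonuspct;
   datalines;
Muriel    34567  3.2
Bjorn     74644  2.5
;
run;

/* Reading the contents requires the key value. */
proc contents data=spdelib.salary(encryptkey="&secret");
run;

/* Deleting does not require the key value, but with ALTER= set it does
   require the ALTER= password. */
proc datasets library=spdelib nolist;
   delete salary(alter=AltPw1);
quit;
```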