Encrypting SPD Engine Data Sets

SPD Engine Encryption Overview

Encryption is the transformation of intelligible data (plain text) into an unintelligible form (cipher text) by a mathematical process. The cipher text is translated back into plain text when you apply the appropriate password or ENCRYPTKEY that is necessary for decrypting (unlocking) the cipher text.
Encryption helps protect information on disk and in transit:
  • Over-the-wire encryption protects SAS data while in transit.
  • On-disk encryption protects data at rest.
There are two types of algorithms that SAS uses to encrypt SPD Engine data sets at rest:
  • SAS Proprietary: provided within Base SAS software. This algorithm provides a medium level of security. You use the ENCRYPT=YES data set option to invoke this encryption.
  • AES (Advanced Encryption Standard): a block cipher that encrypts data in blocks of 128 bits by using a 256-bit key. You use SAS/SECURE software, which is included with default Base SAS software. You use the ENCRYPT=AES data set option to invoke this encryption.
SPD Engine Encryption Features

| Features | ENCRYPT=YES | ENCRYPT=AES |
|---|---|---|
| License required | No | No |
| Encryption level | Medium | High |
| Algorithm supported | within Base SAS software | AES |
| Installation required | No (part of Base SAS software) | No (in SAS/SECURE, which is included with Base SAS software) |
| Operating environments supported | UNIX, Windows, z/OS | UNIX, Windows, z/OS |
| SAS version support | 8 and later | 9.4 and later |

SAS Proprietary Algorithm

SAS Proprietary uses a 32-bit fixed encoding and is appropriate only for preventing accidental exposure of information. SAS Proprietary is licensed with Base SAS software and is available in all deployments.

AES Algorithm

The AES algorithm is a block cipher that encrypts data in blocks of 128 bits by using a 256-bit key. It uses SAS/SECURE software, which is included with Base SAS software. For more information about SAS/SECURE, see Encryption in SAS.
Note: AES encryption is not supported for OpenVMS on 64-bit Itanium.
AES encryption, which provides enhanced encryption for SPD Engine data sets, is available in SAS 9.4 and later. The AES algorithm produces stronger encryption by using SAS/SECURE. If you want an encrypted SPD Engine data set, you must use the ENCRYPTKEY= data set option with ENCRYPT=AES when you create the SPD Engine data set.
Note: You cannot change the ENCRYPTKEY= value on an AES-encrypted SPD Engine data set without re-creating the data set.
The following rules apply to AES encryption on SPD Engine data sets:
  • You must use the ENCRYPTKEY= data set option when creating a data set with AES encryption.
  • To copy an AES-encrypted SPD Engine data set, the output engine must support AES encryption. Otherwise, the data set is not copied.
  • Releases before SAS 9.4 cannot use an AES-encrypted SPD Engine data set.
  • If the SPD Engine data sets are AES-encrypted, all associated index files are also AES-encrypted. Metadata files are not AES-encrypted.
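The rules above, as an added example that is not part of the original SAS documentation: it creates an AES-encrypted SPD Engine data set with an index, reads it back, and re-creates it under a new key because the key cannot be changed in place. The library path, data set names, and key values are placeholders chosen for illustration.

```sas
/* Added example: path, names and keys below are constructed placeholders. */
libname secure spde '/sasdata/spde_demo';   /* hypothetical SPD Engine library */

/* Placeholder key. Supply the real value at run time rather than */
/* storing it in program source.                                  */
%let aeskey = Placeholder_Key_1;

/* Create: ENCRYPT=AES must be paired with ENCRYPTKEY=.            */
/* The index on EMPID is stored in an index file, which is also    */
/* AES-encrypted; metadata files are not.                          */
data secure.payroll(encrypt=aes encryptkey=&aeskey index=(empid));
   input empid $ salary;
   datalines;
E001 52000
E002 61000
;
run;

/* Read: the same ENCRYPTKEY= value is needed to decrypt the data. */
proc print data=secure.payroll(encryptkey=&aeskey);
run;

/* Change of key: ENCRYPTKEY= cannot be altered on an existing     */
/* AES-encrypted data set, so write a new data set under the new   */
/* key while reading the old one with the old key.                 */
%let newkey = Placeholder_Key_2;

data secure.payroll_rekeyed(encrypt=aes encryptkey=&newkey index=(empid));
   set secure.payroll(encryptkey=&aeskey);
run;
```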
For more information, see ENCRYPT= Data Set Option and ENCRYPTKEY= Data Set Option.