ENCRYPTKEY= Table Option

Specifies a key value for AES encryption.

Category: Table Control
Restriction: ENCRYPT=AES must be set.
Requirement: This option is required when ENCRYPT=AES is set.
Interaction: You cannot change the key value on an AES encrypted data set without re-creating the data set.
Data source: SAS data set, SPD Engine data set
Note: Check your log after this operation to ensure that the encrypt key values are not visible. For more information, see “Blotting Passwords and Encryption Key Values” in SAS Language Reference: Concepts.
Syntax
Syntax Description
Details
Example
See Also

Syntax

ENCRYPTKEY= key-value

Syntax Description

key-value

assigns an encrypt key value. The key value can be up to 64 bytes long. You are able to create an ENCRYPTKEY= key value with or without quotation marks using the following rules:

no quotation marks

  • alphanumeric characters and underscores only
  • up to 64- bytes
  • uppercase and lowercase letters
  • must start with a letter
  • no blank spaces
  • is not case-sensitive
Example 
encryptkey=key-value
encryptkey=key-value1

single quotation marks

  • alphanumeric, special, and DBCS characters
  • up to 64 bytes
  • uppercase and lowercase letters
  • blank spaces, but not all blank
  • is case-sensitive
Example 
encryptkey='key-value'
encryptkey='1234*#mykey'

double quotation marks

  • alphanumeric, special, and DBCS characters
  • up to 64 bytes
  • uppercase and lowercase letters
  • enables macro resolution
  • blank spaces, but not all blanks
  • is case-sensitive
Example 
encryptkey="key-value"
encryptkey="1234*#mykey"

%let mykey=abcdefghi12;
encryptkey=&key-value
Note When the ENCRYPTKEY= key value uses DBCS characters, the 64-byte limit applies to the character string after it has been transcoded to UTF-8 encoding. You can use the following DATA step to calculate the length in bytes of a key value in DBCS: 
data _null_;
    key=length(unicodec("key-value","UTF8"));
    put "key length=" key;
run;

Details

CAUTION:
Record the key value.
If you forget the ENCRYPTKEY= key value, you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= key value because the key value is not stored with the data set. The following note is written to the log:
Note: If you lose or forget the ENCRYPTKEY= value, 
there will be no way to open the file or recover the data.
You must use the ENCRYPTKEY= option when you are creating or accessing a SAS data set with AES encryption.
The ENCRYPTKEY= table option does not protect the file from deletion or replacement. Encrypted data sets can be deleted by using any of the following scenarios without having to specify an ENCRYPTKEY= key value:
  • the KILL option in PROC DATASETS
  • the DROP statement in PROC SQL
  • the DELETE procedure
  • the DROP TABLE statement in FedSQL
The ENCRYPTKEY= option only prevents access to the contents of the file. To protect the file from deletion or replacement, the file must also contain an ALTER= password.
The following DATASETS procedure statements require you to specify the ENCRYPTKEY= key value when working with protected files: AGE, AUDIT, APPEND, CHANGE, CONTENTS, MODIFY, REBUILD, and REPAIR statements. 
append base=name data=name(encryptkey=key-value);
run;
The option can be specified either in parentheses after the name of the SAS data file or after a forward slash.
It is possible to use a macro variable as the ENCRYPTKEY= key value. When you specify a macro variable for the ENCRYPTKEY= key value, you must enclose the macro variable in double quotation marks. If you do not use the double quotation marks, unpredictable results can occur. The following example defines a macro variable and uses the macro variable as the ENCRYPTKEY= key value: 
%let secret=myvalue;
create table myschema.dsname {options encrypt=aes encryptkey="&secret"};

Example: Using the ENCRYPTKEY= Option

This example uses the ENCRYPT=AES option to encrypt a SAS data set: 
create table myfiles.salary {options encrypt=aes encryptkey="1234*#mykey"}
   (name char(15),
    yrsal double,
    bonuspct double);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Muriel', 34567, 3.2);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Bjorn', 74644, 2.5);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Freda', 38755, 4.1);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Benny', 29855, 3.5);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Agnetha', 70998, 4.1);
To retrieve data from the data set, you must specify the Read password:
  select * from myfiles.salary {option encryptkey="1234*#mykey"};

See Also

Table Options:
ENCRYPT= Table Option
Copyright © SAS Institute Inc. All rights reserved.