ENCRYPTKEY= Table Option

Specifies a key value for AES encryption.

Category: Table Control
Interaction: Required for use with ENCRYPT=AES in the CREATE TABLE statement
Data source: SAS data set, SPD Engine data set, SPD Server table
Notes: Check your log after this operation to ensure that the encrypt key values are not visible. For more information, see “Blotting Passwords and Encryption Key Values” in SAS Language Reference: Concepts.
You cannot change the key value on an AES encrypted data set without re-creating the data set.
Syntax
Syntax Description
Details
Example
See Also

Syntax

ENCRYPTKEY= key-value

Syntax Description

key-value

specifies an encrypt key value. When encrypting a data set, you are able to create an ENCRYPTKEY= key value that can be up to 64 bytes long. The ENCRYPTKEY= value can be created with or without quotation marks using the following rules:

no quotation marks

  • alphanumeric characters and underscores only
  • up to 64- bytes
  • uppercase and lowercase letters
  • must start with a letter
  • no blank spaces
  • is not case-sensitive
Example 
encryptkey=key_value_1234

single quotation marks

  • alphanumeric, special, and DBCS characters
  • up to 64 bytes
  • uppercase and lowercase letters
  • blank spaces, but not all blank
  • is case-sensitive
Example 
encryptkey='key-value'
encryptkey='1234*#mykey'

double quotation marks

  • alphanumeric, special, and DBCS characters
  • up to 64 bytes
  • uppercase and lowercase letters
  • enables macro resolution
  • blank spaces, but not all blanks
  • is case-sensitive
Example 
encryptkey="key-value"
encryptkey="1234*#mykey"

%let mykey=abcdefghi12;
encryptkey=&key-value
Note When the ENCRYPTKEY= key value uses DBCS characters, the 64-byte limit applies to the character string after it has been transcoded to UTF-8 encoding. You can use the following DATA step to calculate the length in bytes of a key value in DBCS: 
data _null_;
    key=length(unicodec("key-value","UTF8"));
    put "key length=" key;
run;

Details

CAUTION:
When using ENCRYPTKEY= to encrypt a data set, record the key value.
If you forget the ENCRYPTKEY= key value, you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= key value because the key value is not stored with the data set.
You must use the ENCRYPTKEY= option when you are creating or accessing a SAS data set or SPD Engine data set with AES encryption. You cannot use the FedSQL language to create an SPD Server table with AES encryption. However, you can access an existing SPD Server table that has AES encryption by specifying its encryption key value with ENCRYPTKEY=.
The ENCRYPTKEY= table option does not protect the file from deletion or replacement. Encrypted data sets can be deleted by using any of the following scenarios without having to specify an ENCRYPTKEY= key value:
  • the KILL option in PROC DATASETS
  • the DROP statement in PROC SQL
  • the DELETE procedure
  • the DROP TABLE statement in FedSQL
The ENCRYPTKEY= option prevents access to the contents of the file. To protect the file from deletion or replacement, the file must also contain an ALTER= password.
The following DATASETS procedure statements require you to specify the ENCRYPTKEY= key value when working with protected files: AGE, AUDIT, APPEND, CHANGE, CONTENTS, MODIFY, REBUILD, and REPAIR statements. 
append base=name data=name(encryptkey=key-value);
run;
The option can be specified either in parentheses after the name of the SAS data file or after a forward slash.
It is possible to use a macro variable as the ENCRYPTKEY= key value. When you specify a macro variable for the ENCRYPTKEY= key value, you must enclose the macro variable in double quotation marks. If you do not use the double quotation marks, unpredictable results can occur. The following example defines a macro variable and uses the macro variable as the ENCRYPTKEY= key value: 
%let secret=myvalue;
create table myschema.dsname {options encrypt=aes encryptkey="&secret"};

Example: Using the ENCRYPTKEY= Option

This example uses the ENCRYPT=AES option to encrypt a SAS data set: 
create table myfiles.salary {options encrypt=aes encryptkey="1234*#mykey"}
   (name char(15),
    yrsal double,
    bonuspct double);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Muriel', 34567, 3.2);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Bjorn', 74644, 2.5);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Freda', 38755, 4.1);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Benny', 29855, 3.5);
insert into myfiles.salary {option encryptkey="1234*#mykey"} values
    ('Agnetha', 70998, 4.1);
To retrieve data from the data set , you must specify ENCRYPTKEY= and the password:
  select * from myfiles.salary {option encryptkey="1234*#mykey"};

See Also

Table Options:
ENCRYPT= Table Option
Copyright © SAS Institute Inc. All Rights Reserved.
Last updated: February 23, 2017