ENCRYPTKEY= Data Set Option

Specifies a key value for AES (Advanced Encryption Standard) encryption.

Valid in: DATA step and PROC steps
Category: Data Set Control
Range: 1 to 64 bytes
Restrictions: Use with SAS 9.4 or later only.
Use only with AES-encrypted data files.
Note: Check your log after this operation to ensure encryption key security. For more information, see Blotting Passwords and Encryption Key Values in SAS Language Reference: Concepts.

Syntax

ENCRYPTKEY=key-value

Syntax Description

key-value

assigns an encrypt key value. You must specify the ENCRYPTKEY= data set option when you are using ENCRYPT=AES. The key value can be up to 64 bytes long. To create an ENCRYPTKEY= key value with or without quotation marks, follow these rules:

No quotation marks:

  • use alphanumeric characters and underscores only
  • can be up to 64 bytes long
  • use uppercase and lowercase letters
  • must start with a letter
  • cannot include blank spaces
  • is not case sensitive
%let mykey=abcdefghi12;
encryptkey=&mykey
encryptkey=key_value
encryptkey=key_value1

Single quotation marks:

  • use alphanumeric, special, and DBCS characters
  • can be up to 64 bytes long
  • use uppercase and lowercase letters
  • can include blank spaces, but cannot contain all blanks
  • is case sensitive
encryptkey='key_value'
encryptkey='1234*#mykey'

Double quotation marks:

  • use alphanumeric, special, and DBCS characters
  • can be up to 64 bytes long
  • use uppercase and lowercase letters
  • can include blank spaces, but cannot contain all blanks
  • is case sensitive
encryptkey="key_value"
encryptkey="1234*#mykey"
%let mykey=Abcdefghi12;
encryptkey="&mykey"

When the ENCRYPTKEY= key value uses DBCS characters, the 64-byte limit applies to the character string after it has been transcoded to UTF-8 encoding. You can use the following DATA step to calculate the length in bytes of a key value in DBCS:

data _null_;
    key=length(unicodec('key-value','UTF8'));
    put 'key length=' key;
run;
Interaction You cannot change the key value on an AES-encrypted data set without re-creating the data set.

Details

CAUTION:
Record all ENCRYPTKEY= values when you are using ENCRYPT=AES.
If you forget to record the ENCRYPTKEY= value, you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= value.
You must use the ENCRYPTKEY= option when you are creating or accessing a SAS data set with AES encryption.
The ENCRYPTKEY= data set option does not protect the file from deletion or replacement. Encrypted data sets can be deleted using any of the following scenarios without specifying an ENCRYPTKEY= key value:
  • the KILL option in PROC DATASETS
  • the DROP statement in PROC SQL
  • the DELETE procedure
The ENCRYPTKEY= option only prevents access to the contents of the file. To protect the file from deletion or replacement, the file must also contain an ALTER= password.
You must specify the ENCRYPTKEY= key value when you copy AES-encrypted data files. The value follows the data set name in the SELECT statement. The following example uses the SELECT statement:
copy in=OldLib out=NewLib; 
	select salary(encryptkey=key-value);
run;
When working with data files that are protected with the ENCRYPTKEY= key value in the DATASETS procedure, you can specify the value in the AGE, APPEND, AUDIT, CONTENTS, MODIFY, REBUILD, and REPAIR statements. You must also specify the value when the CHANGE statement refers to a specific generation data set by using a relative reference to the value:
change OldName(gennum=-1 encryptkey=key-value)=NewName;
run;
The option can be specified either in parentheses after the name of the SAS data file or after a forward slash.
CAUTION:
When you are using referential integrity constraints,all primary key and foreign key data files that reference each other must use the same encryption key.
For more information, see “Encryption and Integrity Constraints” in SAS Language Reference: Concepts.
You can use a macro variable as the ENCRYPTKEY= key value. The following code defines a macro variable:
%let secret=myvalue;
The following code uses the macro variable as the ENCRYPTKEY= key value:
data my.dsname(encrypt=aes encryptkey="&secret");
When you specify a macro variable for the ENCRYPTKEY= key value, you must enclose the macro variable in double quotation marks. If you do not use double quotation marks, unpredictable results can occur.

Example: Using the ENCRYPTKEY= Option

This example uses the ENCRYPT=AES option:
data salary(encrypt=aes encryptkey=green);
   input name $ yrsal bonuspct;
   datalines;
Muriel    34567  3.2
Bjorn     74644  2.5
Freda     38755  4.1
Benny     29855  3.5
Agnetha   70998  4.1
To use this data set, specify the ENCRYPTKEY= key value:
proc contents data=salary(encryptkey=green);
run;

See Also

SAS Data File Encryption in SAS Language Reference: Concepts