Considerations for Data File Encryption

Encrypting Metadata-Bound Data

The process for encrypting metadata-bound tables is the same as for encrypting traditional tables, except that the Read password is obtained from the secured library object (in metadata). The password is not supplied in SAS code.
See “SAS Data File Encryption” in Chapter 34 of SAS Language Reference: Concepts.

Changing Encrypted Table Passwords

No Direct Changes

Nobody can directly change or remove the password on encrypted tables in a metadata-bound library.

Suggested Process

If you need to change the password on a metadata-bound library that contains encrypted tables, use a process such as the following:
  1. Use SAS code to create a copy of the encrypted physical tables with the new password, in a separate directory. You can use the OVERRIDE option of the COPY procedure to set the new password.
  2. Delete the original physical tables from the original library, using either a host delete command or the KILL option of the DATASETS procedure.
  3. Change the password on the original library to the new value, using the MODIFY statement of the AUTHLIB procedure.
  4. Use SAS to copy the physical tables back to the original library.
  5. Delete the copy of the physical tables that you created in step 1.

Integrity Constraints

If there are referential integrity constraints in any of the tables, adjust the preceding process as follows:
  • Specify CONSTRAINT=YES in step 1 and step 4.
  • Either remove the constraints (delete the foreign keys) before performing step 2, or use a host delete command in step 2.

Tip: If only a few of the tables are encrypted, and none of those tables have integrity constraints, consider using SELECT statements in steps 1 and 4 (instead of making adjustments as indicated in the preceding list).

Example

For example, the following code fragment performs steps 1 through 4 of the suggested process. In this example, X is the encrypted library, B is a table that has referential integrity constraints, and FKB is a foreign key within table B.
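
/* Step 1: copy the tables to a separate directory, applying the new password */
proc copy in=x out=emptydir override=(pw=secret2) constraint=yes;
run;

/* Remove the foreign key from table B before deleting the tables */
proc datasets library=x;
  modify b;
  ic delete fkb;
run;
quit;

/* Step 2: delete the original physical tables */
proc datasets library=x kill;
run;

/* Step 3: change the library password from the old value to the new value */
proc authlib library=x;
  modify pw=secret/secret2;
run;
quit;

/* Step 4: copy the tables (with their constraints) back to the original library */
proc copy in=emptydir out=x constraint=yes;
run;
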
To complete the process (step 5), the following code fragment deletes the copy of the physical tables from the WORK library.

/* Remove the foreign key from the copy of table B, supplying the new password */
proc datasets library=emptydir;
  modify b(pw=secret2);
  ic delete fkb;
run;
quit;

/* Step 5: delete the copied tables */
proc datasets library=emptydir kill pw=secret2;
run;