Considerations for Data File Encryption

Overview

In general, the process for encrypting metadata-bound tables is the same as for encrypting traditional tables, except for the following:
  • The Read password is obtained from the secured library object (in metadata), instead of being supplied in SAS code.
  • Beginning in the first maintenance release for SAS 9.4, AES encryption keys can be obtained from the secured library object (in metadata), instead of being supplied in SAS code.
  • Beginning in the first maintenance release for SAS 9.4, you can specify that encryption is required for the tables in a library. When tables are created or modified, the data is automatically encrypted using the specified method.
The following topics document aspects of data encryption that are specific to metadata-bound libraries.

Using AES Encryption with Metadata-Bound Libraries

When you create or modify a metadata-bound library and specify AES encryption, you can specify an encryption key to be stored in the library’s metadata. The stored key is used to attempt to open the library’s AES-encrypted data sets when no key is supplied by the user. If a table has a different encryption key, it cannot be opened unless the user supplies the correct key.
You can specify that AES encryption is required for the tables in a library. In this case, the stored encryption key is used to encrypt every data set that is bound in the library. You cannot specify different encryption keys for individual tables if encryption is required.
If encryption is not required, the stored key is used to encrypt new tables when AES encryption is specified in SAS code but no key is supplied.
To simplify administration, we strongly recommend that all AES-encrypted tables within a metadata-bound library be encrypted with the same key.
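The following example is added here to illustrate the stored-key behavior described above; it is not taken from the SAS documentation and is not SAS-supplied code. A library is bound with a stored AES key and required encryption, a table is created with no ENCRYPT= or ENCRYPTKEY= in the code, and the table is then read without a key. The libref, physical path, secured library and folder names, password, key and data values are constructed placeholders, and the PROC AUTHLIB option names (SECUREDLIBRARY=, SECUREDFOLDER=, PW=, ENCRYPT=, ENCRYPTKEY=, REQUIRE_ENCRYPTION=) are used as understood from the PROC AUTHLIB syntax in the first maintenance release for SAS 9.4; verify them against the PROC AUTHLIB reference for your release.

```sas
/* Added example, not from the SAS documentation: bind a library with a
   stored AES key and required encryption, then create and read a table.
   All names, paths, passwords and keys below are constructed placeholders. */

libname hrdata "/sasdata/hr";                 /* constructed physical path */

/* 1. Bind the library to metadata. REQUIRE_ENCRYPTION=YES means every
      table written to the library is AES-encrypted with the key stored
      in the secured library object, and a per-table key that differs
      from it cannot be specified. */
proc authlib lib=hrdata;
   create securedlibrary='HR Secured Library'          /* constructed name   */
          securedfolder='/System/Secured Libraries/HR'  /* constructed folder */
          pw=hrReadPw1                                  /* placeholder Read password   */
          encrypt=aes
          encryptkey="Stored-Key-Placeholder-2024"      /* placeholder key, stored in metadata */
          require_encryption=yes;
run;

/* 2. No ENCRYPT= or ENCRYPTKEY= data set option is coded. Because
      encryption is required for the library, the new table is still
      AES-encrypted with the stored key. Constructed sample rows. */
data hrdata.salaries;
   input empid salary;
   datalines;
101 52000
102 61000
;
run;

/* 3. No key is supplied on open: SAS tries the key stored in metadata
      first, so an authorized user reads the table without coding the
      key or the Read password. */
proc print data=hrdata.salaries;
run;

/* 4. Because REQUIRE_ENCRYPTION=YES is in effect, a statement such as
      data hrdata.bonuses(encryptkey="Other-Key"); ... would be rejected:
      individual tables cannot use a different key. Per-table keys are
      possible only when encryption is not required, and even then a
      table opened without a key is tried with the stored key first. */
```

If the library were bound without REQUIRE_ENCRYPTION=YES, the same DATA step would produce an unencrypted table, and a step that codes encrypt=aes but no ENCRYPTKEY= would be encrypted with the stored key, which is the behavior the preceding paragraph describes for libraries where encryption is not required.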

Making Security-Related Changes to an Encrypted Table

When you modify the encryption options for a metadata-bound library or table, a copy-in-place approach is used to re-encrypt any tables that were originally encrypted. For example, this approach is used to apply a new encryption method or a new AES encryption key, to automatically encrypt tables when encryption is required, and to incorporate a new READ password into keys for default SAS encryption.
The following actions occur in the copy-in-place process:
  1. The original table is renamed to the reserved data set name __TEMP_ENCRYPT_FILE_NAME__.
  2. The temporary table is copied back to the original table name (which causes the data to be re-encrypted).
    Note: In order for this step to be completed, the metadata-layer Create Table and Alter Table permissions are required.
  3. The temporary table (__TEMP_ENCRYPT_FILE_NAME__) is deleted.
The preceding process occurs automatically when it is needed. No action on your part is required.
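The following example is added here and is not from the SAS documentation or SAS-supplied code; it shows the kind of change that triggers the copy-in-place process above. A library that was previously bound with only a Read password (default SAS encryption) is modified to require AES encryption with a stored key, so each bound table is re-encrypted in place during the MODIFY statement. The libref, path, secured library name, password and key are constructed placeholders, and the PROC AUTHLIB MODIFY option names are used as understood from the first maintenance release for SAS 9.4 syntax; verify them against the PROC AUTHLIB reference for your release.

```sas
/* Added example, not from the SAS documentation: switch an existing
   metadata-bound library to required AES encryption with a stored key.
   Names, paths, passwords and keys are constructed placeholders. */

libname hrdata "/sasdata/hr";                 /* constructed physical path */

/* The library is assumed to be already bound with PW=hrReadPw1 and
   default SAS encryption. Adding ENCRYPT=AES, a stored key, and
   REQUIRE_ENCRYPTION=YES changes the encryption options, so SAS
   re-encrypts the bound tables as part of this step. */
proc authlib lib=hrdata;
   modify securedlibrary='HR Secured Library'          /* constructed name */
          pw=hrReadPw1                                  /* current Read password, placeholder */
          encrypt=aes
          encryptkey="Stored-Key-Placeholder-2025"      /* placeholder key to store in metadata */
          require_encryption=yes;
run;

/* For each table that must be re-encrypted, the copy-in-place sequence
   runs automatically inside the MODIFY step:
     a. the table is renamed to __TEMP_ENCRYPT_FILE_NAME__;
     b. it is copied back under its original name, which writes the data
        with the new encryption method and key;
     c. __TEMP_ENCRYPT_FILE_NAME__ is deleted.
   Step b requires the metadata-layer Create Table and Alter Table
   permissions for the identity running PROC AUTHLIB, so grant those
   before making the change rather than discovering the gap mid-run. */

/* Confirm the result: the table opens without a key because the new
   stored key is tried first. */
proc contents data=hrdata.salaries;
run;
```

Because the reserved name __TEMP_ENCRYPT_FILE_NAME__ is used for every table in turn, no table of that name should exist in the library when encryption options are changed, and storage for one extra copy of the largest bound table should be available while the step runs.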