AUTHLIB Procedure

Example 12: Binding a Library with an Optional Recorded Encryption Key When Existing AES-Encrypted Data Sets Have Different Encryption Keys

Features:
PROC AUTHLIB statement options:
CREATE statement options:
    ENCRYPT=
    ENCRYPTKEY=
    PW=
    SECUREDLIBRARY=
    SECUREDFOLDER=
TABLES statement options:
    ENCRYPT=
    ENCRYPTKEY=

Details

This example demonstrates how to bind a library with an optional recorded encryption key. None of the data sets have passwords.
Because existing SAS code created and references the EmpInfo data set with ENCRYPTKEY=DEF, and because the recorded library key is not required, remove the ENCRYPTKEY=DEF specification from that code. Any code that re-creates the data must keep the ENCRYPT=AES option so that the optional recorded key is used when the data set is re-created.

Program

proc authlib lib=abcde; 
    create securedlibrary="ABCDEEmps"
        securedfolder="Department XYZZY" 
        pw=secret 
        encrypt=aes
        encryptkey=optionalkey;
 
    tables employee;
    tables empinfo / 
        encryptkey=def/optionalkey 
        encrypt=aes;
    tables deptname;
run;
quit;
 

Program Description

Library ABCDE has Employee, EmpInfo, and DeptName data sets. In this library, the EmpInfo data set is AES-encrypted and has the ENCRYPTKEY= value def.

proc authlib lib=abcde; 

Using the CREATE statement, enter the name of the metadata folder and name the secured library object in the SAS Metadata Server. The optional encryption key is specified for the metadata-bound library.

    create securedlibrary="ABCDEEmps"
        securedfolder="Department XYZZY" 
        pw=secret 
        encrypt=aes
        encryptkey=optionalkey;

A TABLES statement is required for each data set.

    tables employee;
    tables empinfo / 
        encryptkey=def/optionalkey 
        encrypt=aes;
    tables deptname;
run;
quit;

Results: The ABCDE library is bound and the optional encryption key is stored. When the statements are executed, the following happens to the three data sets. The Employee data set is updated with the new metadata-bound library password but is not encrypted. The DeptName data set is updated with the metadata-bound library password but is not encrypted. The EmpInfo data set is copied to re-encrypt it with the optional recorded key, and it gets the new metadata-bound library password. Note that it is necessary to supply both the current key and the new optional key in the TABLES statement for EmpInfo in this program. Without the new key specification, the data set would remain encrypted with the def key.
 

Log Examples

Changing an Encryption Key Value to the Recorded Encryption Key
467  libname abcde "c:\lib1";
NOTE: Libref ABCDE was successfully assigned as follows:
      Engine:        V9
      Physical Name: c:\lib1
468
469  proc authlib lib=abcde;
470  create securedlibrary="ABCDEEmps"
471  securedfolder="Department XYZZY"
472  pw=XXXXXX
473  encrypt=aes
474  encryptkey=XXXXXXXXXXX;
475  tables employee;
476  tables empinfo /
477  encryptkey=XXX/XXXXXXXXXXX 
478  encrypt=aes;
479  tables deptname;
480  run;

NOTE: Successfully created a secured library object for the physical library ABCDE and recorded its location as:
           SecuredFolder:      /System/Secured Libraries/Department XYZZY
           SecuredLibrary:     ABCDEEmps
           SecuredLibraryGUID: 8E683650-B306-4871-A92D-16D481EC6456
NOTE: Successfully added new secured table object "EMPLOYEE.DATA" to the secured library object at path "/System/Secured
      Libraries/Department XYZZY/ABCDEEmps" for data set ABCDE.EMPLOYEE.DATA.
NOTE: The passwords on ABCDE.EMPLOYEE.DATA were successfully modified.
NOTE: Copying data set ABCDE.EMPINFO in place to encrypt with the new secured library passwords or encryption options.
NOTE: Renaming the data set ABCDE.EMPINFO to ABCDE.__TEMP_ENCRYPT_FILE_NAME__.
NOTE: Copying the data set ABCDE.__TEMP_ENCRYPT_FILE_NAME__ to ABCDE.EMPINFO.
NOTE: Metadata-bound library permissions are used for ABCDE.EMPINFO.DATA.
NOTE: Successfully added new secured table object "EMPINFO.DATA" to the secured library object at path "/System/Secured
      Libraries/Department XYZZY/ABCDEEmps" for data set ABCDE.EMPINFO.DATA.
NOTE: There were 5 observations read from the data set ABCDE.__TEMP_ENCRYPT_FILE_NAME__.
NOTE: The data set ABCDE.EMPINFO has 5 observations and 6 variables.
NOTE: Deleting the data set ABCDE.__TEMP_ENCRYPT_FILE_NAME__.
NOTE: The passwords on ABCDE.EMPINFO.DATA were successfully modified.
NOTE: Successfully added new secured table object "DEPTNAME.DATA" to the secured library object at path "/System/Secured
      Libraries/Department XYZZY/ABCDEEmps" for data set ABCDE.DEPTNAME.DATA.
NOTE: The passwords on ABCDE.DEPTNAME.DATA were successfully modified.
480  quit;
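
An added example (not part of the SAS documentation): a Python check that reads a PROC AUTHLIB log such as the one above and reports, per data set, whether it was registered as a secured table object and whether it was copied in place for re-encryption, and flags any renamed temporary data set that has no matching deletion NOTE. The function names and the sample log (abridged from the NOTE lines above) are constructed for illustration.

```python
import re

# Constructed sample: NOTE lines abridged from the log shown above, including
# NOTEs that the SAS log wrapped onto an indented continuation line.
SAMPLE_LOG = """\
NOTE: Successfully added new secured table object "EMPLOYEE.DATA" to the secured library object at path "/System/Secured
      Libraries/Department XYZZY/ABCDEEmps" for data set ABCDE.EMPLOYEE.DATA.
NOTE: Copying data set ABCDE.EMPINFO in place to encrypt with the new secured library passwords or encryption options.
NOTE: Renaming the data set ABCDE.EMPINFO to ABCDE.__TEMP_ENCRYPT_FILE_NAME__.
NOTE: Copying the data set ABCDE.__TEMP_ENCRYPT_FILE_NAME__ to ABCDE.EMPINFO.
NOTE: Successfully added new secured table object "EMPINFO.DATA" to the secured library object at path "/System/Secured
      Libraries/Department XYZZY/ABCDEEmps" for data set ABCDE.EMPINFO.DATA.
NOTE: Deleting the data set ABCDE.__TEMP_ENCRYPT_FILE_NAME__.
480  quit;
"""


def join_notes(log_text):
    """Return NOTE messages with wrapped continuation lines rejoined."""
    notes, in_note = [], False
    for line in log_text.splitlines():
        if line.startswith("NOTE:"):
            notes.append(line[5:].strip())
            in_note = True
        elif in_note and line[:1].isspace() and line.strip():
            notes[-1] += " " + line.strip()
        else:
            in_note = False  # blank line or numbered source line ends the note
    return notes


def audit_binding(log_text, tables):
    """Per-table bound/re-encrypted status, plus temp copies never deleted."""
    notes = join_notes(log_text)
    status, renamed, deleted = {}, set(), set()
    for name in (t.upper() for t in tables):
        copy_note = rf"Copying data set \S+\.{re.escape(name)} in place to encrypt"
        status[name] = {
            "bound": any(f'secured table object "{name}.DATA"' in n for n in notes),
            "reencrypted": any(re.match(copy_note, n) for n in notes),
        }
    for n in notes:
        if m := re.fullmatch(r"Renaming the data set \S+ to (\S+)\.", n):
            renamed.add(m.group(1))
        elif m := re.fullmatch(r"Deleting the data set (\S+)\.", n):
            deleted.add(m.group(1))
    return status, sorted(renamed - deleted)


if __name__ == "__main__":
    print(audit_binding(SAMPLE_LOG, ["employee", "empinfo", "deptname"]))
```

A non-empty second return value means the log shows a data set renamed for re-encryption with no matching deletion NOTE, so the renamed original may still be in the library.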