Changing a Metadata-Bound Library’s Encryption Options

Overview

To change the encryption options for a metadata-bound library, use either SAS Management Console or the AUTHLIB procedure.

Requirements

In order to change a library’s encryption options, the following requirements must be met:
  • You must know the current password for the metadata-bound library.
  • The requesting workspace server (or SAS session) must run under an account that has host-layer control of the target physical library. For host-specific details, see Requirement for Host-Layer Control.
  • The requesting workspace server (or SAS session) must connect to the metadata server as an identity that has the ReadMetadata and WriteMetadata permissions to the corresponding secured library object and secured table objects.
    Note: On a secured library object, the WriteMemberMetadata permission (from the parent secured data folder) is inherited as the WriteMetadata permission. See WriteMetadata and WriteMemberMetadata in SAS Intelligence Platform: Security Administration Guide.

GUI Method

Introduction

In SAS Management Console, you change a library’s encryption options by modifying its corresponding secured library object.

Instructions

  1. On the Folders tab in SAS Management Console, beneath a /System/Secured Libraries branch, locate the secured library object that corresponds to the metadata-bound library whose encryption options you want to change.
  2. Right-click the object and select Modify. The Modify Secured Library dialog box appears:
    [Figure: the Modify Secured Library dialog box]
    Refer to the entries in the previous example as you complete steps 3 through 8.
  3. Select the application server that you want to use to update the binding information in the target directory.
    Note: The application server must include a standard workspace server that has host access to the target directory.
  4. Verify that the directory path of the target metadata-bound library is correct.
    Note: The directory path is pre-populated with the most recently referenced path. If any directories in the path have been renamed, be sure to modify the path.
  5. The Automatically purge old library credentials check box is selected by default. This option automatically removes all retained metadata-bound library credentials (passwords or encryption keys) if all tables in the library are successfully modified to use the newer credentials.
    If you want the replaced encryption key to be retained in metadata, then clear the check box. For example, you might want to retain the replaced encryption key so that you can process data sets that are restored from backups taken before the key was replaced. The old encryption key is retained until you use the PURGE statement to remove it, or until you later modify the library with the check box selected.
  6. Supply the current password of the target metadata-bound library.
    Note: If the target metadata-bound library has three distinct passwords, select the Specify multiple passwords check box, so there are three fields in the Password row. Supply all three passwords.
  7. If the library’s data sets are already encrypted using AES encryption and the key is not stored in the library’s metadata, enter the current key in the Encrypt Key field.
    Tip: The value that you enter is a passphrase of up to 64 characters in length, from which the actual AES encryption key is derived. Most SAS documentation refers to the passphrase as the encryption key.
    Tip: The key that you enter is placed in quotation marks when it is submitted to SAS and is therefore case sensitive. If the key was originally specified in SAS code without quotation marks, then be sure to use uppercase letters when entering it here.
  8. If you want to require encryption for all tables that are bound to the library, select the Require Encryption check box and select Yes.
    If an AES encryption key was previously stored in the library’s metadata, that key will be used to encrypt every data set that is bound to the library. If you want to use a different key, or if you did not previously store a key, specify the key as described in step 8.
    If you want to require SAS Proprietary encryption, select the Encryption Type check box and select SAS Proprietary.
  9. If you want to store an AES encryption key in the library’s metadata or change the value of a previously stored key:
    1. Select the Encryption Type check box and select AES.
    2. Enter an encryption key in the New Encrypt Key and Confirm Encrypt Key fields.
    Tip: The value that you enter is a passphrase of up to 64 characters in length.
    Tip: The encryption key is placed in quotation marks when it is submitted to SAS and is therefore case sensitive.
    Tip: Be sure to keep a record of the encryption key, even though it is stored in metadata.
    If encryption is required, the stored key will be used to encrypt every data set that is bound in the library.
    If encryption is not required, the stored key will be used to re-encrypt every data set that was encrypted using a previously stored key. It will also be used to encrypt new tables when AES encryption is specified in SAS code but no key is supplied.
    Note: If you choose not to require encryption, then you can use the TABLES statement with the code method to specify an encryption key for each table. However, SAS recommends that you store an encryption key in the library’s metadata and use it for all of the library’s metadata-bound data sets that are encrypted with AES.
    CAUTION:
    For AES-encrypted data sets that are referentially related to one another, follow these best practices to ensure that the data does not become inaccessible:
    Store the encryption key in the library’s metadata. You can modify the stored key, but do not remove the key from metadata and do not unbind the library.
  10. Click OK.
  11. In the Modify Secured Library window, click Yes to view the log.
    [Figure: the Modify Secured Library window]
    It is strongly recommended that you always check the log for warnings after you perform an action on a secured library object. If the log indicates that some tables were not modified (perhaps because a user was accessing them), repeat the modification when the tables are not being used. When doing so, specify the new encryption key in the Encrypt Key field.
Note: You can remove encryption by selecting an encryption type of None. However, if encryption is currently required, you must use a two-step process. In the first step, select the Require Encryption check box, select No, and select the current encryption type. Click OK to save this change. Then, modify the library again, and select an encryption type of None.

Code Method

As an alternative to using SAS Management Console, you can use the AUTHLIB procedure to modify encryption options. See MODIFY Statement.
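
The following is an added example, not taken from the SAS documentation, that mirrors the GUI steps above with PROC AUTHLIB: it requires AES encryption, replaces the stored key while retaining the old one, and then checks the result. The libref, path, password, and passphrases are placeholders, and the session is assumed to be connected to the metadata server already as an identity that meets the requirements listed earlier.

```sas
/* Added example. The libref, path, password and keys are placeholders. */
/* Assumes this session is already connected to the metadata server as  */
/* an identity with ReadMetadata and WriteMetadata on the secured       */
/* library, and runs under an account with host-layer control of the    */
/* physical directory.                                                  */
libname klmno "/data/secure/klmno";

/* Require AES for every bound table and replace the stored key.        */
proc authlib lib=klmno;
   modify
      pw=CurrentPw              /* current library password             */
      require_encryption=yes    /* GUI: Require Encryption = Yes        */
      encrypt=aes               /* GUI: Encryption Type = AES           */
      /* current key / new key. Quoted values are case sensitive;       */
      /* a key given without quotation marks is treated as uppercase.   */
      encryptkey="old passphrase"/"New Passphrase"
      purge=no;                 /* keep the replaced key in metadata,   */
                                /* e.g. for data sets restored from     */
                                /* backups taken before the change      */
run;
quit;

/* Review the log for warnings, then check the library for tables that  */
/* were not modified (for example, because they were in use).           */
proc authlib lib=klmno;
   report;
run;
quit;

/* Later, once no data sets depend on the replaced key, remove the      */
/* retained credentials.                                                */
proc authlib lib=klmno;
   purge;
run;
quit;
```

If the library has three distinct passwords, supply them with the READ=, WRITE=, and ALTER= options in place of PW=.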

Results

After you complete the preceding steps, the tables are re-encrypted using the newly supplied options.
The new AES encryption key is recorded in the metadata and associated with the corresponding secured library object.