-
On the
Folders tab
in SAS Management Console, beneath a
/System/Secured
Libraries
branch, locate the secured library object that corresponds to the metadata-bound
library whose encryption options you want to change.
-
Right-click the object
and select
Modify. The
Modify
Secured Library dialog box appears:
Refer to the entries
in the previous example as you complete steps 3 through 8.
-
Select the application
server that you want to use to update the binding information in the
target directory.
Note: The application server must
include a standard workspace server that has host access to the target
directory.
-
Verify that the directory path of the target metadata-bound library is correct.
Note: The directory path is pre-populated
with the most recently referenced path. If any directories in the
path have been renamed, be sure to modify the path.
-
The
Automatically
purge old library credentials check box is selected by default. This option automatically removes all retained
metadata-bound library credentials (passwords or encryption keys) if all tables in
the library are successfully modified to use the newer credentials.
If you want the replaced encryption key to be retained in metadata, then clear the
check box. For example, you might
want to retain the replaced encryption key so that you can process data sets that
are restored from backups taken before the key was replaced. The old encryption key
is retained until you use the PURGE
statement to remove it, or until you later modify the library with the check box selected.
-
Supply the current password of the target metadata-bound library.
Note: If the target metadata-bound
library has three distinct passwords, select the Specify
multiple passwords check box, so there are three fields
in the Password row. Supply all three passwords.
-
If the library’s data sets are already encrypted using AES encryption and the key
is not stored in the library’s metadata, enter the current key in the
Encrypt Key field.
Tip
The value that you enter is
a passphrase of up to 64 characters in length, from which the actual
AES encryption key is derived. Most SAS documentation refers to the
passphrase as the encryption key.
Tip
The key that you enter is
placed in quotation marks when it is submitted to SAS and is therefore
case sensitive. If the key was originally specified in SAS code without
quotation marks, then be sure to use uppercase letters when entering
it here.
-
If you want to require encryption for all tables that are bound to the library, select
the
Require
Encryption check box and select
Yes.
If an AES encryption key was previously stored in the library’s metadata, that key
will be used to encrypt
every
data set that is bound to the library. If you want to use a different key, or if you did not
previously store a key, specify the key as described in step 8.
If you want to require SAS Proprietary encryption, select Encryption Type check
box and select SAS Proprietary.
-
If you want to store an AES encryption key in the library’s metadata or change the
value of a previously stored key:
-
Select the
Encryption
Type check box and select
AES.
-
Enter an encryption key in the
New Encrypt Key and
Confirm
Encrypt Key fields.
Tip
The value that you enter is
a passphrase of up to 64 characters in length.
Tip
The encryption key is placed
in quotation marks when it is submitted to SAS and is therefore case
sensitive.
Tip
Be sure to keep a record of
the encryption key, even though it is stored in metadata.
If encryption is required, the stored key will be used to encrypt every data set that
is bound in the library.
If encryption is not required, the stored key will be used to re-encrypt every data
set that was encrypted using a previously stored key. It will also be used to encrypt
new tables when AES encryption is specified in SAS code but no key is supplied.
Note: If you choose not to require
encryption, then you can use the TABLES statement with the code method
to specify an encryption key for each table. However, SAS recommends
that you store an encryption key in the library’s metadata
and use it for all of the library’s metadata-bound data sets
that are encrypted with AES.
CAUTION:
For AES-encrypted
data sets that are referentially related to one another, follow these
best practices to ensure that the data does not become inaccessible:
Store the encryption key in the library’s metadata. You can modify the stored key,
but do not remove the
key from metadata and do not unbind the library.
-
-
In the
Modify
Secured Library window, click
Yes to
view the log.
It is strongly recommended that you always check the log for warnings after you perform
an action on a secured library object. If the log indicates that some tables were
not modified (perhaps because a user was
accessing them), repeat the modification when the tables are not being used. When
doing so, specify the new encryption key in the Encrypt Key field.
Note: You can remove encryption
by selecting an encryption type of None.
However, if encryption is currently required, you must use a two-step
process. In the first step, select the Require Encryption check
box, select No, and select the current encryption
type. Click OK to save this change. Then,
modify the library again, and select an encryption type of None.