Encryption

Introduction

SAS Visual Analytics uses platform-level functionality to encrypt sensitive data in transit and on disk. See Encryption Model in the SAS Intelligence Platform: Security Administration Guide.
This topic helps you get started with AES encryption of data that SAS Visual Analytics writes to disk.

On-Disk Encryption of Reload-on-Start Files

Overview

To increase protection of data in a reload-on-start backing store, bind the backing store to metadata and enable encryption on the corresponding secured library.
CAUTION:
Binding physical data to metadata is an advanced technique.
Before you configure encryption, see Overview of Metadata-Bound Libraries in SAS Guide to Metadata-Bound Libraries and review the following key points.

Key Points

  • Access to in-memory data is unaffected by encryption of corresponding backing store files. Encrypted backing store files are not read or written as quickly as unencrypted backing store files.
  • Each metadata-bound backing store is represented twice in metadata:
    • One representation is a traditional library that is assigned as the backing store for a particular LASR library.
    • The other representation is a secured library to which the physical backing store is bound.
    To read from or write to an encrypted backing store, you must have sufficient metadata-layer permissions on both the traditional library and the secured library.
  • Passphrases (Encrypt Key values) and passwords are not promoted. After the initial import of a secured library, you must re-apply the passphrase and password (or passwords) in the target environment. See Promoting Secured Data Folders, Secured Library Objects, and Secured Table Objects in the SAS Intelligence Platform: System Administration Guide.
  • To use AES, SAS/SECURE must be installed and available. See SAS/SECURE in Encryption in SAS.

Encrypt a Backing Store Library

  1. Identify or create a backing store for a LASR library that supports reload-on-start and will contain sensitive data. See How to Enable Reload-on-Start.
    Note: A backing store is a host directory that is registered in metadata and assigned to a LASR library as its data provider library.
  2. Log on to SAS Management Console as someone who has the following privileges:
    • Host-layer control of the target directory:
      • On Windows, you must have full control of the directory.
      • On UNIX, you must be an owner of the directory.
    • Metadata-layer access to the Secured Libraries folder. The SAS Administrators group usually has the necessary access.
  3. On the Folders tab, navigate to System, then select Secured Libraries, right-click, and select New, then select Secured Library.
    Note: As an alternative, you can first create a secured library folder, and then create the new secured library within that folder. If you are creating multiple secured libraries, it is usually more efficient to create one or more folders, so that each secured library inherits effective permissions from a parent folder. Each secured table inherits effective permissions from its parent secured library. See Object Creation, Location, and Inheritance.
  4. On the General page, enter a name and description. Click Next.
  5. On the Connection Data page, provide information as follows:
    1. Select a SAS Application Server. For Library Path, click Browse, and select your target directory.
    2. Enter and confirm a library password.
      CAUTION:
      If you lose a library password, you cannot unbind or modify the library.
      Keep track of the password (or passwords) that you enter.
      Note: The password must be a valid SAS name. (It must begin with a letter or an underscore. It can include letters, underscores, and numeric digits. It is not case sensitive. It cannot be longer than 8 characters.) If you need to create a longer, compound password, select the Specify multiple passwords check box and specify multiple passwords.
    3. Select the Require Encryption check box and its Yes radio button. With this setting, the following files are encrypted:
      • Any unencrypted tables that already exist in the directory.
      • Tables that are later added to the directory during imports that participate in reload-on-start.
      • Tables that are later added to the directory directly through SAS code. (Do not use a host copy utility to add tables to the directory.)
    4. Select the Encryption Type check box and its AES radio button.
    5. Leave the first Encrypt Key field blank. That field is not applicable when you create a secured library for a directory that is empty or contains only unencrypted files.
      Enter a value in the New Encrypt Key and Confirm Encrypt Key fields. Here are some details:
      • Keep track of the value that you enter.
      • The value that you enter functions as a passphrase that is used to create the actual key with which AES encrypts the target tables.
      • The value that you enter is automatically enclosed in quotation marks when it is saved, so the value is case sensitive. (Do not include quotation marks when you enter a value.) For more information, see ENCRYPTKEY= in the SAS Data Set Options: Reference.
    6. Click Finish. When prompted, click Yes to review the log.
  6. Review and adjust metadata-layer access to the new secured library.
    1. Right-click on the new secured library, and select Properties.
      Note: If you are managing permissions at the folder level, right-click on the appropriate secured library folder.
    2. On the Authorization tab, use one of the following techniques:
      • Grant all permissions to a broad group, such as PUBLIC, SASUSERS, or Visual Analytics Users. This simple approach uses the secured library only to provide on-disk encryption.
      • Grant permissions in a more selective, limited manner. This advanced approach uses the secured library to provide enhanced enforcement of authorization constraints, as well as on-disk encryption. See Permissions for Metadata-Bound Data. Here are some examples:
        • To import a table that participates in reload-on-start, a user must have the Create Table permission on the corresponding secured library object.
          Note: If a same-named table already exists in the metadata-bound backing store, the user must also have the Alter Table permission on the corresponding secured table object.
        • To reload a table (using reload-on-start), the user who triggers the SAS LASR Analytic Server to start must have the ReadMetadata and Select permissions on the corresponding secured table object.
  7. To verify the results:
    • In the data builder, explorer, or designer, import a participating table. For example, import a local file to a LASR library that supports reload-on-start from an AES-encrypted backing store.
    • In the administrator, stop and then start a SAS LASR Analytic Server that is associated with a LASR library that supports reload-on-start from an AES-encrypted backing store.
    • In SAS code, run the CONTENTS procedure against the backing store library. The procedure output indicates whether tables are encrypted.
    • For further verification, see Validating a Metadata-Bound Library.

Additional Information

This topic is intended to help you get started. For alternate methods and related tasks, see the chapter Implementation of Metadata-Bound Libraries in the SAS Guide to Metadata-Bound Libraries.
For example:

On-Disk Encryption of SASHDAT Files

Overview

To increase protection of SASHDAT files, enable on-disk AES encryption for a library that uses the SASHDAT engine.
CAUTION:
Encrypting SASHDAT files can significantly impact data availability and memory consumption.
Before you configure encryption, review the following sections.

Key Points

  • Access to in-memory data is unaffected by encryption of corresponding SASHDAT files. Encrypted SASHDAT files are not read or written as quickly as unencrypted SASHDAT files.
  • Encrypted SASHDAT files are available only to requests that are authorized by the SAS LASR Authorization Service (which is also referred to as the signer). For authorized requests, the authorization service retrieves the encryption passphrase from metadata and provides it to the SASHDAT engine. This enables the SASHDAT engine to encrypt and decrypt data as needed. Here are the related requirements:
    • The connection object for the associated data server must enable the authorization service. For SAS Visual Analytics, encryption of SASHDAT files is always signer-managed.
    • In an encrypted SASHDAT library, users who add, delete, or load associated data must have the Read permission.
    • Within an environment, each Hadoop server must have a unique host name. Within a Hadoop server, each SASHDAT library must have a unique host path.
  • Encrypted SASHDAT files always consume unmapped memory when they are loaded. Memory mapping is not available for LASR tables that are loaded from encrypted SASHDAT files.
  • Encrypted SASHDAT files are always uncompressed when they are loaded.
    Note: You can use compression to conserve disk space for an encrypted SASHDAT file. However, compressing an encrypted SASHDAT file does not conserve memory. Before an encrypted file is loaded, it must be decrypted—decryption requires that the data be uncompressed.
  • Changes that you make to SASHDAT encryption settings do not affect existing SASHDAT files.
  • If you want to centralize SASHDAT encryption configuration, specify encryption settings at the server level, and configure each associated library to inherit its settings.
  • Passphrases (Encrypt Key values) are not promoted. After the initial import of an encrypted SASHDAT library or server, you must use SAS Management Console to re-apply the passphrase in the target environment.
    Note: If both the source and the target environment reference the same physical data instance, then you do not have to copy and replace that data (because that data remains encrypted).
  • To encrypt SASHDAT files, the following requirements must be met:
    • The SAS TKGrid Encryption Extension must be installed and available. See the SAS High-Performance Analytics Infrastructure: Installation and Configuration Guide.
    • To use AES, SAS/SECURE must be installed and available. See SAS/SECURE in Encryption in SAS.

Protect Encryption Settings

To protect SASHDAT encryption settings, limit WriteMetadata access to the SASHDAT library.
Limiting WriteMetadata access is necessary because anyone who has WriteMetadata access to an encrypted SASHDAT library can modify its VA.Encryption.Enabled extended attribute. That attribute is intended exclusively for internal purposes. Nobody should directly set, modify, or delete the VA.Encryption.Enabled attribute. Instead, unrestricted users can manage settings from the library’s Options tab, as instructed below.
Note: Limiting WriteMetadata access has side effects. Users who lack WriteMetadata access to a library cannot register tables in or delete tables from that library.
For example, for maximum protection, you might give the PUBLIC group an explicit denial of WriteMetadata on the Authorization tab of an encrypted SASHDAT library. With that setting, only an unrestricted user has WriteMetadata access to the library. Actions that add or remove SASHDAT table metadata for that library must be performed by an unrestricted user.

Encrypt a SASHDAT Library

  1. Identify a SASHDAT library that references an empty target directory.
    Note: These instructions are for an existing SASHDAT library. To create a new library that uses the SASHDAT engine, see the SAS Intelligence Platform: Data Administration Guide.
  2. Log on to SAS Management Console as an unrestricted user (for example, sasadm@saspw).
  3. On the library, set encryption options and adjust metadata-layer permissions.
    1. On the Plug-ins tab, expand the Data Library Manager node and then the Libraries node. Right-click the target library, and select Properties.
    2. On the Options tab, make the following changes:
      1. In the Enable Encryption field, select the Yes radio button.
        Tip
        To instead make the library inherit encryption settings from its associated data server, select the Inherit from server radio button. Then, verify that encryption is enabled on the data server’s Options tab. Inherited settings are dynamic. Server-level changes affect all associated libraries that are configured to inherit server-level settings.
      2. Enter a value in the New Encrypt Key and Confirm Encrypt Key fields.
        CAUTION:
        If the passphrase is lost, all access to the encrypted data is irretrievably lost.
        Keep track of the passphrase that you enter.
        Here are some details:
        • The value that you enter functions as a passphrase that is used to create the actual key with which AES encrypts the target tables.
        • The value that you enter is automatically enclosed in quotation marks when it is saved, so the value is case sensitive. (Do not include quotation marks when you enter a value.) For more information, see ENCRYPTKEY= in the SAS Data Set Options: Reference.
    3. On the Authorization tab, grant the Read permission to users who add data to the encrypted library, load data from the encrypted library, or delete data from the encrypted library. In most cases, it is sufficient to grant the Read permission to the following groups:
      • Visual Analytics Data Administrators
      • Visual Data Builder Administrators
      Note: For an unencrypted SASHDAT library, the Read permission is not required or enforced.
      Note: You can grant the Read permission on a parent folder, rather than directly on the library.
    4. On the Authorization tab, make sure that WriteMetadata access is limited. See Protect Encryption Settings.
    5. Click OK.
  4. On the associated server’s connection object, enable the LASR authorization service.
    CAUTION:
    If the LASR authorization service is not enabled, added tables are not encrypted and encrypted tables are not available.
    1. On the Plug-ins tab, expand Server Manager, and select the target data server.
    2. In the right pane, right-click the server’s connection object, and select Properties.
    3. On the Options tab, make sure the Use LASR authorization service check box is selected.
  5. To verify the results:
    • Add tables to the SASHDAT library.
    • Load tables from the SASHDAT library to a SAS LASR Analytic Server.
    • For SASHDAT files in co-located HDFS, examine each table’s Encryption property on the administrator’s HDFS tab. See About the HDFS Tab.
    • In SAS code, run the CONTENTS procedure against the SASHDAT library. The procedure output indicates whether tables are encrypted.
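The verification steps for both the reload-on-start backing store (above, under Encrypt a Backing Store Library) and the SASHDAT library describe running the CONTENTS procedure and reading the Encrypted attribute from its output. The following SAS program is an added example; it is not code from the SAS documentation. It captures that attribute for every table in a library with ODS OUTPUT and lists any table that is not encrypted, so an administrator can check a whole directory at once instead of reading each CONTENTS listing by hand. The libref name ENCLIB and the library path are placeholders; assign the libref to the backing store directory (Base engine) or to the SASHDAT library as appropriate for your environment.

```sas
/* Added example (not from the SAS documentation). ENCLIB and the path
   below are placeholders: point the libref at the backing store directory
   or at the SASHDAT library that you want to check. */
libname enclib '/placeholder/path/to/encrypted/library';

/* Route the Attributes table of PROC CONTENTS into a data set.
   With _ALL_, one Attributes block is produced per member, and the
   Member column identifies the table. */
ods output Attributes=work.tblattrs;
proc contents data=enclib._all_ noprint;
run;
ods output close;

/* The Encrypted attribute can appear in either label column of the
   Attributes table, so check both and keep only that row per member. */
data work.encstatus;
   set work.tblattrs;
   length table $64 encrypted $32;
   table = Member;
   if Label1 = 'Encrypted' then do;
      encrypted = cValue1;
      output;
   end;
   else if Label2 = 'Encrypted' then do;
      encrypted = cValue2;
      output;
   end;
   keep table encrypted;
run;

/* Report every table whose Encrypted attribute is NO. An empty report
   means every table in the library carries on-disk encryption. */
title 'Tables in ENCLIB that are NOT encrypted';
proc print data=work.encstatus noobs;
   where upcase(strip(encrypted)) = 'NO';
run;
title;

/* Full status listing, for the record. */
title 'Encryption status of all tables in ENCLIB';
proc print data=work.encstatus noobs;
run;
title;
```

Run the program as a user who has Read access (and, for a metadata-bound backing store, the required metadata-layer permissions on both the traditional and the secured library); otherwise the library assignment or the CONTENTS step fails before any attributes are reported. Because the check reads only table headers, it is safe to schedule after an import or a server restart as a routine confirmation that nothing unencrypted has been written into the directory.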

Additional Information

To update a passphrase:
  1. If the target directory currently contains tables, move those tables to an alternate location.
    Tip
    One approach is to load the existing tables to memory and then delete both the physical tables and the corresponding metadata definitions.
    CAUTION:
    If you delete table metadata, you must manually repair or re-create any affected objects (for example, explicit and row-level permissions).
  2. Log on to SAS Management Console as an unrestricted user (for example, sasadm@saspw). On the appropriate server or library, enter a new value in the New Encrypt Key and Confirm Encrypt Key fields.
  3. If you moved tables in step 1, move them back to the target directory. As the tables are written back to the target directory, they are encrypted using the new encryption key (which is generated from the updated passphrase).
    Tip
    If you loaded tables from co-located HDFS or NFS-mounted MapR in step 1, you can use the data builder to save the tables back to the target directory.
For more information, see Data Encryption in the SAS LASR Analytic Server: Reference Guide.
Last updated: December 18, 2018