BookmarkSubscribeRSS Feed

Encrypting SASHDAT Files at Rest

Started ‎08-29-2018 by
Modified ‎08-29-2018 by
Views 1,919

Customers are more concerned than ever about security. You have surely seen Stuart Rogers' numerous posts about important security topics including authentication, certificate management, and encryption in motion. SAS administrators should be very familiar with security best practices and as stewards of the SAS deployment, do all we can to enforce those good practices in the areas we oversee. Typically, SAS administrators are responsible for assigning global CAS libraries and assigning appropriate permissions to protect access to the data. Coupled with appropriate operating system permissions, this is usually sufficient protection. However, for more sensitive data the administrator may wish to encrypt the data at rest in the library for extra protection. In this post, I would like to show how administrators can create CAS libraries so that SASHDAT files at rest in the library are encrypted.


Before we go over any further, there are a few things you should know about using encrypted CAS libraries.

  • Only CAS libraries that connect to PATH, HDFS, or DNFS file systems can be encrypted.
  • Only SASHDAT files in the CAS library path will be encrypted. If the path contains other types of files (.CSV, .SAS7BDAT, etc.), those files will not be encrypted at rest.
  • When an encrypted SASHDAT file is loaded into memory, the in-memory table is not be encrypted. The decryption process will marginally affect the load time but it is a one time cost. If extremely large SASHDAT files are to be encrypted administrators may want to consider pre-loading them as part of the CAS Server startup.
  • SAS Viya 3.4 uses Advanced Encryption Standard (AES) with 256-bit keys to encrypt the data at rest.

So let's see how this is done.


The process to create an encrypted CAS library is pretty straightforward. The administrator simply needs to

  1. Create an Encryption Domain for specific identities to use.
  2. Create a CAS library and associate it with the Encryption Domain.

For now, only members of the SAS Administrators group can create Encryption domains so an administrator will need to open Environment Manager to the Domains page and from the Domains view, click the New icon. In this example, we're going to create an encryption domain to protect Human Resource (HR) data. So we give the new domain a meaningful name, description, and place the HR group in the identities list. Only the specified identities will have permission to use the encryption domain so choose carefully. The last thing to add is the encryption key.




Now, before you hit Save, make note of your key because once the domain is saved, the passphrase cannot be changed. Additionally, Encryption domains cannot currently be deleted and once saved, the only part of the domain that can be modified later is to add or remove identities to the Encryption domain by way of the Credentials view. If you need details, Gerry Nelson covered more information on Domains in an earlier post.


So now we have the HRProtected encryption domain available for use.




The next step is to create a new CAS library and associate it with the encryption domain. So still using Environment Manager, we switch to the Data page and define a new Data Source (aka CAS library).




In this case, we now have a path-based CAS library to /gelcontent/gelcorp/hr/hrOnly called "HR Protected" and on the Advanced tab, we have associated it with the HRProtected encryption domain. And no, the names do not have to be as similar as in this example.


From this point forward and regardless of how they are created, any SASHDAT files in /gelcontent/gelcorp/hr/hrOnly will be encrypted. As an example let's say one of our HR group members imports the hr_summary.csv file into the "HR Protected" CAS library.




After the data are imported, a SASHDAT file is created in the HR Protected library.


[sasadm@intcas01 hrOnly]$ pwd
[sasadm@intcas01 hrOnly]$ ll
-rwxr-xr-x. 1 cas HR 84144 Aug 16 15:10 HR_SUMMARY.sashdat


And if we try to peek inside the HR_SUMMARY.sashdat file, we would only see gibberish.


[sas@intcas01 hrOnly]$ more HR_SUMMARY.sashdat
▒▒▒▒պ▒▒▒▒▒W▒▒▒+▒▒/▒▒▒o▒nwOm▒▒!/b▒f▒N▒:lMA▒▒u▒"lHz▒[<▒o▒6▒!db▒Xk▒陾?▒▒zE▒▒Wz ▒L▒▒▒▒▒


That's it. HR users now have a CAS library that will encrypt any SASHDAT files at rest.


One last word of is not possible to change the encryption domain assigned to a CAS library. If you want to change the Encryption domain for a CAS library you would have to delete the existing CAS library and recreate it using a different Encryption domain. And yes, if you create encrypted SASHDAT files using one Encryption domain, you will lose access to those files if you delete the CAS library and recreate it using a different Encryption domain.

Version history
Last update:
‎08-29-2018 01:53 PM
Updated by:



Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.

If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website. 

Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags