Encryption for data at rest in the SAS Viya platform
Encryption is a process that transforms data into an unreadable format using a secret key, so that it is readable only by those who hold the key to decrypt it. Encryption protects datasets written to disk. The SAS Viya platform supports encryption for data at rest on disk storage and mainly uses two methods to do so. First, programmatically, using the CASLIB statement and SAS data step options. Second, using an encrypted disk storage class provided by the cloud vendor to define the Persistent Volume and data storage. The CAS server supports encryption for .sashdat data files in a PATH or DNFS CASLIB. The SAS Compute Server supports encryption for .sas7bdat data files in a PATH LIBNAME.
This post is about programmatically encrypting data at rest using CASLIB and SAS data steps.
The SAS Viya platform uses the Advanced Encryption Standard (AES/AES2) algorithm with a 256-bit key to encrypt data at rest. Encryption requires approximately the same amount of CPU resources as compression. SAS decrypts the data as it reads it from disk; data read at the operating-system level or by an external program remains encrypted.
Encryption under CAS Server
The CAS server supports encryption for .sashdat data files at rest in a PATH/DNFS CASLIB. When creating a PATH/DNFS CASLIB, the SAS Viya administrator can enable it to encrypt data while writing to disk. The encryption is applied to the source data files in the PATH/DNFS CASLIB. The PATH/DNFS CASLIB can use either an encryption domain or an encryption password to encrypt the data files.
The encryption domain is configured with an encryption key and a list of SAS Viya identity users. When the SAS Administrator creates a CASLIB with the Encryption domain and grants read/write permission to a SAS identity user, this does not enable the user to access the encrypted data. The identity user must be part of the encryption domain with the same encryption key, along with read/write permission on CASLIB to read and write encrypted data files.
When a SAS Viya user imports a data file (SAS tables, .csv, .txt) into a PATH/DNFS CASLIB, a .sashdat file is created in the CASLIB path location. If the CASLIB is configured with an encryption domain or password, the .sashdat files at rest will be encrypted.
The following screenshot describes the creation of an encryption domain with an encryption key and a set of SAS Viya identity users in the SAS Environment Manager application. The SAS Viya CLI can also be used to create and configure the encryption domain. When the SAS Viya administrator creates the encryption domain, they can assign a list of identity users and an encryption key. In this case, the same encryption key becomes the encryption key for each user. This is a useful way to configure a group of SAS Viya users with the same encryption key so they can share the encrypted data files.
The SAS Viya administrator can also set up a separate encryption key for a user by updating the credentials. In that case, an encrypted data file created by that user (user1) using the encryption domain can only be read by the same user (user1). Other users in the same encryption domain cannot read the data files created by user1, since they have a different encryption key.
The SAS Viya administrator can also add a new user to the encryption domain with the same encryption key or a different key. If a user has a different encryption key, an encrypted data file created by that user (user2) using the encryption domain can only be read by the same user (user2). It's good practice to create an encryption domain with the same encryption key for each identity user in it. As required, the SAS Viya administrator can create multiple encryption domains, each with its own set of identity users. Having the same encryption key within a domain lets the data files be shared among that set of identity users.
The following code describes the usage of the encryption domain in a PATH CASLIB to create encrypted data files. For example, the code can be executed by the SAS Viya identity users "Viya Administrator" and "Test user1". These users are part of the encryption domain "SalesEncryption" and can use it in a CASLIB to read and write the encrypted data files. A user who is not part of the encryption domain cannot use it to read the data files, even with read and write permission on the CASLIB.
Code:
CAS mySession SESSOPTS=(CASLIB=casuser TIMEOUT=99 LOCALE="en_US" metrics=true);
CASLIB enclib DATASOURCE=(SRCTYPE="PATH" ENCRYPTIONDOMAIN="SalesEncryption") path="/mnt/viya-share/data/";
/* Save a CAS table into an encrypted .sashdat file. */
proc casutil incaslib="enclib" outcaslib="enclib";
   load data=sashelp.cars casout="cars" replace;
   save casdata="cars" casout="cars_encrpt" replace;
   list files;
quit;
/* Load CAS from an encrypted data file saved by CAS */
proc casutil incaslib="enclib" outcaslib="enclib";
   load casdata="cars_encrpt.sashdat" casout="cars_hdat";
   list tables;
quit;
CAS mySession TERMINATE;
Log extract:
…………
……..
NOTE: SASHELP.CARS was successfully added to the "ENCLIB" caslib as "CARS".
88 save casdata="cars" casout="cars_encrpt" replace;
NOTE: Executing action 'table.save'.
NOTE: Cloud Analytic Services saved the file cars_encrpt.sashdat in caslib ENCLIB.
NOTE: Caslib options provided a password to encrypt the stored data. Subsequent loading of this table will require the same password.
NOTE: Action 'table.save' used (Total process time):
92 /* Load CAS from an encrypted data file saved by CAS */
93 proc casutil incaslib="enclib" outcaslib="enclib";
NOTE: The UUID '672ed24f-e92d-8341-802e-8116b5f5c7f9' is connected using session MYSESSION.
94 load casdata="cars_encrpt.sashdat" casout="cars_hdat" ;
NOTE: Executing action 'table.loadTable'.
NOTE: Cloud Analytic Services made the file cars_encrpt.sashdat available as table CARS_HDAT in caslib enclib.
NOTE: Action 'table.loadTable' used (Total process time):
……….
……………
If a SAS Viya user executes the above code without the ENCRYPTIONDOMAIN= parameter and value in the CASLIB statement, it generates the error message "A password is required". A data file encrypted with an encryption password will not open until a valid password is provided.
Code:
CASLIB enclib1 DATASOURCE=(SRCTYPE="PATH" ) path="/mnt/viya-share/data/" ;
Log extract:
…………
……..
85 /* Load CAS from an encrypted data file saved by CAS */
86 proc casutil incaslib="enclib1" outcaslib="enclib1" ;
NOTE: The UUID 'b40d2d7e-6880-e54d-8406-770792cae6bc' is connected using session MYSESSION.
87 load casdata="cars_encrpt.sashdat" casout="cars_hdat" ;
NOTE: Executing action 'table.loadTable'.
ERROR: A password is required to access this encrypted file.
ERROR: The action stopped due to errors.
NOTE: Action 'table.loadTable' used (Total process time):
……….
……………
When a user who is not a member of the encryption domain "SalesEncryption" executes the above code with the ENCRYPTIONDOMAIN= parameter and value in the CASLIB statement, it generates the error message "No credentials found". A user accessing an encrypted data file through an encryption domain must be a member of that domain with a valid encryption key.
Code:
CASLIB enclib DATASOURCE=(SRCTYPE="PATH" ENCRYPTIONDOMAIN="SalesEncryption" ) path="/mnt/viya-share/data/" ;
Log extract:
…………
……..
86 proc casutil incaslib="enclib" outcaslib="enclib";
NOTE: The UUID '33c5f2ad-2e5a-594d-95d9-c763af93f08d' is connected using session MYSESSION.
87 load casdata="cars_encrpt.sashdat" casout="cars_hdat" ;
NOTE: Executing action 'table.loadTable'.
ERROR: No credentials found for domain SalesEncryption.
ERROR: You do not have stored credentials for the requested security domain.
ERROR: The action stopped due to errors.
NOTE: Action 'table.loadTable' used (Total process time):
……….
……………
Considerations when using encryption under the CAS server:
- Once an encryption domain is created, it cannot be deleted from the SAS Environment Manager interface. If required, the SAS Viya administrator can delete it using the sas-viya CLI.
- The encryption key cannot be changed in the encrypted data files.
- If a data file is encrypted using an encryption domain key, it can only be read using the same key.
- If you plan to change the encryption key for data files, you need to read them using the old encryption key and write them using the new encryption key.
- If an encrypted caslib is deleted, the data files in the associated path remain encrypted. To access the same data files, you must create a new caslib with the same encryption domain and key value.
- Keep the encryption key in a safe and secure place; there is no way to retrieve it from the encryption domain. You can share the key with the required admin users only.
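The CASLIB statement can also encrypt with a password instead of an encryption domain, and the re-keying procedure from the considerations above (read with the old key, write with the new key) can be carried out with two CASLIBs. The following is an added example, not code from the original post: it assumes the ENCRYPTIONPASSWORD= data-source option as the password form of the encryption setting, the cars_encrpt.sashdat file written by the post's earlier code, and the constructed placeholder key values and the /mnt/viya-share/data_rekeyed/ path.

```sas
/* Added example (not from the original post): password-based CASLIB encryption
   and re-keying of an encrypted .sashdat file.
   Assumes: ENCRYPTIONPASSWORD= data-source option; placeholder key values;
   /mnt/viya-share/data_rekeyed/ is a constructed path. */
cas mySession sessopts=(caslib=casuser timeout=99 locale="en_US");

/* CASLIB whose files are encrypted with the current (old) password */
caslib encold datasource=(srctype="path" encryptionpassword="OLD-KEY-PLACEHOLDER")
       path="/mnt/viya-share/data/";

/* CASLIB encrypting with the new password; a separate path keeps the
   re-keyed copies apart from the originals until the rotation is verified */
caslib encnew datasource=(srctype="path" encryptionpassword="NEW-KEY-PLACEHOLDER")
       path="/mnt/viya-share/data_rekeyed/";

proc casutil;
   /* 1. Read the file with the old key into an in-memory table ... */
   load casdata="cars_encrpt.sashdat" incaslib="encold"
        casout="cars_tmp" outcaslib="encold" replace;
   /* 2. ... and write it back to disk through the CASLIB that holds the new key.
         The encryption key is a property of the CASLIB the file is saved into. */
   save casdata="cars_tmp" incaslib="encold"
        casout="cars_encrpt" outcaslib="encnew" replace;
   list files incaslib="encnew";
quit;

/* 3. Verify the rotated copy opens with the new key before retiring the old file */
proc casutil;
   load casdata="cars_encrpt.sashdat" incaslib="encnew"
        casout="cars_check" outcaslib="encnew" replace;
   list tables incaslib="encnew";
quit;

cas mySession terminate;
```

Loading cars_encrpt.sashdat from the data_rekeyed path through a CASLIB that has neither option set produces the same "A password is required to access this encrypted file" error shown in the log extracts above; the file on disk is only ever decrypted inside CAS.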
Encryption under SAS Compute Server
The SAS Compute Server supports encryption for SAS data sets at rest. The SAS datasets can be encrypted while writing to disk. The SAS Compute Server provides two types of algorithms to encrypt the SAS datasets. One, SAS proprietary encryption is implemented with the ENCRYPT=YES option in the data set option. Second, AES (Advanced Encryption Standard) encryption is implemented with ENCRYPT=AES or AES2 in the data set option. There is no additional installation required to use the SAS proprietary or AES encryption.
When the encryption key is changed, the encrypted datasets must be rewritten with the new key. You must use the old key to open the existing encrypted data files and rewrite them with the new key. Keep the encryption key in a safe and secure place and share it only with the required users.
SAS proprietary encryption
SAS proprietary encryption is implemented by specifying ENCRYPT=YES in the SAS data set options. While encrypting a data set, you must provide a password value through the READ=, PW=, WRITE=, and ALTER= options, according to the level of protection required. With ENCRYPT=YES, the ALTER= password option can be used to prevent users from replacing or deleting the file and enables access to read and write protected files. The PW= option assigns the read, write, and alter password to a SAS file and enables access to password-protected SAS data files.
The following code describes the usage of the SAS proprietary encryption to encrypt a sas7bdat data file while writing to disk.
Code:
%let secret=green;
%let readpass=yellow;
libname mylib "/mnt/viya-share/data/";
/* data sets created with ENCRYPT=yes with READ= and ALTER= option */
data mylib.salary(encrypt=yes read=&readpass alter=&secret);
   input name $ yrsal bonuspct;
   datalines;
Muriel 34567 3.2
Bjorn 74644 2.5
Agnetha 70998 4.1
;
/* While reading datasets the READ= option is required since it's encrypted */
proc print data=mylib.salary(read=&readpass);
run;
quit;
Log extract:
…………
……..
88 data mylib.salary(encrypt=yes read=&readpass alter=&secret) ;
89 input name $ yrsal bonuspct;
90 datalines;
NOTE: The data set MYLIB.SALARY has 3 observations and 3 variables.
97 proc print data=mylib.salary(read=&readpass);
98 run;
NOTE: There were 3 observations read from the data set MYLIB.SALARY.
……….
……………
If a SAS Viya user tries to access the encrypted data file without the password, it generates the error message "Invalid or missing READ password". A data file encrypted with a password will not open until a valid password is provided.
Log extract:
…………
……..
101 proc print data=mylib.salary;
ERROR: Invalid or missing READ password on member MYLIB.SALARY.DATA.
102 run;
NOTE: The SAS System stopped processing this step because of errors.
……….
……………
AES encryption
AES encryption is implemented by specifying ENCRYPT=AES or ENCRYPT=AES2 in the SAS data set options. While encrypting a data set, you must provide a value for the ENCRYPTKEY= option. With ENCRYPT=AES and ENCRYPTKEY=, an ALTER= or PW= password option can additionally be used to prevent users from replacing or deleting the file, and enables access to read and write protected files. The PW= option assigns the read, write, and alter password to a SAS file.
The following code describes the usage of the AES encryption to encrypt a sas7bdat data file while writing to disk.
Code:
%let mykey=green;
%let alterkey=yellow;
libname mylib "/mnt/viya-share/data/";
/* data sets created with ENCRYPT=AES with ENCRYPTKEY= and ALTER= option */
data mylib.salary_aes(encrypt=aes encryptkey=&mykey alter=&alterkey);
   input name $ yrsal bonuspct;
   datalines;
Muriel 34567 3.2
Bjorn 74644 2.5
Agnetha 70998 4.1
;
/* While reading datasets the ENCRYPTKEY= option is required since it's encrypted */
proc print data=mylib.salary_aes(encryptkey=&mykey);
run;
quit;
Log extract:
…………
……..
87 data mylib.salary_aes(encrypt=aes encryptkey=&mykey alter=&alterkey);
88 input name $ yrsal bonuspct;
89 datalines;
NOTE: If you lose or forget the ENCRYPTKEY, there will be no way to open the file and recover the data.
96 proc print data=mylib.salary_aes(encryptkey=&mykey);
97 run;
NOTE: There were 3 observations read from the data set MYLIB.SALARY_AES.
……….
……………
If a SAS Viya user tries to access the encrypted data files without the encryption key, it will generate the error message “Invalid ENCRYPTKEY value”.
Log extract:
…………
……..
100
101 proc print data=mylib.salary_aes;
ERROR: Invalid ENCRYPTKEY value for MYLIB.SALARY_AES.DATA.
102 run;
NOTE: The SAS System stopped processing this step because of errors.
……….
……………
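The key-rotation rule stated for the SAS Compute Server (open with the old key, rewrite with the new key) applied to the AES-encrypted data set from the code above, as an added example that is not part of the original post. It assumes the salary_aes data set, key values and path from the post, a constructed new key value, and that PROC DATASETS can delete an AES-encrypted member given only its ALTER= password.

```sas
/* Added example (not from the original post): rotate the ENCRYPTKEY= of an
   AES-encrypted SAS data set. Assumes mylib.salary_aes exists as written by the
   post's code; "blue" is a constructed new key value. */
%let oldkey=green;      /* key the file was written with (from the post) */
%let newkey=blue;       /* new key, constructed for this example */
%let alterkey=yellow;   /* ALTER= password from the post */

libname mylib "/mnt/viya-share/data/";

/* 1. Open the file with the old ENCRYPTKEY= and write a new copy under the new key.
      ENCRYPT=AES must be stated again: encryption is a property of the output file,
      not something carried over from the input. */
data mylib.salary_aes_new(encrypt=aes encryptkey=&newkey alter=&alterkey);
   set mylib.salary_aes(encryptkey=&oldkey);
run;

/* 2. Verify the rotated copy opens with the new key before removing the original */
proc print data=mylib.salary_aes_new(encryptkey=&newkey);
run;

/* 3. Remove the original, which still carries the retired key. The ALTER= password
      releases the member (assumed to be sufficient for an AES-encrypted file). */
proc datasets library=mylib nolist;
   delete salary_aes / alter=&alterkey;
quit;
```

Reading mylib.salary_aes_new with ENCRYPTKEY=&oldkey is rejected with the same "Invalid ENCRYPTKEY value" error shown in the log extract above, which is the check that confirms the retired key no longer opens any copy of the data.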
Important Link: SAS® Viya® Platform Encryption: Data at Rest
Find more articles from SAS Global Enablement and Learning here.