Potential information leakage using default SSFS master key in SAP HANA


You are using the default SSFS master key to run your SAP HANA database installation.

Other Terms

SAP HANA database, SSFS, encryption, key, master key, security, SSFS_<SID>.DAT

Reason and Prerequisites

The SSFS master key is used to encrypt the root encryption keys of your SAP HANA database. It is a default key that is the same for all installations unless explicitly changed. SAP therefore highly recommends that you change this key immediately after installation or after you have received SAP HANA pre-installed from a database vendor (see also SAP HANA Security Guide, http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf). If the key was not changed after installation, we recommend that you perform the key change in the next available maintenance window.

If the operating system of the SAP HANA database host is accessible, a user with file-system-level permissions on the SSFS file could use the initial (default) key to extract information from it.


Valid for HANA SPS06-SPS09.


  • Changing SSFS master key requires system downtime.
  • In a distributed SAP HANA system, every host must be able to access the key file location.
  • In an MDC configuration, the SSFS master key only has to be changed once for the whole instance, not per tenant.

Change the SSFS Master Key

  1. Log on to the SAP HANA system host as the operating system user <sid>adm.
  2. Shut the system down using the sapcontrol program: /usr/sap/hostctrl/exe/sapcontrol -nr <instance_no> -function Stop.
  3. Generate a new master key from the command line using the rsecssfx program. The rsecssfx program is available at the following location: /usr/sap/<sid>/HDB<instance>/exe.
    1. Use the command ‘rsecssfx generatekey’ to create a new master key. The new key will be displayed on screen.
    2. Copy the new key to the clipboard.
    3. Re-encrypt the SSFS with the new key and save the key file to a secure location with the following command:
      RSEC_SSFS_DATAPATH=/usr/sap/<SID>/SYS/global/hdb/security/ssfs RSEC_SSFS_KEYPATH=<path to key file> rsecssfx changekey <paste the new key from step 2 here>
  4. Configure the specified key file location in the global.ini configuration file at /usr/sap/<sid>/SYS/global/hdb/custom/config/global.ini. If the file does not exist, create it. Add the following lines:
    ssfs_key_file_path = <path to key file>
  5. Restart SAP HANA.
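After the key change, a quick way to confirm that a system is no longer relying on the default SSFS master key is to check that global.ini points at an existing custom key file. The following shell check is an added example, not part of the SAP Note; it assumes the ssfs_key_file_path entry sits under a [cryptography] section (the section name is an assumption, and the check accepts the key in any section).

```shell
#!/bin/sh
# Added check (not from the SAP Note): report whether a HANA global.ini
# configures a custom SSFS master key file. If ssfs_key_file_path is absent
# or points at a missing file, the installation is most likely still running
# on the default SSFS master key and should be scheduled for a key change.

# Print the configured ssfs_key_file_path value from a global.ini, or nothing.
# Lines starting with '#' or ';' never match, so commented-out entries are ignored.
ssfs_key_path() {
    ini="$1"
    [ -r "$ini" ] || return 1
    sed -n 's/^[[:space:]]*ssfs_key_file_path[[:space:]]*=[[:space:]]*//p' "$ini" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when a custom key file is configured AND present on disk, 1 otherwise.
ssfs_custom_key_active() {
    path=$(ssfs_key_path "$1")
    [ -n "$path" ] && [ -f "$path" ]
}

# Human-readable verdict for one global.ini.
ssfs_report() {
    if ssfs_custom_key_active "$1"; then
        echo "OK: custom SSFS master key file configured: $(ssfs_key_path "$1")"
    else
        echo "WARNING: no usable ssfs_key_file_path in $1 -> default SSFS master key likely in use"
    fi
}

# Usage (path from the SAP Note):
#   ssfs_report /usr/sap/<SID>/SYS/global/hdb/custom/config/global.ini
```

In a distributed system run the check on every host, since each host must be able to reach the configured key file location.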

In a system-replication setup, configure the key file location on the secondary system(s); the key file itself is copied automatically. For file-system-based copies of SAP HANA database installations, e.g. in snapshot-based backup/restore scenarios, the SSFS master key file must be saved and restored manually. Otherwise data loss can occur.

For special scenarios like snapshot based backup/restore or system replication, please open a message on component HAN-DB-SEC in case of any questions.


hdbuserstore provides the ability to manage connection information stored in the secure user store of the SAP HANA client. While it relies on SSFS functionality to encrypt the connection information, this information is not stored in the SAP HANA database SSFS but in a user-specific persistence. Typically, hdbuserstore is used on clients only and not on SAP HANA database servers directly. hdbuserstore is a usability feature and should only be used if no unauthorized users can access the hdbuserstore SSFS files on the client side.

hdbuserstore also uses the default key to encrypt connection information. For additional security the hdbuserstore SSFS key can be changed. This is documented in the chapter ‘Change the Secure User Store Encryption Key’ in the SAP HANA Administration Guide (http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf).
