2054883 – Enabling Data Volume Encryption in a Running System

Symptom

When Data Volume Encryption shall be enabled in a running system, SAP recommends to generate a new root encryption key before (cf. SAP HANA Administration Guide ch. 3.3.1.2 “Enabling Data Volume Encryption in a Running System”). The root encryption key is generated from the command line using the hdbnsutil program with option -generateRootKeys.

This procedure can corrupt your persistency and so render the system unusable if the root key change is done when the SAP HANA Database is online.
Note: This scenario is no longer possible with Revision 90 and above, since the consistency of SSFS and database is checked by the HANA database.

Nameserver will crash with the following callstack:

[CRASH_STACK]  stacktrace of crash: (2014-08-08 18:33:48 756 Local)
—-> Pending exceptions (possible root cause) <—-
exception  1: no.3000284  (DataAccess/impl/SavepointImpl.cpp:3546)
Could not read AnchorPage, none of 2 found copies contains valid data
exception throw location:

Potential data loss may occur as you only can solve the issue by recover from backup.

 

Other Terms

HANA, Data Volume Encryption, Security, hdbnsutil, encryption, administration

 

Reason and Prerequisites

The root encryption key is cached in the running system and the cache only gets invalidated on restart.

 

Solution

IMPORTANT UPDATE:

When changing the root encryption key you should adhere to the following procedure:

  1. Shut down the SAP HANA Database
  2. Change the root encryption key with command “hdbnsutil -generateRootKeys –type=PERSISTENCE”
  3. Restart the SAP HANA Database
  4. Enable Data Volume Encryption if desired

Reason: The root encryption key is cached in the running system and the cache only gets invalidated on restart.

WORKAROUND:

If you changed the encryption root key during your SAP HANA Database was online and you suffer from the described symptons, you can repair your system by recovering the old encryption root key. The change of the encryption root key with the hdbnsutil command line tool will backup the original encryption key. The encryption root key file (SSFS) and its backup files are located within the directory /usr/sap/<SID>/SYS/global/hdb/security/ssfs (where <SID> has to be replaced by the sid of your SAP HANA Database). All backups contain a timestamp and the ending .sav in the filename.

  1. Shut down the SAP HANA Database
  2. Make a backup of the current SSFS file (/usr/sap/<SID>/SYS/global/hdb/security/ssfs/SSFS_<SID>.DAT)
  3. Restore the backup of the SSFS by replacing the current SSFS file
  4. Restart the SAP HANA Database

Please note that the following hint from the SAP HANA Administration Guide remains valid:

CAUTION:

Do not generate a new root encryption key after you have enabled persistence encryption, since this would render the SAP HANA database unusable.
This also applies when you had enabled encryption in the past and disabled it meanwhile.

 

 

Leave a Reply