2183624 – Potential information leakage using default SSFS master key in HANA


You are using the initial “Secure Store in the File System” (SSFS) master key to run your HANA database installation.


Other Terms

SAP HANA database, SSFS, encryption, key, master key, security, SSFS_<SID>.DAT


Reason and Prerequisites

In case you are using the database encryption capability “data volume encryption” provided by SAP HANA or use the features to store credentials in the database’s internal data encryption service then HANA stores the respective cryptographic keys in a secure store  on the file system (SSFS) of the HANA server.

This secure store is protected by the so called SSFS master key. In order to support automatic unattended start-up of HANA system, the key store and the SSFS master key is stored on the file system, protected by operating system permissions (operating system access with the <sid>adm operating system user is required).

Prior to revisions 85.05 for SPS08, revision 97.1 for SPS09 and revision 101 for SPS10 this masterkey is by default the same initial key in all HANA installations unless explicitly changed. In the SAP HANA Security guide SAP recommends to change this key after installation.

In case the mentioned encryption features are used and the operating system of a HANA DB is accessible to untrusted users, it could be possible for users having file system level permissions to access the SSFS file and the respective encrypted data to steal information via using the initial key


Information on hdbuserstore

hdbuserstore provides the ability to manage connection information stored in the secure user store of the SAP HANA client. While it relies on SSFS functionality to encrypt the connection information this information is not stored in the SAP HANA database SSFS but a user-specific persistence. Typically, hdbuserstore is used on clients only and not on SAP HANA database servers directly. hdbuserstore is a usability feature and should only be used if no unauthorized users can access the hdbuserstore SSFS files on the client side.

hdbuserstore also uses the initial key to encrypt connection information. For additional security the hdbuserstore SSFS key can be changed. This is documented in the chapter ‘Change the Secure User Store Encryption Key’ in the SAP HANA Administration Guide (http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf).



SAP therefore recommends that you ensure that an individual key gets generated for your system either after installation or after you have received a SAP HANA pre-installed system from a HW vendor. The options on how to change the initial key are described in the security guide (see also SAP HANA Security Guide, http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf) and in this security note

The SAP HANA Security Guide contains a description how to check if the default master key has been changed.


Valid for HANA SPS08, Revision 85.05-SPS10.


  • Changing SSFS master key requires system downtime.
  • In a distributed SAP HANA system, every host must be able to access the key file location.
  • In a multitenant database containers (MDC) configuration, the SSFS master key only has to be changed for whole instance andnot per tenant.

Customers can change the SSFS master key either by

  • upgrading to a respective revisions (this will set an individual key, in case the default key is still in use) this is the recommended solution
  • explicitly changing the key on the affected systems

For special scenarios like snapshot based backup/restore or system replication, please see also note 2194396.


Detailed procedures:

Upgrade to a respective revision

In the revisions listed below, the change of the default key is automatically performed during installation or update to this revision. Therefore no manual changes are needed to set an individual key.

  • Rev. 85.5 for SPS08
  • Rev 97.1 for SPS09
  • Rev 101 for SPS10

In case of HANA system replication scenario please read also note 2194396.

Explicit key change procedure

Change the SSFS Master Key

  1. Log on to the SAP HANA system host as the operating system user <sid>adm.
  2. Shut the system down using the sapcontrol program: /usr/sap/hostctrl/exe/sapcontrol -nr <instance_no> -function Stop
  3. Generate a new master key and re-encrypt the SSFS with on the command line using the rsecssfx program. The rsecssfx program is available at the following location: /usr/sap/<sid>/HDB<instance>/exe

RSEC_SSFS_DATAPATH=/usr/sap/<SID>/SYS/global/hdb/security/ssfs RSEC_SSFS_KEYPATH=<directory of key file> rsecssfx changekey $(rsecssfx generatekey -getPlainValueToConsole)

  1. Configure the specified key file location in the global.ini configuration file at /usr/sap/<sid>/SYS/global/hdb/custom/config/global.ini. If the file does not exist, create it. Add the following lines:
    ssfs_key_file_path = <directory of key file>
  2. Restart SAP HANA.

In a system-replication setup, configure the key file location on the secondary system(s). The file itself will be automatically copied. (exceptions see note 2194396).For file system based copy of SAP HANA database installations, e.g. in snapshot based backup/restore scenarios, the SSFS master key file must be manually saved/restored. Otherwise data loss can occur.

The location of the secure store itself (RSEC_SSFS_DATAPATH) is fixed and should not be changed in a HANA installation. You can choose a different path for the key file (RSEC_SSFS_KEYPATH) by changing the ssfs_key_file_path parameter. It must be ensured that the <sid>adm user of the installation has access to the key file (file permissions). The path must already exist when rsecssfx is executed.


Leave a Reply