Skip to end of metadata
Go to start of metadata


The purpose of this guide is to describe what Secure Store in File System is, to provide guidance on how to check for SSFS consistency and to list all related documentation that is currently available to assist with any troubleshooting issues.


Server side Encryption Keys are available within SAP HANA designed to protect your data from unauthorized access.  By default, these are generated during installation, or on delivery of your appliance.  It is recommended that these keys are changed immediately for security reasons.

The following keys can be changed:

  1. Master key of the Instance SSFS
    Instance SSFS protects root encryption keys.  Root keys protect all encryption keys used in the HANA Database from unauthorized access

        2.  Master key of the system public key infrastructure (PKI) SSFS

             PKI SSFS protects the X.509 certificate infrastructure used to secure SSL/TLS communication between hosts or between multi-tenants databases.  

        3.  Root key of the internal data encryption service.

             This key is used to encrypt SAP HANA XS-based application encryption keys. e.g. logon of XS applications to remote connections.  

How to Change the SSFS Master Keys

Please follow the procedure described in SAP HANA Administration Guide chapter Change the SSFS Master Keys.

SSFS and System Replication

In system replication scenarios, the location of the SSFS master key needs only to be configured.  The file will be copied automatically.  See SAP Notes 2193235 , 2202010 and 2194396 regarding troubleshooting SSFS with system replication sites.

SSFS and Multitenant Systems

In a multitenant environment, the system database and all tenant databases have their own encryption keys for both data encryption service and data volume encryption.

SSFS and Homogenous System Copies

For system-based copies, the instance SSFS master key file must be manually saved and restored in order to prevent data loss. See SAP Note 2097613  and 2134846 regarding troubleshooting SSFS with system copies.

Related KBA's / Notes

2097613 - Database is running with inconsistent Secure Storage File System (SSFS)

2134846 - HANA encryption key handling during system cloning

2183624 - Potential information leakage using default SSFS master key in HANA

2193235 - SAP HANA system replication is not working after a change of the master key

2194396 - After upgrade or SSFS key change wrong SSFS key on System Replication secondary site

2202010 - Persistence on System Replication Secondary Site cannot be opened on HANA Revision 85.05

2228171 - How to Change the Data Volume Encryption Root Key

2228829 - How to Change the DPAPI Root Key  

2229831 - HANA Internal Data Encryption Service and DPAPI Root Key

2194396 - After upgrade or SSFS key change wrong SSFS key on System Replication secondary site


Related Documents

SAP HANA Administration Guide

SAP HANA Security Guide



  • No labels