If you’re not an expert on encryption, have no fear! SAS 9.4 has introduced ways to bring stronger encryption to your SAS deployment. The good news is that SAS/SECURE is now a part of Base SAS when you upgrade to SAS 9.4 and is not a separately licensed product anymore.
This is great news for our SAS administrators! But what if you’re not an expert on encryption? Let’s take a quick look at the basics of encryption:
What is encryption?
Encryption refers to the process of protecting data. Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. There are two primary forms of encryption:
- Over-the-wire encryption protects data while it is in transit. Passwords in transit to and from SAS servers are encrypted or encoded.
- On-disk encryption protects data at rest. Passwords in configuration files, metadata login passwords, and metadata internal account passwords are encrypted or encoded.
Cryptography refers to the science of encoding and decoding information to protect its confidentiality. Encryption is a type of cryptography.
Algorithm in encryption refers to the mathematical process that is applied to transform the plaintext into ciphertext. Examples of algorithms supported by SAS/SECURE include:
- AES (Advanced Encryption Standard)
- DES (Data Encryption Standard)
- RC4 (a type of stream cipher, proprietary algorithm developed by RSA Data Security, Inc.).
AES is one of the most popular algorithms used in symmetric key cryptography and is newly available in SAS/SECURE with SAS 9.4. It is also the algorithm I will use in the examples below.
Why is SAS/SECURE important for SAS 9.4 users?
Now that you are an encryption expert, what can you do with it? Why should you be excited about SAS/SECURE being available with Base SAS in SAS 9.4? Here are a couple of key takeaways for you. Including SAS/SECURE brings:
- a strong level of encryption to all SAS deployments running UNIX, Windows, or z/OS (except where prohibited by import restrictions).
- a new encryption type for your stored passwords, SAS004 (AES encryption with 64-bit salt).
Please note that SAS/SECURE only refers to encryption, and not to other security features, such as authorization. For more, please read Encryption in SAS 9.4.
Encoding a password in Base SAS
The PWENCODE procedure enables you to encode passwords. Here is the syntax for PROC PWENCODE:
Encoded passwords can be used in place of plaintext passwords in SAS programs that access relational database management systems and various servers (such as SAS/CONNECT servers, SAS/SHARE servers, and SAS IOM servers such as the SAS Metadata Server).
- If you submit the following PROC PWENCODE statement:
- The log file shows these results. Notice that each character of the password is replaced by an X in the SAS log file.
- Plan to reuse. You have many options for reusing this encrypted password. My favorite is creating a macro variable with the encrypted password. Make sure to enclose the macro variable reference in double quotes so that it resolves properly.
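The encode-and-reuse steps above, as an added SAS example that is not the original post's code. The password, file path, and Oracle connection values are constructed placeholders, and the LIBNAME statement assumes SAS/ACCESS Interface to Oracle is available.

```sas
/* Added example. Password, path and connection values are constructed. */

/* 1. Run once, separately: encode with SAS004 (AES with 64-bit salt,   */
/*    requires SAS/SECURE). OUT= writes the encoded string to a file    */
/*    instead of the SAS log.                                           */
filename pwfile "/home/sasdemo/secure/dbpw.txt";   /* hypothetical path */

proc pwencode in="Constructed-Pw-123" method=sas004 out=pwfile;
run;

/* 2. In the program that needs the password, read the encoded string   */
/*    into a macro variable so no plaintext password is stored there.   */
data _null_;
   infile pwfile truncover;
   input encoded $200.;
   call symputx('dbpw', encoded);
run;

/* 3. Double quotes let &dbpw resolve. Single quotes would pass the     */
/*    literal text &dbpw as the password.                               */
libname sales oracle user=report_user password="&dbpw" path=orcl_prod;
```

An encoded password is accepted by SAS in place of the plaintext, so restrict read access to the file that holds it just as you would for the plaintext.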
Protecting PDF output
PDF output is what many of our users tell me they use. Encryption of PDF files using ODS began in SAS 9.2. Since SAS/SECURE is now included in Base SAS 9.4, this has wider implications for more of our users. When your PDF file is not password protected, any user can use Acrobat to view and edit the PDF files. You can encrypt and password-protect your PDF output files by specifying the PDFSECURITY system option along with the PDFPASSWORD= option. Here are the steps in the process:
- I start by viewing the security properties of a PDF file by opening the PDF file, right-clicking inside the document, selecting Document Properties from the menu, and then clicking Show Details. Here are my PDF properties before applying encryption:
- I can apply encryption and password protection to my ODS PDF file by simply adding an OPTIONS statement to my SAS program:
- Now when I try to open the PDF file, it prompts me for my password:
- Here are my PDF properties after applying encryption:
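A sketch of the OPTIONS statement and ODS PDF step described above, added here as an example and not taken from the original post. The passwords and output path are constructed placeholders.

```sas
/* Added example. Passwords and output path are constructed. */

/* OPEN=  password is required to open and view the document.          */
/* OWNER= password is required to change the document's security       */
/*        settings.                                                    */
options pdfsecurity=high
        pdfpassword=(open="Constructed-Open-1" owner="Constructed-Owner-1");

ods pdf file="/home/sasdemo/reports/class_report.pdf";  /* hypothetical path */

proc print data=sashelp.class noobs;
run;

ods pdf close;

/* System options persist for the rest of the session. Reset the       */
/* security level so later ODS PDF output is not encrypted by accident. */
options pdfsecurity=none;
```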
Using AES-encrypted data files
You must use both of the following options when you want to use AES encryption.
- ENCRYPTKEY= data set option specifies a key value
- ENCRYPT= data set option now supports AES encryption.
(Please note that AES encryption is not supported for the “tape” engine. You can use ENCRYPT=YES for TAPE engine encryption, which uses the SAS Proprietary encryption algorithm that has been available with Base SAS since SAS 6.11.)
- To use encrypted AES data files, you must use SAS 9.4 or later AND SAS/SECURE software. To copy an encrypted AES data file, the output engine must support AES encryption. Also, and this is very important, if you forget to record the ENCRYPTKEY= value, you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= value. Please see this example DATA step for where to specify these options.
- The resulting message in the log file below displays a warning that I cannot open the file or recover the data without the encryption key.
- Then I can use the key to work with that data. I must use the ENCRYPTKEY= option whenever I create or access a SAS data set with AES encryption. This option only prevents access to the contents of the file. To protect the file from deletion or replacement, the file must also contain an ALTER= password.
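The create, read, and copy cases described above, as an added SAS example that is not the original post's code. The key and ALTER= password are constructed placeholders, and the WORK library and SASHELP.CLASS are used only so the step runs anywhere with SAS 9.4 and SAS/SECURE.

```sas
/* Added example. Key and password values are constructed. */

/* Create an AES-encrypted data set. ENCRYPT=AES requires ENCRYPTKEY=.  */
/* ALTER= additionally protects the file from deletion or replacement.  */
data work.payroll(encrypt=aes encryptkey=Constructed_Key_1 alter=altpw1);
   set sashelp.class;
run;

/* Every later access must supply the same key. Record it somewhere     */
/* safe: SAS cannot recover a lost ENCRYPTKEY= value.                    */
proc print data=work.payroll(encryptkey=Constructed_Key_1 obs=5);
run;

/* Copying: supply the key to read the input, and request AES again on  */
/* the output so the copy is not written unencrypted.                   */
data work.payroll_copy(encrypt=aes encryptkey=Constructed_Key_1);
   set work.payroll(encryptkey=Constructed_Key_1);
run;
```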
Please let me know how encryption in Base SAS 9.4 will be useful for you!