If you’re not an expert on encryption, have no fear! SAS 9.4 has introduced ways to bring stronger encryption to your SAS deployment. The good news is that SAS/SECURE is now a part of Base SAS when you upgrade to SAS 9.4 and is not a separately licensed product anymore.
This is great news for our SAS administrators! But, what if you’re not an expert on encryption? Let’s take a look really quickly at the basics of encryption:
What is encryption?
Encryption refers to the process of protecting data. Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. There are two primary forms of encryption:
- Over-the-wire encryption protects data while it is in transit. Passwords in transit to and from SAS servers are encrypted or encoded.
- On-disk encryption protects data at rest. Passwords in configuration files, metadata login passwords, and metadata internal account passwords are encrypted or encoded.
Cryptography refers to the science of encoding and decoding information to protect its confidentiality. Encryption is a type of cryptography.
Algorithm in encryption refers to the mathematical process that is applied to transform the plaintext into ciphertext. Examples of algorithms supported by SAS/SECURE include:
- AES (Advanced Encryption Standard)
- DES (Data Encryption Standard)
- RC4 (a type of stream cipher, proprietary algorithm developed by RSA Data Security, Inc.).
AES is one of the most popular algorithms used in symmetric key cryptography and is newly available in SAS/SECURE over SAS 9.4. It is also the algorithm I will use in the examples below.
Why is SAS/SECURE important for SAS 9.4 users?
Now that you are an encryption expert, what can you do with it? Why should you be excited about SAS/SECURE being available with Base SAS in SAS 9.4? Here are a couple of key takeaways for you—including SAS/SECURE brings:
- a strong level of encryption to all SAS deployments running UNIX, Windows, or Z/OS (except where prohibited by import restrictions).
- a new encryption type for your stored passwords, SAS004 (AES encryption with 64-bit salt).
Please note that SAS/SECURE only refers to encryption, and not to other security features, such as authorization. For more, please read Encryption in SAS 9.4
Encoding a password in Base SAS
The PWENCODE procedure enables you to encode passwords. Here is the syntax for PROC PWENCODE:
Encoded passwords can be used in place of plaintext passwords in SAS programs that access relational database management systems and various servers (such as SAS/CONNECT servers, SAS/SHARE servers, and SAS IOM servers such as the SAS Metadata Server).
- If you submit the following PROC PWENCODE statement:
- The log file shows these results. Notice that each character of the password is replaced by an X in the SAS log file.
- Plan to reuse. You have many options for re-using this encrypted password. My favorite is creating a macro variable with the encrypted password. Make sure to include the macro in double quotes so that it resolves properly.
Protecting PDF output
PDF output is what many of our users tell me they use. Encryption of PDF files using ODS began in SAS 9.2. Since SAS/SECURE is now included in Base SAS 9.4, this has wider implications for more of our users. When your PDF file is not password protected, any user can use Acrobat to view and edit the PDF files. You can encrypt and password-protect your PDF output files by specifying the PDFSECURITY system option along with the PDFPASSWORD= option. Here are the steps in the process:
- I start by viewing the security properties of a PDF file by opening the PDF file, right-clicking inside the document, selecting Document Properties from the menu, and then clicking Show Details. Here are my PDF properties before applying encryption:
- I can apply encryption and password protection to my ODS PDF file by simply adding an OPTIONS statement to your SAS program:
- Now when I try to open the PDF file, it prompts me for my password:
- Here are my PDF properties after applying encryption:
Using AES-encrypted data files
You must use both of the following options when you want to use AES encryption.
- ENCRYPTKEY= data set option specifies a key value
- ENCRYPT= data set option now supports AES encryption.
(Please note that AES encryption is not supported for the “tape” engine. You can use ENCRYPT=YES for TAPE engine encryption, which uses the SAS Proprietary encryption algorithm that has been available with Base SAS since SAS 6.11).
- To use encrypted AES data files, you must use SAS 9.4 or later AND SAS/SECURE software. To copy an encrypted AES data file, the output engine must support AES encryption. Also, and this is very important, if you forget to record the ENCRYPTKEY= value, you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= value. Please see this example DATA step for where to specify these options.
- The resulting message in the log file below displays a warning that I cannot open the file or recover the data without the encryption key.
- Then I can use the key to work with that data- and I must use the ENCRYPTKEY= option when you are creating or accessing a SAS data set with AES encryption. This option only prevents access to the contents of the file. To protect the file from deletion or replacement, the file must also contain an ALTER= password.
Please let me know how encryption in Base SAS 9.4 will be useful for you!
--Wendy
11 Comments
Wendy
I have found your article very helpful but I am trying to create a report for 169 different school districts using a do loop within a macro. I need to have a different password for each district. My code works fine if I wanted to have the same password for every district but I get an error if I try to use the macro variables. An excerpt of the code is below. Thanks.
%macro pdfprint;
%let x = 999;
%do x = 1 %to 169;
%let name = dist&x..pdf;
%let number = &x*2.58;
%let pwd = "enum2019&number";
options PDFSECURITY=HIGH PDFPASSWORD=(owner="RJCENUM" open="&pwd");
ODS PDF file="\\sde-fs1hfdrn\public\cloud\ENUMERATION\Enum2019a\&name";
ODS PROCLABEL 'Public & Nonpublic Enrollment by Town of Residence';
Proc Print noobs data=final1 uniform split='*';
Hello,
I wanted to add something that works very well for us regarding secured, or I would say prohibited, access to logins and passwords, encrypt keys, etc.
Another way of doing things is to put you connection credentials or encrypt keys in a file that is stored in a limited access location, for example only to system administrators. Then when these parameters are necessary for your customers you can simply tell them to include the file in their script, but this is only completely secured if the information are not shown in the log files. To avoid that you enclose your parameter file with the statements.
For example you can :
1. create a connection file "mysql.sas" to access a MySQL Database :
/* ======================================== */
options nonotes nosource nosource2 ;
%let my_server=myServerName ;
%let my_port=9999 ;
%let my_database=myDB ;
%let my_user=myUser ;
%let my_password=myPwd ;
libname my1139 mysql server=&my_server port=&my_port database=&my_database user=&my_user password=&my_password ;
options notes source source2 ;
/* ======================================== */
2. Save this file in a secure place that is only accessible the system admins only
3. In the script that need to access the Database you just add the following statement :
include (path-to-my-secure-connections/mysql.sas) /* this is for a UNIX environment */
Best Regards,
Vincent M.
Another interesting way of secure/encrypt your data is *Secured Libraries* :
http://support.sas.com/documentation/cdl/en/seclibag/66930/HTML/default/viewer.htm#n0tzurc8qfze0vn13z4n6j6mzz14.htm
Hi Wendy,
To be sure to understand. If during the deployment I specify encryapting "everything" using AES, does that mean that each SAS Datasets produce by a SAS tool (like DI) will be encrypted?
Or it is simply password stored in SAS files (code, Data sets, metadata)?
Regards
Hi Yann,
Data and Passwords in transit only. To encrypt SAS datasets on disk (using SAS) you would need to use a Metadata Bound library. With Metadata Bound libraries, only AES encryption is available.
For details, see: http://support.sas.com/documentation/cdl/en/seclibag/66930/HTML/default/viewer.htm#p1n6n3za1i6vqdn1te0skoywkiom.htm
Thank you!
Wendy
Dear Wendy,
I don't suppose that there is a SAS supported method of encrypting a single column within a SAS dataset is there? I have seen macros that I can write to apply mathematical methods to a given field, but I was wondering if SAS had anything. I have a need to scramble an account number before I send some data to an outside enterprise.
Jim
Hi Jim,
Great question! SAS does have a way to accomplish this, in SAS Federation Server. This is what we refer to when we talk about "data masking":
https://www.sas.com/content/dam/SAS/en_us/doc/factsheet/sas-federation-server-105943.pdf
Here's a nice SAS blogs post that goes into a little more detail: http://blogs.sas.com/content/sgf/2017/03/08/securing-sensitive-data-using-sas-federation-server-data-masking/
Also, on our SAS communities page, there is a great thread about this topic that might give you some ideas:
https://communities.sas.com/t5/Base-SAS-Programming/Data-masking-Implement-a-cipher/td-p/20644
Hope that helps!
Wendy
Hi, Wendy,
Thank you for your reply. I just got back from a short vacation, but I will check this out. It sounds like just what the Doctor ordered. 🙂
Jim
If AES was not selected as the installation option in 9.4 in place of SASProprietary, can some of the configuration steps (Encryption Tasks) described in "Encryption in SAS" or the Security Administration Guide for 9.4 still be used to change the encryption level for stored passwords. In other words, is it possible to upgrade stored passwords as a post-installation task?
Hi Ken, thanks for writing. My apologies for the delay- I wanted to reach out to our experts to make sure I was giving you the best information. The answer is yes, you can upgrade stored passwords as a post-installation task. Please see the below links for more information.
How to Maximize Encryption of Stored Passwords: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n03umoj06sajz1n1piy8h2d0jfrd.htm
PWENCODE Procedure: http://support.sas.com/documentation/cdl/en/secref/66817/HTML/default/viewer.htm#n1vzmasf0tdebfn1xec0k1tevq7q.htm
This may be useful as well:
How to Re-Encrypt Stored Passwords: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n1p18cmmqzjwpin19f7mbu9yrx0f.htm
For further information, please do not hesitate to reach out to our wonderful SAS Technical Support Team! Thank you!
I received the below question to this post:
"Problem with PWENCODE is that if someone is able to take the encoded password they are still able to utilize it as SAS will resolve that password. i.e. the &mypw.
So what is the best way to store let say SQL database password that can only be then used by you.. the password should be stored in a encrypted file or sas dataset and then resolved before you run the program.. i.e. providing the Macro Variable with the encrypted key is not a very good protection as that encrypted key can directly be used in a given SAS program."
You have identified a common concern to using the password as I listed above. The "Pro" of using the password like I have listed is that it does not print the actual password in the code or in the log file, and soneone cannot pick it up and go access your database with your userid and password. The "Con" is that someone can utilize SAS itself to run that userid and password.
So what are some ways around this?
Typically, I've put the %let statement above inside my own autoexec file. That way, only running code under my instance of SAS with my SAS login credentials would allow the code to properly run with my encoded password.
What are other ideas you have used for protecting your encrypted password?
Thank you!
Wendy