SAP ASE 16 : A Tale of Two Encryptions

    By: Mr. Jeff Tallman on Jun 01, 2014

    In this article, Jeff Tallman discusses the differences between encrypted columns and full database encryption, provides the good, the bad and the ugly of choosing one over the other, and clarifies why the docs suggest that full database encryption should be used over column encryption for range scans.

    In SAP ASE 16, SAP introduced a “new” feature: full database encryption. Some might wonder why we would do that when we already had encrypted columns. Others simply question which one is better. The answer is not so simple.

    Encrypted Columns
    About a decade ago, SAP ASE introduced encrypted columns formally in SAP ASE 12.5.4 (there was an early adopters release 12.5.3a). This was further extended with some additional datatypes and features in the SAP ASE 15.0 releases and offers some unique advantages over the competition’s column encryption options:

    • Decrypt permission
    • Decrypt default
    • Indexable high cardinality columns
    • Replicated as ciphertext

    Now there are a bunch of other features, but mostly they are common to other DBMSs as well, so they are not listed above. However, the third bullet was very interesting – simply put, SAP ASE could outperform other databases with encrypted data. However, there was still an impact.

    Essentially, all operations within the system operated on the encrypted data as it was encrypted prior to optimization and wasn’t decrypted until the query result rows were being materialized. This meant that the data was encrypted not only on disk, but also in-memory.

    There is, of course, one problem with that. What is stored in the logical page is not the data value, but rather the ciphertext. This means that if the value is indexed, the index also contains the ciphertext. This is where the problem starts. Indexes are sorted according to the typical alphabetical sequence. Since the data is now encrypted, values that used to be contiguous (e.g. Aardvarke and Abalone) are instead located randomly within the index leaf, based on the sorting of the ciphertext values.
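
    The index-ordering effect described above, as an added example that is not from the original article or from SAP ASE. HMAC-SHA256 stands in for a deterministic column cipher (an assumption, not ASE's algorithm), and the key, names and helper functions are constructed for illustration.

```python
import bisect
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real ASE key
# Constructed sample column: the article's two values plus 200 made-up names.
NAMES = ["Aardvarke", "Abalone"] + [
    a + b + "son" for a in "ABCDEFGHIJKLMNOPQRST" for b in "aeiouyrlmn"]

def det_token(value):
    """Stand-in for deterministic column encryption: equal plaintexts give
    equal tokens, but token byte order is unrelated to plaintext order."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).digest()

def build_index(keys):
    """Model an index leaf level: (key, row_id) pairs kept in key order."""
    return sorted((k, rid) for rid, k in enumerate(keys))

def equality_seek(index, key):
    """Point lookup by binary search; works for plaintext or token keys."""
    pos = bisect.bisect_left(index, (key,))
    hits = []
    while pos < len(index) and index[pos][0] == key:
        hits.append(index[pos][1])
        pos += 1
    return hits

def leaf_span(index, row_ids):
    """Consecutive leaf entries a scan must read to cover all row_ids."""
    wanted = set(row_ids)
    pos = [i for i, (_, rid) in enumerate(index) if rid in wanted]
    return pos[-1] - pos[0] + 1

def demo():
    # Range predicate on plaintext: name >= 'A' and name < 'B'
    in_range = [rid for rid, n in enumerate(NAMES) if "A" <= n < "B"]
    plain_idx = build_index(NAMES)
    token_idx = build_index([det_token(n) for n in NAMES])
    return {
        "rows_in_range": len(in_range),
        "plain_span": leaf_span(plain_idx, in_range),   # contiguous slice
        "token_span": leaf_span(token_idx, in_range),   # scattered entries
        "eq_hit": equality_seek(token_idx, det_token("Abalone")),
    }

if __name__ == "__main__":
    print(demo())
```

    Equality lookups still seek directly on the token index, while the range predicate's rows are spread across it, so a range scan cannot read one contiguous slice of the leaf level.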

     

    Released: June 1, 2014, 4:35 pm | Updated: July 17, 2014, 10:08 am
    Keywords: ASE DBA Article | Technical Journal | ASE | Column Encryption | Database Encryption | Encryption


     

     


    Copyright © 2014 ISUG-TECH. All Rights Reserved
    All material, files, logos and trademarks within this site are copyright their respective organizations
