Hello Guys,
This blog covers the backup and restore approach for an SAP HANA system when backup encryption is enabled.
So, the first question is: What is encryption in backup and restore?
Backup encryption protects the contents of data backups, log backups, and delta/differential backups using the AES-256 encryption algorithm. The encryption is performed using Backup Encryption Root Keys (BEKs), which are 256 bits in length.
If ENCRYPTION is enabled for backups, restoring or refreshing from such a backup differs slightly from the normal process.
First, verify whether backup ENCRYPTION is enabled using the following command:
SELECT * FROM M_ENCRYPTION_OVERVIEW;
If encryption is enabled for backups, we cannot directly restore an encrypted backup. We need the SSFS root key that was used to encrypt the backup.
How can I find out whether the instance SSFS contains the root keys used to encrypt backups?
/usr/sap/H46/HDB00/exe/hdbnsutil -printHashedRootKeys --dbid=<dbid> --verbose
The output of this command lists the root keys with which data and log backups are encrypted; this is for our reference.
The command needs the dbid, which we can find by executing the following command from SYSTEMDB.
SELECT DATABASE_NAME, CASE WHEN (DBID = '' AND DATABASE_NAME = 'SYSTEMDB') THEN 1 WHEN (DBID = '' AND DATABASE_NAME <> 'SYSTEMDB') THEN 3 ELSE TO_INT(DBID) END DATABASE_ID FROM (SELECT DISTINCT DATABASE_NAME, SUBSTR_AFTER (SUBPATH,'.') AS DBID FROM SYS_DATABASES.M_VOLUMES);
For reference, this is where the instance SSFS is located on the HANA server.
The default path to the key file (SSFS_<SID>.DAT) of the instance SSFS is
$DIR_GLOBAL/hdb/security/ssfs.
Note: Never manually change any of the files related to the instance SSFS. For all administrative tasks related to the instance SSFS, use the SAP HANA tool hdbnsutil:
/usr/sap/<SID>/HDB<instance number>/exe/hdbnsutil
If you already have the root key backup and the passphrase with which the backup was encrypted, the restore is easy; otherwise you have to follow the steps below.
Backup Root keys
-----------------------------
Below are the steps for exporting the root keys from the instance SSFS:
The encryption root key backup is secured using a passphrase, which must be set before creating the SSFS key backup (export).
To set the passphrase, the system privilege ENCRYPTION ROOT KEY ADMIN is required.
Use the following SQL statement to set the encryption root key backup passphrase:
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD "<passphrase>";
The root key backup passphrase has been set for both the SYSTEMDB and the tenant DB.
Once the passphrase is set, you can export the encryption root keys from the source system.
To back up the encryption root keys, use the export root keys functionality:
/usr/sap/H46/HDB00/exe/hdbnsutil -backupRootKeys <filename>.rkb --dbid=<dbid> --type='ALL'
Importing Source System Root Keys into the Target System
You need to import the source system's backup root keys into the target system. However, before importing the source root keys, ensure that you take a backup of the target system's own encryption root keys.
First, transfer the source system's root key backup file (*.rkb) to the target system and validate its passphrase there before importing it:
/usr/sap/H46/HDB00/exe/hdbnsutil -validateRootKeysBackup <filename>.rkb
To import the source system root key file into the target, the target database must be offline; otherwise the import fails with an error message.
Import the backup encryption root keys by using following command.
./hdbnsutil -recoverRootKeys <filename>.rkb --dbid=<dbid> --type=<type>
Now validate the backup root keys on both systems before starting the actual database restore.
The backup key for dbid 4 and the backup key for dbid 3 are now identical.
Now we are ready to proceed with the restore using the normal process, as the source root keys have been successfully imported into the target system.
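As an added example (not part of the original post), the target-side steps above as one bash script that enforces the order the post describes: validate the transferred .rkb, back up the target's own keys, import with the database offline, then print the hashed keys for comparison with the source. Function and variable names, the KEEP_DIR location and the environment-variable defaults are this example's assumptions; the hdbnsutil options are the ones shown above.

```shell
#!/bin/bash
# Added example: import a source system's encryption root key backup into a
# target SAP HANA system in the order the steps above require. Function and
# variable names are this example's own; the hdbnsutil options are the ones
# used in the steps above. Run as <sid>adm with the target database stopped.
set -eu
SID="${SID:-H46}"          # target SID (assumed to be set via environment)
INST="${INST:-00}"         # target instance number
DBID="${DBID:-3}"          # target dbid, from the SYSTEMDB query above
HDBNSUTIL="${HDBNSUTIL:-/usr/sap/${SID}/HDB${INST}/exe/hdbnsutil}"
KEEP_DIR="${KEEP_DIR:-/usr/sap/${SID}/home/rootkeys}"   # assumed location for the target's own key backups

# Always keep a copy of the target's own root keys before they are overwritten.
backup_target_keys() {
    mkdir -p "$KEEP_DIR"
    local out="$KEEP_DIR/target_${SID}_dbid${DBID}_$(date +%Y%m%d%H%M%S).rkb"
    "$HDBNSUTIL" -backupRootKeys "$out" --dbid="$DBID" --type=ALL >&2
    echo "$out"
}

# Check the transferred file exists, then let hdbnsutil verify its passphrase.
validate_source_rkb() {
    local rkb="$1"
    [ -s "$rkb" ] || { echo "root key backup not found or empty: $rkb" >&2; return 1; }
    "$HDBNSUTIL" -validateRootKeysBackup "$rkb"
}

# Import the source keys. hdbnsutil refuses this while the target database is
# online, and set -e turns that refusal into an abort of the whole sequence.
import_source_keys() {
    local rkb="$1" type="${2:-ALL}"
    "$HDBNSUTIL" -recoverRootKeys "$rkb" --dbid="$DBID" --type="$type"
}

# Print the hashed keys so they can be compared with the source system's output.
show_hashed_keys() {
    "$HDBNSUTIL" -printHashedRootKeys --dbid="$DBID" --verbose
}

# Run the whole sequence; set -e stops at the first failing step.
restore_root_keys() {
    local rkb="$1" type="${2:-ALL}"
    validate_source_rkb "$rkb"
    local saved; saved="$(backup_target_keys)"
    echo "target root keys saved to $saved"
    import_source_keys "$rkb" "$type"
    show_hashed_keys
}

[ $# -eq 0 ] || restore_root_keys "$@"   # e.g. ./restore_root_keys.sh source.rkb ALL
```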
I performed this on my trial system. Before carrying out any activities related to encryption root keys in your environment, it is strongly recommended to review 2444090 - FAQ: SAP HANA Backup Encryption - SAP for Me
Thank you for reading! Feel free to drop comments or questions — I’d be happy to help.