Backing up and Recovering Encryption Keys on System and Tenant Databases

You can back up and recover encryption keys on SYSTEMDB and tenant databases. Commvault Cloud supports HANA 2.0 SPS07 if encryption is not enabled for the HANA SID. If encryption is enabled for the HANA SID and you want to perform an in-place restore, verify that the encryption key is the same between backup and restore.

If encryption is enabled for the HANA SID and you want to perform an out-of-place restore (database copy), copy the encryption keys from the source to the target SID before restoring the data. You do not need to copy the encryption keys again for subsequent restores unless the key on the source has changed.

To back up and recover encryption keys on SYSTEMDB:

  1. Use hdbsql to log on as the SYSTEMDB user:

    hdbsql -i <Instance number> -d SYSTEMDB -u system -p <password>
  2. Back up the root key for SYSTEMDB using either of the following commands:

    • Use hdbsql to run the following command:

      hdbsql SYSTEMDB=> ALTER SYSTEM ENCRYPTION CONFIGURATION CONTROLLED BY SYSTEM DATABASE
      0 rows affected (overall time 2403.486 msec; server time 2403.314 msec)
      hdbsql SYSTEMDB=> ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD Test1234
      0 rows affected (overall time 3642.948 msec; server time 3642.758 msec)
      hdbsql SYSTEMDB=> BACKUP ENCRYPTION ROOT KEYS USING FILE ('backup001')
      0 rows affected (overall time 9620.653 msec; server time 9620.465 msec)
    • Use hdbnsutil to run the following command:

      encadm@sdehana01:/usr/sap/ENC/HDB07/backup/sec/SYSTEMDB> hdbnsutil -backupRootKeys dbid1_rootkeys --database_name=SYSTEMDB
  3. Export root key backup for SYSTEMDB (DBID: 1):

    encadm@sdehana01:/usr/sap/ENC/HDB07/backup/sec/SYSTEMDB> ll
    total 8
    -rw-r----- 1 encadm sapsys 1440 Jun 7 17:40 backup001_rootkeys
    -rw-r----- 1 encadm sapsys 1440 Jun 7 17:46 dbid1_rootkeys

    By default, the file is saved to the folder: /usr/sap/ENC/HDB07/backup/sec/SYSTEMDB.

  4. Copy the root key from source to target:

    encadm@sdehana01:/usr/sap/ENC/HDB07> scp -r /usr/sap/ENC/HDB07/backup/sec/SYSTEMDB/backup001_rootkeys \
        pncadm@sdehana02:/usr/sap/PNC/HDB03/backup/sec/SYSTEMDB/
    pncadm@sdehana02's password:
    backup001_rootkeys     100% 1440   9MB/s   0:00
  5. After the root key is copied from source to target system, run the root key recover command:

    h07adm@sde-newhana1:/usr/sap/<target-SID>/HDB09/backup/sec/SYSTEMDB> hdbnsutil -recoverRootKeys /usr/sap/<target-SID>/HDB09/backup/sec/SYSTEMDB/backup001_rootkeys --database_name=SYSTEMDB
    Please Enter the password:
    Importing root keys for DBID: 1 from /hana/shared/<target-SID>/HDB09/backup/sec/SYSTEMDB/backup001_rootkeys
    Successfully imported root keys from /hana/shared/<target-SID>/HDB09/backup/sec/SYSTEMDB/backup001_rootkeys
    done.

    You are ready to submit an out-of-place restore from the CommCell Console or the Command Center.

To back up and recover root keys on a tenant database:

  1. Log on to the tenant database using hdbsql, and then run the following command:

    hdbsql <tenant DB>=> ALTER SYSTEM ENCRYPTION CONFIGURATION CONTROLLED BY SYSTEM DATABASE
    0 rows affected (overall time 2409.361 msec; server time 2409.055 msec)
  2. Log on to hdbsql as SYSTEMDB to set the root key password on the tenant DB.

    hdbsql SYSTEMDB=> ALTER DATABASE <tenant DB> SET ENCRYPTION ROOT KEYS BACKUP PASSWORD Test1234
    0 rows affected (overall time 2419.350 msec; server time 2419.127 msec)
  3. Back up the root key for the tenant DB using either of the following commands:

    • Use hdbsql to run the following command:

      hdbsql SYSTEMDB=> BACKUP ENCRYPTION ROOT KEYS FOR NET USING FILE ('backup003')
      0 rows affected (overall time 21.353 msec; server time 21.044 msec)
      netadm@sdehana02:/usr/sap/NET/HDB01> ll /usr/sap/NET/HDB01/backup/sec/DB_NET/
      total 4
      -rw-r----- 1 netadm sapsys 1600 Jun 21 23:14 backup003_rootkeys
    • Use hdbnsutil to run the following command:

      netadm@sdehana02:/usr/sap/NET/HDB01> hdbnsutil -backupRootKeys dbid3_rootkeys --database_name=NET
      Exporting root key backup for database NET (DBID: 3) to /hana/shared/NET/HDB01/dbid3_rootkeys
      done
  4. Copy the root key to the target system as you did for SYSTEMDB.

  5. After you copy the root key from source to target system, run the root key recover command:

    Example:

    <target-SID>adm@sde-newhana1:/usr/sap/<target-SID>/HDB09/backup/sec/SYSTEMDB> ll
    total 8
    -rw-r----- 1 <target-SID>adm sapsys 1440 Jul  6 16:33 backup001_rootkeys
    -rw-r----- 1 <target-SID>adm sapsys 1440 Jul  7 11:00 dbid3_rootkeys
    h07adm@sde-newhana1:/usr/sap/<target-SID>/HDB09/backup/sec/SYSTEMDB> hdbnsutil -recoverRootKeys dbid3_rootkeys --database_name=<target-SID>
    Please Enter the password:
    Importing root keys for DBID: 3 from /hana/shared/<target-SID>/HDB09/backup/sec/SYSTEMDB/dbid3_rootkeys
    Successfully imported root keys from /hana/shared/<target-SID>/HDB09/backup/sec/SYSTEMDB/dbid3_rootkeys
    done.

You are ready to submit an out-of-place restore from the Command Center.
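
A pre-recovery check for the copy step in both procedures above, as an added example that is not part of the original page or of Commvault or SAP tooling: record the SHA-256 of the root key backup on the source, then confirm on the target that the copied file matches and is no more permissive than the `-rw-r-----` mode shown in the listings. The function names, the 0640 ceiling and the stand-in file are assumptions; the script relies on GNU `sha256sum` and `stat`.

```shell
#!/bin/sh
# Added example: check a copied HANA root key backup file before recovery.
# Function names and the 0640 mode ceiling are assumptions modeled on the listings.

# Print the SHA-256 digest of a file (digest only, no file name).
rootkey_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if the file mode grants nothing beyond rw-r----- (0640).
rootkey_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    # 07137 is every permission bit outside 0640: group write, any access
    # for "other", execute bits, setuid/setgid/sticky.
    [ $(( 0$mode & 07137 )) -eq 0 ]
}

# Verify a copied root key backup against the digest recorded on the source.
# $1 = file on the target host, $2 = expected SHA-256 from the source host.
# Returns 0 if all checks pass; 1 = missing/empty, 2 = digest mismatch, 3 = mode.
verify_rootkey_copy() {
    file=$1 expected=$2
    [ -f "$file" ] && [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    actual=$(rootkey_digest "$file")
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $file" >&2; return 2; }
    rootkey_mode_ok "$file" || { echo "mode too permissive: $file" >&2; return 3; }
    echo "ok: $file"
}

# Constructed demo: a stand-in file plays the role of backup001_rootkeys.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a root key backup\n' > "$demo_dir/backup001_rootkeys"
chmod 640 "$demo_dir/backup001_rootkeys"
src_digest=$(rootkey_digest "$demo_dir/backup001_rootkeys")   # taken on the source
verify_rootkey_copy "$demo_dir/backup001_rootkeys" "$src_digest"
rm -rf "$demo_dir"
```

Run `rootkey_digest` on the source host before the `scp` step and pass its output to `verify_rootkey_copy` on the target host before running `hdbnsutil -recoverRootKeys`.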
