As we are all aware, SAP recommends the Secure Store File System (SSFS), which is protected by master keys that an administrator can change. SAP HANA likewise ships with default master keys that protect its SSFS.

It is recommended to change the master keys if the HANA appliance was delivered with HANA already installed. To change the keys, the <SID>ADM user is needed, with the system privilege INIFILE ADMIN.

SSFS is used to protect the root encryption keys, which protect all encryption keys used in the SAP HANA database from unauthorized access. The root keys are used for the internal data encryption service of the database and for data volume encryption.

In multitenant database containers, the system database and all tenant databases have their own root encryption keys for both the data encryption service and data volume encryption.

Please note: never open these SSFS key files at OS level.

SSFS is instance-specific, so in a distributed SAP HANA system every host must have access to the instance SSFS master key. With multitenant database containers, the SSFS master key has to be changed only once for the instance, not for each tenant database container.

To change the SSFS master key, the HANA system needs to be stopped.

For installations based on a file system copy, the instance SSFS master key file must be backed up and restored manually. In regular backup and recovery scenarios (snapshots included), the master key is not part of the backup.