
Best Practice 8.1 – Encrypt data at rest - SAP Lens

Data at rest refers to any data stored digitally. Encryption is used to ensure that this data is visible only to authorized users and remains protected even when the underlying storage or database is accessed outside the application, for example if the storage itself is compromised.

Suggestion 8.1.1 – Define at which levels encryption will be applied

In general, the further up the stack you deploy encryption, the more secure your data is. This increased security is accompanied by additional complexity for deployment and management. AWS recommends using the encryption at rest options available within its services. Consider additional operating system or database encryption when required, as defined in [Security]: Best Practice 5.3 - Assess the need for specific security controls for your SAP workloads.

Suggestion 8.1.2 – Understand AWS encryption options for SAP services and solutions

Many AWS services used by SAP support the encryption of data at rest. Refer to the following documentation for further details.

Data stored in these services can be encrypted at rest using either AWS-managed or customer-managed keys from AWS KMS.

Operating system encryption options include BitLocker, DM-crypt and SuSE Remote Disk.

The following links may assist with finding information about encryption options for your database:

Database               Guidance
SAP HANA
SAP ASE                SAP Documentation: SAP ASE Overview of Encryption
IBM Db2                IBM Documentation: Db2 Encryption Overview
Oracle                 SAP Note: 2591575 - Using Oracle Transparent Data Encryption (TDE) with SAP NetWeaver [Requires SAP Portal Access]
Microsoft SQL Server   SAP Note: 1380493 - SQL Server Transparent Data Encryption (TDE) [Requires SAP Portal Access]
SAP MaxDB              SAP Documentation: SAP MaxDB Database Administration - Encryption

Suggestion 8.1.3 – Define encryption methods and key management stores

Typically, key management is defined at the enterprise level, and this determines which key management options are permitted for use with your SAP workloads. AWS KMS is a secure and resilient service that simplifies the management of encryption keys for AWS services. If you have a requirement to manage your own hardware security modules (HSMs), you can use AWS CloudHSM.

Also consider mechanisms to protect master keys. How do you restrict access, manage rotation, and ensure recoverability of the keys?

Be aware that HANA data at rest encryption root keys can only be stored securely in the instance secure store in the file system (Instance SSFS) or within the SAP Data Custodian SaaS solution. If you use the Instance SSFS, the master key that protects it can be stored in AWS Secrets Manager with a rotation policy.
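One way to check Suggestions 8.1.2 and 8.1.3 against an account, as an added example that is not AWS's or SAP's own code: every EBS volume must be encrypted, with a customer-managed KMS key where policy requires it, and customer-managed keys must have rotation enabled. The dict shapes mirror what boto3's ec2.describe_volumes(), kms.describe_key() and kms.get_key_rotation_status() return; the volume and key data below are constructed, with placeholder account and key IDs, so the audit runs offline.

```python
"""Audit EBS volumes against the encryption-at-rest policy in Best Practice 8.1."""
from typing import Dict, List, Tuple

# Constructed sample in the shape of ec2.describe_volumes()["Volumes"] (placeholder IDs).
SAMPLE_VOLUMES: List[dict] = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/cmk-hana-data"},
    {"VolumeId": "vol-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/aws-ebs-default"},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/cmk-hana-log"},
    {"VolumeId": "vol-0ddd", "Encrypted": False},
]
# Constructed sample: key ARN -> (KeyMetadata["KeyManager"], KeyRotationEnabled).
SAMPLE_KEYS: Dict[str, Tuple[str, bool]] = {
    "arn:aws:kms:eu-central-1:111122223333:key/cmk-hana-data": ("CUSTOMER", True),
    "arn:aws:kms:eu-central-1:111122223333:key/aws-ebs-default": ("AWS", True),
    "arn:aws:kms:eu-central-1:111122223333:key/cmk-hana-log": ("CUSTOMER", False),
}

def audit_volumes(volumes, keys, require_customer_managed=True):
    """Return (VolumeId, finding) pairs for every volume that fails the policy."""
    findings = []
    for vol in volumes:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted"):
            findings.append((vid, "unencrypted"))
            continue
        key_arn = vol.get("KmsKeyId", "")
        if key_arn not in keys:          # key not visible to us: cannot prove rotation
            findings.append((vid, "unknown-key"))
            continue
        manager, rotation_enabled = keys[key_arn]
        if require_customer_managed and manager != "CUSTOMER":
            findings.append((vid, "aws-managed-key"))
        if manager == "CUSTOMER" and not rotation_enabled:
            findings.append((vid, "rotation-disabled"))
    return findings

def load_from_aws(region):
    """Fetch the same two structures live with boto3 (needs credentials; not run offline)."""
    import boto3  # imported here so the offline audit does not need the AWS SDK
    ec2, kms = boto3.client("ec2", region_name=region), boto3.client("kms", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate() for v in page["Volumes"]]
    keys = {}
    for arn in {v["KmsKeyId"] for v in volumes if v.get("KmsKeyId")}:
        manager = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
        # AWS-managed keys rotate automatically; only ask KMS about customer-managed ones.
        rotating = manager == "AWS" or kms.get_key_rotation_status(KeyId=arn)["KeyRotationEnabled"]
        keys[arn] = (manager, rotating)
    return volumes, keys

if __name__ == "__main__":
    for vid, reason in audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS):
        print(f"{vid}: {reason}")
```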

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.