Configure and Manage Bring Your Own Key (BYOK)

You can enable Bring Your Own Key (BYOK) to use SAP Data Custodian encryption keys with SAP Analytics Cloud.

SAP Data Custodian Key Management Service technical users are used to connect third-party applications to your SAP Data Custodian tenant; to automate key lifecycle management features; and to create groups, keys, and application technical users.

Create an Application Technical User

Prerequisites

You must have an active Key Administrator role to complete this activity.

Context

Application Technical Users (APP TU) allow you to connect third-party applications to your SAP Data Custodian Key Management Service tenant.

Procedure

  1. Log on to your SAP Data Custodian tenant.
  2. Select a group from the dashboard.
  3. Select the User tab.
  4. Select the Create Technical User button.
  5. Complete the Key Details section.
    1. Enter a Username.
    2. Enter a Description.
  6. Complete the Permissions section.
    Note

    Once the APP TU is created, you will not be able to add more permissions. You can only remove permitted operations by editing the APP TU.

    1. Select Crypto, Rotate, and Read.
  7. Review input details and finalize user creation.

Generate an Application Technical User Credential

Prerequisites

You must have an active Key Administrator role to complete this activity.

Context

Application Technical User (APP TU) credentials are used to connect your systems to SAP Data Custodian. The credentials file generated in this activity contains your Access Key.txt, API Endpoints.txt, Certificate Download Link.txt, and Secret Key.txt files, which will be needed for other configuration activities.

Procedure

  1. Log on to your SAP Data Custodian tenant.
  2. Select the newly created technical user from the Technical Users table.
  3. Select the Generate Credential button.
  4. Enter a Credential name.
  5. Select the Download button.
  6. Save the file.
    You will need this file for the configuration steps below.
    Note

    There is a one-to-one mapping between an APP TU credential and an APP TU. A new technical user must be created for every new APP TU credential.

Generate an Encryption Key

Prerequisites

You must have an active Key Administrator role to complete this activity.

Context

Encryption keys generated in the SAP Data Custodian Key Management Service sign the root encryption keys of SAP HANA systems. This gives the key administrator control over the key lifecycle, such as key rotation and key invalidation in the event of a data breach.

Procedure

  1. Log on to your SAP Data Custodian tenant.
  2. Select the Keys tab.
  3. Click the Create or Restore Key button.
    1. Complete the Key Details section.
      1. Enter Key Name.
      2. Enter Key Description.
      3. Check the Allow Key Export box.
    2. Complete the Creation Properties section.
      1. Select Generate.
      2. Select RSA for encryption method.
    3. Complete the RSA Properties section.
      1. Select RSA size.
    4. Complete the Key Operations section.
      1. Select Encrypt, Decrypt, Sign and Verify.
  4. Copy the Key ID.

    You will need the Key ID for the configuration steps below.

Enable Encryption With Customer-Controlled Keys (BYOK)

Context

  • You must have an Administrator role with the BYOK administration privilege enabled in SAP Analytics Cloud.
  • You must complete the tasks above before adding a key to SAP Analytics Cloud.

Enabling Bring Your Own Key (BYOK) using an SAP Data Custodian Key Management Service-provided key allows you to actively manage the encryption status of your data.

Procedure

  1. Log on to your SAP Analytics Cloud tenant.
  2. Go to System > Administration > External Systems.
  3. In the Bring Your Own Key (BYOK) section, select Set Up Primary Key.
  4. Add the following information:
    1. Enter the SAP Data Custodian Tenant Name.
    2. Enter the Encryption Key ID.
      This is the key you retrieved from the steps in Generate an Encryption Key above.
    3. Enter the Technical User API Endpoint.
      Note

      Only the host part from the API Endpoint file should be filled in the form.

      For example, if the file contains:
      https://kms-api-demo.datacustodian.cloud.sap/kms/api

      The Technical User API Endpoint is: kms-api-demo.datacustodian.cloud.sap

    4. Enter the Technical User Access Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.
    5. Enter the Technical User Secret Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.
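The values entered in steps 3 to 5 all come from the credential download described in Generate an Application Technical User Credential. The following Python script is an added example, not SAP code or part of this documentation: it reads such a bundle, derives the host-only Technical User API Endpoint from the full URL (the point the note above makes), and returns the three form fields. It assumes the download is a zip archive containing the four .txt files named on this page, with one endpoint URL per line in API Endpoints.txt; the file contents below are constructed sample values.

```python
"""Turn an SAP Data Custodian APP TU credential bundle into the values the
SAP Analytics Cloud BYOK form asks for.

Added example for this page, not SAP code. Assumptions: the credential
download is a zip archive holding the four .txt files named on the page,
each file carries its value as plain text (one endpoint URL per line in
API Endpoints.txt), and the sample contents below are constructed.
"""
import io
import zipfile
from urllib.parse import urlsplit

# Constructed sample bundle: same file names as the page, made-up values.
SAMPLE_FILES = {
    "Access Key.txt": "AKEXAMPLE0123456789\n",
    "API Endpoints.txt": "https://kms-api-demo.datacustodian.cloud.sap/kms/api\n",
    "Certificate Download Link.txt": "https://kms-api-demo.datacustodian.cloud.sap/kms/api/cert\n",
    "Secret Key.txt": "s3cr3t-example-value\n",
}


def build_sample_bundle(files=SAMPLE_FILES) -> bytes:
    """Pack the sample files into an in-memory zip, standing in for the download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def endpoint_host(url: str) -> str:
    """Return only the host part of an API endpoint URL, as the form requires.

    Rejects anything that is not an https URL with a hostname, and drops the
    path, port and any userinfo so that only the DNS name is returned.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https endpoint URL: {url!r}")
    return parts.hostname


def byok_form_values(bundle: bytes) -> dict:
    """Read the credential bundle and return the three BYOK form fields.

    The Technical User API Endpoint is derived from API Endpoints.txt; the
    access and secret keys are passed through unchanged (whitespace stripped).
    """
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        required = {"Access Key.txt", "API Endpoints.txt", "Secret Key.txt"}
        missing = required - set(zf.namelist())
        if missing:
            raise ValueError(f"credential bundle is missing {sorted(missing)}")

        def read(name: str) -> str:
            return zf.read(name).decode("utf-8")

        endpoint_lines = [ln for ln in read("API Endpoints.txt").splitlines() if ln.strip()]
        hosts = {endpoint_host(ln) for ln in endpoint_lines}
        # The form takes a single host; refuse to guess if the file disagrees with itself.
        if len(hosts) != 1:
            raise ValueError(f"expected exactly one endpoint host, found {sorted(hosts)}")
        return {
            "technical_user_api_endpoint": hosts.pop(),
            "technical_user_access_key": read("Access Key.txt").strip(),
            "technical_user_secret_key": read("Secret Key.txt").strip(),
        }


def redacted(values: dict) -> dict:
    """Copy of the form values that is safe to print or log: the secret key is masked."""
    out = dict(values)
    secret = out["technical_user_secret_key"]
    out["technical_user_secret_key"] = secret[:2] + "*" * (len(secret) - 2)
    return out


if __name__ == "__main__":
    # Prints the masked form values for the constructed sample bundle.
    print(redacted(byok_form_values(build_sample_bundle())))
```

Only the masked copy should ever reach a terminal or log; the Secret Key belongs in the form field and nowhere else. `endpoint_host` deliberately rejects plain hostnames and non-https URLs so that a mangled API Endpoints.txt fails loudly instead of producing a wrong endpoint.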

(Optional) Enable Second Access Key

Prerequisites

  • You must have an Administrator role with the BYOK administration privilege enabled in SAP Analytics Cloud.
  • You must complete the tasks above before adding a key to SAP Analytics Cloud.
  • You must have a private / public certificate pair.

Context

Enabling a second access key for BYOK provides a recovery mechanism in the event of a critical failure of the SAP Data Custodian Key Management service. The mechanism for recovery requires the private key of the pair to trigger the procedure. Since this key would be provided to SAP in the event of a disaster, you must generate the pair with the appropriate security and access scopes.

Procedure

  1. Log on to your SAP Analytics Cloud tenant.
  2. Go to System > Administration > External Systems.
  3. In the Bring Your Own Key (BYOK) section, select Set Up Secondary Key.
  4. Add the following information:
    1. Enter the public part of the certificate key pair.
    2. Enter the Technical User Access Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.
    3. Enter the Technical User Secret Key.
      This is the key you retrieved from the steps in Generate an Application Technical User Credential above.

Disable Encryption With Customer-Controlled Keys (BYOK)

Prerequisites

You must have an Administrator role with the BYOK administration privilege enabled in SAP Analytics Cloud.

Context

This activity removes the integration between the SAP Data Custodian Key Management Service and the encryption of data in SAP Analytics Cloud.

Procedure

  1. Log on to your SAP Analytics Cloud tenant.
  2. Go to System > Administration > External Systems.
  3. In the Bring Your Own Key (BYOK) section, select Disable BYOK.
  4. Confirm Disable in the dialog that appears.