
We do not recommend that you use this legacy method for individual encryption keys. It is replaced by the method described in Using Individual Encryption Keys.
The individual encryption key is stored in the file system of the application server. The location and file name are configured by profile parameter rsec/securestorage/keyfile.
Its default value points to a directory in the shared file system of the application servers ($(DIR_GLOBAL)/security/data) and uses the file name SecStoreDBKey.pse.
The "PSE" file extension is usually used by the cryptographic library to store security certificates. The file containing the individual encryption key for the secure storage does not have this type, but it uses this file extension to benefit from enhanced access control for PSE files in ABAP code.
The key file is a plain text file. If it does not exist or is empty, the Default Key is used to encrypt new records and to decrypt existing records. If it exists and is not empty, it contains one or two encryption keys separated by a semicolon. Each encryption key is a sequence of 48 hexadecimal characters (0..9, A..F, a..f). The first (primary) encryption key is used to encrypt newly-created records and to decrypt records. The second (secondary) encryption key is used as a fallback when the primary encryption key fails to decrypt a record during a read operation.
Store the key file in a way that all application servers can access it.
Use access authorizations to protect the key file at operating system level, so that only the system can read the file.
Only use the legacy key file tool to maintain the key file. For more information, see the related link.
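The following read-only audit is an added example, not SAP code: it classifies a key file according to the format rules above and flags permission bits beyond the file owner, without ever printing key material. It assumes a POSIX file system, that surrounding whitespace in the file is insignificant, and that the file owner is the operating system account the system runs as; `audit_key_file` and `demo` are hypothetical names.

```python
import os
import re
import stat
import tempfile

KEY_RE = re.compile(r"[0-9A-Fa-f]{48}")  # one key: 48 hexadecimal characters

def audit_key_file(path):
    """Read-only check. Returns (state, findings); never echoes key material."""
    if not os.path.exists(path):
        return "default-key", ["key file missing, Default Key applies"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumption: "only the system can read" = no group/other permission bits.
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants access beyond the file owner")
    with open(path, encoding="ascii", errors="replace") as fh:
        content = fh.read().strip()  # assumption: surrounding whitespace ignored
    if not content:
        return "default-key", findings + ["key file empty, Default Key applies"]
    keys = content.split(";")
    malformed = len(keys) > 2
    if malformed:
        findings.append(f"{len(keys)} fields found, at most two keys expected")
    for i, key in enumerate(keys):
        if not KEY_RE.fullmatch(key):
            malformed = True
            findings.append(f"field {i + 1} is not 48 hexadecimal characters")
    if malformed:
        return "malformed", findings
    return ("primary+secondary" if len(keys) == 2 else "primary-only"), findings

def demo():
    """Audit constructed sample files (made-up values, not real keys)."""
    samples = {  # name: (content, mode)
        "two.pse": ("A1" * 24 + ";" + "0f" * 24 + "\n", 0o600),
        "empty.pse": ("", 0o600),
        "bad.pse": ("A1" * 23 + ";" + "0f" * 24, 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = audit_key_file(path)
        results["missing.pse"] = audit_key_file(os.path.join(tmp, "missing.pse"))
    return results
```

A `default-key` result is the case to act on first: it means records are being encrypted with the Default Key rather than an individual one.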