SAS passwords restrict access to SAS data files within SAS, but SAS passwords cannot prevent SAS data files from being viewed at the operating environment system level or from being read by an external program.
Encryption provides security of your SAS data outside of SAS by writing to disk the encrypted data that represents the SAS data. The data is decrypted as it is read from the disk.
Encryption does not affect file access. However, SAS honors all host security mechanisms that control file access. You can use encryption and host security mechanisms together.
Encryption is implemented with the ENCRYPT= data set option. You can use the ENCRYPT= data set option only when you are creating a SAS data file. You must also assign a password when encrypting a file. At a minimum, you must specify the READ= or the PW= data set option at the same time you specify ENCRYPT=YES. Because passwords are used in the encryption method, you cannot change any password on an encrypted data set without re-creating the data set.
The following rules apply to data file encryption:
To copy an encrypted SAS data file, the output engine must support encryption. Otherwise, the data file is not copied .
Previous releases of SAS cannot use an encrypted SAS data file. Encrypted files work only in Release 6.11 or in later releases of SAS.
You cannot encrypt SAS data views, because they contain no data.
If the data file is encrypted, all associated indexes are also encrypted.
Encryption requires roughly the same amount of CPU resources as compression.
You cannot use PROC CPORT on encrypted SAS data files.
This example creates an encrypted SAS data set:
data salary(encrypt=yes read=green); input name $ yrsal bonuspct; datalines; Muriel 34567 3.2 Bjorn 74644 2.5 Freda 38755 4.1 Benny 29855 3.5 Agnetha 70998 4.1 ;
To print this data set, specify the read password:
proc print data=salary(read=green); run;
SAS extends password protection and encryption to other files associated with the original protected file. This includes generation data sets, indexes, audit trails, and copies. When accessing protected or encrypted generation data sets, indexes, audit trails, and copies of the original file, the same rules, syntax, and behavior for invoking the original password protected or encrypted files apply. Data views cannot have generation data sets, indexes, and audit trails.