
Configuring tenant encryption

Tenant admins can configure tenant encryption settings. By default, a new tenant uses the Qlik Internal KMS to encrypt content in the tenant. If your organization wants to use its own customer managed key (CMK) to encrypt tenant data, you can configure tenant encryption to use a CMK from a supported key provider.

Qlik Cloud supports using a CMK from the Amazon Web Services (AWS) Key Management Service (KMS). Customers can choose to use the same key for multiple tenants, through the AWS KMS key policy definition, although this is not recommended as best practice. The CMK and AWS KMS integration will maintain per tenant encryption using the AWS KMS API's encryption context, but you must configure encryption for each tenant individually. Customers or partners enabling tenants for use by multiple end-user organizations are required to implement individual keys per end-user organization.

Warning note: You can only use CMK with tenants (either new or existing tenants) that are empty. The tenant must not contain any data, apps, or content when you set up tenant encryption. However, you can set up your IdP before you configure encryption in the tenant. It is strongly recommended that you configure encryption settings immediately after your tenant is created and before any use. Once you change the key provider to use your CMK, all at-rest data in the tenant will be encrypted and decrypted using these keys. You cannot revert to using Qlik Internal KMS keys for encryption.

CMK prerequisites

You must have an AWS account and AWS KMS key to use CMK with Qlik Cloud. For more information about setting up an AWS KMS account and creating an AWS KMS key, see AWS Key Management Service (KMS).

Once you have completed the setup in AWS, you can change the key provider in the tenant to use your AWS KMS key.

Changing the key provider in the tenant

Before you change the key provider, verify that your AWS KMS key and policy have been correctly configured in AWS KMS. See AWS Key Management Service (KMS). Qlik Cloud supports the following key providers:

  • Qlik Internal KMS (this is the default KMS using Qlik-managed keys)

  • AWS KMS

Warning note: Make sure to use an empty, unused tenant that does not contain any data, apps, or content, except for IdP settings.
  1. In the Management Console, go to Settings.

  2. Under Tenant encryption, click Change key provider.

  3. Select the master key provider from the list, for example, AWS KMS.

    Select a master key provider

  4. Enter the parameters required by the key provider, and then click Apply. For example, for AWS KMS, you must enter either the KMS key ARN or the alias ARN. The key ARN is the Amazon Resource Name (ARN) for a KMS key. The alias ARN is the Amazon Resource Name (ARN) of the AWS KMS alias (the friendly name given for the AWS KMS key when the key was created). For more information, see KMS key ARN and alias ARN.

    Configure KMS key ARN

    Tip note: For information about how to find the key ARN or alias ARN of a KMS key, see Finding the key ID and key ARN or Finding the alias name and alias ARN.
  5. Confirm that you want to change the key provider, and then click Change.


    Confirm the change to a new key provider

  6. Click Done to complete the process.

Warning note: Once your tenant is configured for CMK, if you disable or delete your CMK, tenant data cannot be decrypted using these keys. For a disabled key, if the key is re-enabled, access to the data will be re-established. For a deleted key, access to the data will be permanently lost. For more information, see Key management in AWS KMS.

Information note:
  • You can verify the change to the encryption key provider on the Events page in the Management Console. The events log captures the following encryption event type: com.qlik.v1.encryption.keyprovider.created.
  • Events in AWS KMS are logged to AWS CloudTrail under Event History. Search for the Event Names: GenerateDataKey or Decrypt.

AWS Key Management Service (KMS)

Qlik Cloud supports using a customer managed key (CMK)—Amazon refers to this as an AWS KMS key or KMS key—from AWS KMS to encrypt and decrypt your tenant data.

Below are the general steps required to set up AWS to use with CMK. You must create an AWS KMS account, create your AWS KMS key, and configure your key policy for use with Qlik Cloud CMK. Once you have completed the setup in AWS KMS, you can change the key provider in your Qlik Cloud tenant to use an AWS KMS key. See Changing the key provider in the tenant.

Create an AWS account

Go to Amazon Web Services and create an account.

Information note: Your AWS KMS account must be in the same region as your Qlik Cloud tenant.

Create a symmetric AWS KMS key

In AWS, create a key using the AWS KMS Management Console or through the AWS KMS API using the CreateKey command. When creating your key, configure these settings as follows:

  • AWS Region—Select the region where your Qlik Cloud tenant is hosted. Supported Qlik Cloud regions and their associated AWS region names are listed below. Currently only single region keys are supported.

    • Americas (USA)—us-east-1

    • Europe (Ireland)—eu-west-1

    • Asia-Pacific 1 (Singapore)—ap-southeast-1

    • Asia-Pacific 2 (Australia)—ap-southeast-2

    • GovCloud (USA)—us-gov-west-1

    Qlik Sense Enterprise SaaS Government note: The GovCloud region is FIPS-compliant. Using Customer Managed Keys in AWS GovCloud is, therefore, also FIPS-compliant by default.
  • Key Type—Symmetric. CMK does not support asymmetric keys.

  • Key Usage—Encrypt and Decrypt

Other settings during key creation include:

  • Entering a key alias

  • Defining the IAM users and roles who can administer the key

  • Selecting the IAM users and roles who can use the key in cryptographic operations

  • Configuring the key policy.

For more information about creating an AWS KMS key, see Creating keys.

Configure the AWS KMS key policy

The key policy controls access to the AWS KMS key. Each key has its own policy. The key policy must include the minimum information and permissions required to use your AWS KMS key with Qlik Cloud Customer Managed Keys. When you create a key using the AWS KMS Management Console, AWS KMS creates a default key policy with statements based on your selections during key creation. These statements determine the IAM users and roles in your account who can administer the key and use the key in cryptographic operations.

You must edit the default key policy to add the permissions and parameters required to use the key with Qlik Cloud CMK. These include:

  • Allowing Qlik's AWS proxy accounts and required IAM roles to generate a data key, encrypt, and decrypt data using your AWS KMS key. Separate IAM roles must be added to the key policy to use CMKs with Qlik Application Automation.

  • Identifying your Qlik Cloud TenantID. Tenant ID is used as the encryption context. AWS KMS uses the encryption context as additional authenticated data (AAD) to support authenticated encryption. This means that one tenant cannot decrypt another tenant's cipher keys. See Encryption context. If you are using the same KMS key for multiple tenants, you must include the Tenant ID for each tenant in the key policy.

  1. Make sure that your customer AWS account and IAM users and roles are correct and included in the policy, see Example AWS KMS key policy. Your policy might include other statements as well.
  2. Copy the required Qlik Cloud code snippet below and add it to your key policy. For Qlik Cloud Government subscriptions, copy the Qlik Cloud Government code snippet.

     Qlik Cloud:

            {
                "Sid": "Enable Qlik's proxy roles to use the Customer's AWS KMS key to encrypt and decrypt data for the Qlik cloud tenant",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::338144066592:role/byok-encryption-proxy-role",
                        "arn:aws:iam::634246602378:role/byok-encryption-proxy-role",
                        "arn:aws:iam::338144066592:role/byok-automations-proxy-role",
                        "arn:aws:iam::634246602378:role/byok-automations-proxy-role"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:TenantId": [
                            "QLIK_TENANT_ID"
                        ]
                    }
                }
            }

     Qlik Cloud Government:

            {
                "Sid": "Enable Qlik's proxy roles to use the Customer's AWS KMS key to encrypt and decrypt data for the Qlik cloud tenant",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws-us-gov:iam::014729015091:role/byok-encryption-proxy-role",
                        "arn:aws-us-gov:iam::014734359703:role/byok-encryption-proxy-role",
                        "arn:aws-us-gov:iam::014729015091:role/byok-automations-proxy-role",
                        "arn:aws-us-gov:iam::014734359703:role/byok-automations-proxy-role"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:TenantId": [
                            "QLIK_TENANT_ID"
                        ]
                    }
                }
            }

  3. In the EncryptionContext string, replace QLIK_TENANT_ID with your Qlik Cloud TenantID.

     Tip note: To find your Tenant ID, from the hub of your Qlik Cloud tenant, select your user profile, and then select About. Under Tenant ID, select and copy the ID string. Do not use the Display name or Alias hostname in the Management Console under Settings > Tenant.

  4. Save the key policy.

For more information about AWS KMS key policies, see Key policies in KMS.
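As an added example (not Qlik's own tooling), the following Python checks a key policy against the requirements above before you save it: each Qlik proxy role from the snippet must be granted exactly kms:Encrypt, kms:Decrypt and kms:GenerateDataKey, and the grant must be bound to your tenant through the kms:EncryptionContext:TenantId condition with the QLIK_TENANT_ID placeholder replaced. The account IDs and role names are those in the snippets on this page; the sample policy and the tenant ID example-tenant-id are constructed.

```python
# Qlik account IDs and proxy role names are taken from the policy snippets on this page.
QLIK_ACCOUNTS = {"aws": {"338144066592", "634246602378"},
                 "aws-us-gov": {"014729015091", "014734359703"}}
QLIK_ROLES = {"byok-encryption-proxy-role", "byok-automations-proxy-role"}
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
CONTEXT_KEY = "kms:EncryptionContext:TenantId"

def expected_principals(partition):
    return {f"arn:{partition}:iam::{acct}:role/{role}"
            for acct in QLIK_ACCOUNTS[partition] for role in QLIK_ROLES}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_qlik_cmk_policy(policy, tenant_ids, partition="aws"):
    """Return findings for the Qlik proxy statement(s). An empty list means every
    proxy role is granted exactly the three required actions and the grant is
    bound to the given tenant IDs through the encryption-context condition."""
    wanted, findings, seen = expected_principals(partition), [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        prin = stmt.get("Principal", {})
        principals = set(_as_list(prin.get("AWS", []))) if isinstance(prin, dict) else set()
        if stmt.get("Effect") != "Allow" or not principals & wanted:
            continue  # customer admin/user statements are not checked here
        seen |= principals & wanted
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != REQUIRED_ACTIONS:
            findings.append(f"actions differ from the required set: {sorted(actions)}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get(CONTEXT_KEY)
        if cond is None:
            findings.append("no encryption-context condition: grant is not tenant-bound")
            continue
        bound = set(_as_list(cond))
        if "QLIK_TENANT_ID" in bound:
            findings.append("placeholder QLIK_TENANT_ID was not replaced")
        elif bound != set(tenant_ids):
            findings.append(f"tenant IDs in condition {sorted(bound)} != {sorted(tenant_ids)}")
    for missing in sorted(wanted - seen):
        findings.append(f"Qlik proxy role not granted: {missing}")
    return findings

# Constructed sample: the page's statement pasted in with the placeholder still in place.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
    {"Sid": "Qlik proxy roles", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": sorted(expected_principals("aws"))},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Condition": {"StringEquals": {CONTEXT_KEY: ["QLIK_TENANT_ID"]}}}]}
```

Running the check with partition="aws-us-gov" against a policy that names the commercial roles reports all four Government roles as not granted, which is the mistake to catch when copying the wrong snippet.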

Example AWS KMS key policy

The following example key policy includes the basic requirements for use with Qlik Cloud Customer Managed Keys.

  1. The customer account and IAM users and roles who can administer and use the key.

  2. The Qlik accounts and IAM roles that are permitted to use the key for cryptographic operations: Encrypt, Decrypt, and GenerateDataKey.

  3. The Qlik accounts and Application Automation IAM roles that are permitted to use the key with Application Automation.

  4. The encryption context that identifies your Qlik Cloud tenant identification number (TenantID).

The selected section (B, C, and D) in the policy example identifies the parameters required by Qlik Cloud Customer Managed Keys.

Example key policy (screenshot)

KMS key ARN and alias ARN

The Amazon Resource Name (ARN) is a unique, fully qualified identifier for the KMS key. It includes the Encryption Context (TenantID), AWS account, Region, and key ID. The ARN is created when you create an AWS KMS key in the AWS Key Management Service. In Qlik Cloud, when you change the master key provider in the Management Console to use your AWS KMS key, you must provide the key ARN or the alias ARN to connect the Qlik encryption service to your AWS KMS key. See Changing the key provider in the tenant.

A) AWS KMS key ARN, and B) Alias ARN in the AWS Key Management Service (screenshot)

The ARN uses the format:

arn:<partition>:kms:<region>:<account-id>:key/<key-id>

The following is an example of a valid key ARN:

arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

The alias ARN uses the format:

arn:<partition>:kms:<region>:<account-id>:alias/<alias-name>

The following is an example of a valid alias ARN where CMK-Example-Alias is the alias name:

arn:aws:kms:us-east-1:111122223333:alias/CMK-Example-Alias

For more information about locating the key ARN or alias ARN for your KMS key, see Finding the key ID and key ARN or Finding the alias name and alias ARN.
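As an added example (not part of this page or Qlik's software), this Python parses a key ARN or alias ARN into the parts described above and applies the checks worth making before entering it in the Management Console: the region must be one of the supported Qlik Cloud regions and must match the region where the tenant is hosted, and the partition (aws or aws-us-gov) must match that region. The region-to-partition table is taken from the list on this page; the account number 111122223333 is the page's example value.

```python
import re

# Qlik Cloud regions, their AWS region names and partitions, from the list on this page.
SUPPORTED_REGIONS = {
    "us-east-1": "aws", "eu-west-1": "aws", "ap-southeast-1": "aws",
    "ap-southeast-2": "aws", "us-gov-west-1": "aws-us-gov",
}
# arn:<partition>:kms:<region>:<account-id>:key/<key-id>  or  ...:alias/<alias-name>
ARN_RE = re.compile(r"^arn:(?P<partition>[a-z-]+):kms:(?P<region>[a-z0-9-]+):"
                    r"(?P<account>\d{12}):(?P<kind>key|alias)/(?P<name>[^/]+)$")
# KMS key IDs are UUIDs, as in the page's example key ARN
KEY_ID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def parse_kms_arn(arn):
    """Split a KMS key ARN or alias ARN into its parts; raise ValueError otherwise."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key or alias ARN: {arn}")
    return m.groupdict()

def check_kms_arn(arn, tenant_region):
    """Findings for an ARN about to be entered as the tenant's key provider
    (an empty list means it is usable for a tenant hosted in tenant_region)."""
    p = parse_kms_arn(arn)
    findings = []
    if p["kind"] == "key" and not KEY_ID_RE.fullmatch(p["name"]):
        findings.append(f"key ID {p['name']!r} is not in KMS key ID format")
    if p["region"] not in SUPPORTED_REGIONS:
        findings.append(f"region {p['region']} is not a supported Qlik Cloud region")
    elif SUPPORTED_REGIONS[p["region"]] != p["partition"]:
        findings.append(f"partition {p['partition']} does not match region {p['region']}")
    if p["region"] != tenant_region:
        findings.append(f"key region {p['region']} differs from tenant region {tenant_region}; "
                        "the key must be in the same region as the tenant")
    return findings
```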
