
Data encryption

Sensitive data in QVF and QVD files is encrypted with customer-supplied key pairs, which allows you to control who gets access to your data. The encryption keys are managed through certificates that must be stored in a certificate store for the user running the Engine service.

The encryption is configured in the Qlik Management Console (QMC), where encryption is enabled and the certificate thumbprint is added. Data encryption is not enabled by default.

The engine reads the thumbprint and uses it to fetch the key from the Windows CNG key store. The engine then generates a new data encryption key (DEK), which is used to encrypt the data.

Note: A DEK is never reused which ensures that if one file is compromised, the encryption is still valid for all other files.

QVF encryption

The following is encrypted:

  • data (tables and fields)
  • bookmarks

The following is not encrypted:

  • objects, for example sheets and stories
  • static content, such as images

Note: You must reload an existing QVF for it to be encrypted after QVF encryption has been enabled in the QMC.

QVD encryption

The following is encrypted:

  • Data (tables and fields)

The QVD header is not encrypted. Encryption parameters are stored in the QVD header as extra metadata.

Note: You must reload an existing QVD for it to be encrypted after QVD encryption has been enabled in the QMC.

Older versions of Qlik Sense and QlikView return an error when reading encrypted QVD files.

Encryption certificates

Encryption keys are best managed through certificates. The certificates must be stored in a certificate store for the user running the Engine service, see User accounts.

The encryption certificate functions as a shell around the encryption key. The key can be fetched even if the certificate has expired, and therefore there is no need to renew an expired encryption certificate.

Warning: Make sure to back up the certificate. You may not be able to open your encrypted app if the certificate is lost. It is your responsibility to keep the certificate backup safe for as long as it is needed.

Note: If your organization has a key rotation policy, you may need to update the thumbprint definition when the key is changed.

Remember to keep the certificate containing the old key on the server until all QVFs and QVDs have been saved with the new key.

Encryption keys

The encryption solution uses two types of keys:

  • Data encryption keys
  • Key encryption keys

Data encryption keys

Data encryption keys (DEK) are auto-generated keys for AES-256 encryption of the data. A new key is generated for each object that is encrypted.

Key encryption keys

Key encryption keys (KEK) are a private and public key pair used for secure, asymmetric encryption of the data encryption keys. The public key is used to encrypt each data encryption key, and the private key is used to decrypt the data encryption keys encrypted by the public key.

Note: Only keys using the RSA algorithm are supported.
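The two-key scheme described above is envelope encryption: each object gets a fresh AES-256 DEK, and only that DEK is wrapped with the RSA KEK. The following is an added illustration in Go, not Qlik's code and not its file format. It assumes an RSA key pair generated in memory in place of the certificate in the CNG key store, AES-256-GCM as the authenticated mode for the DEK (the page states AES-256 but not the mode), RSA-OAEP for wrapping, and constructed sample data. It also shows why the old certificate must be kept after key rotation: an object wrapped with the old KEK cannot be opened with the new private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject models one encrypted QVF/QVD object: the data encrypted under
// a per-object AES-256 DEK, plus that DEK wrapped with the KEK public key.
// The field layout is an assumption for this example, not Qlik's format.
type EncryptedObject struct {
	WrappedDEK []byte // DEK encrypted with RSA-OAEP under the KEK public key
	Nonce      []byte // AES-GCM nonce, unique per object
	Ciphertext []byte // AES-256-GCM ciphertext with authentication tag
}

// newDEK returns a fresh 256-bit data encryption key. A new DEK is drawn
// for every object, so a DEK is never reused across files.
func newDEK() ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	return dek, nil
}

// EncryptObject encrypts plaintext with a fresh DEK and wraps the DEK with the
// KEK public key. Only the public half of the KEK is needed to encrypt.
func EncryptObject(kekPub *rsa.PublicKey, plaintext []byte) (*EncryptedObject, error) {
	dek, err := newDEK()
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptObject unwraps the DEK with the KEK private key and decrypts the data.
// If kekPriv is not the key the object was wrapped with (for example the new
// key after rotation, with the old certificate already removed), the unwrap
// fails and the data stays unreadable.
func DecryptObject(kekPriv *rsa.PrivateKey, obj *EncryptedObject) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, obj.WrappedDEK, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong or missing key encryption key")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

func main() {
	// Constructed sample: the KEK stands in for the RSA key behind the QMC thumbprint.
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	obj, err := EncryptObject(&kek.PublicKey, []byte("constructed sample table data"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptObject(kek, obj)
	fmt.Println(string(plain), err)

	// After rotation: a new KEK alone cannot open objects saved under the old one.
	rotated, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = DecryptObject(rotated, obj)
	fmt.Println("decrypt with rotated key:", err)
}
```

The point to take from the rotation branch is operational: after changing the thumbprint in the QMC, objects are only readable with the new key once they have been reloaded and saved again, so the certificate holding the old private key has to remain on the server until that has happened for every QVF and QVD.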

The key used for key encryption is specified in the Qlik Management Console (QMC) Data encryption section of the Service cluster resource, see Service cluster.

It is stored in a Microsoft Cryptography Next Generation (CNG) Key Storage Provider and it is contained in a certificate stored in a Windows Certificate Store.

For details of how to enable and manage encryption certificates, see Encryption certificates.