Data encryption
You can encrypt sensitive data in QVF and QVD files with customer-supplied key pairs, which allows you to control who gets access to your data. The encryption keys are managed through certificates that must be stored in a certificate store for the user running the Engine service.
The encryption is configured in the Qlik Management Console (QMC), where encryption is enabled and the certificate thumbprint is added. Data encryption is not enabled by default.
The engine reads the thumbprint and uses it to get the key from the Windows CNG key store. The engine then generates a new data encryption key (DEK), which is used to encrypt the data.
QVF encryption
The following is encrypted:
- data (tables and fields)
- bookmarks
The following is not encrypted:
- objects, for example sheets and stories
- static content, such as images
QVD encryption
The following is encrypted:
- Data (tables and fields)
The QVD header is not encrypted. Encryption parameters are stored in the QVD header as extra metadata.
Older versions of Qlik Sense and QlikView return an error when reading encrypted QVD files.
Encryption certificates
Encryption keys are best managed through certificates. The certificates must be stored in a certificate store for the user running the Engine service, see User accounts.
The encryption certificate functions as a shell around the encryption key. The key can be fetched even if the certificate has expired, and therefore there is no need to renew an expired encryption certificate.
Remember to keep the certificate containing the old key on the server until all QVFs and QVDs have been saved with the new key.
Encryption keys
The encryption solution uses two types of keys:
- Data encryption keys
- Key encryption keys
Data encryption keys
Data encryption keys (DEK) are auto-generated keys for AES-256 encryption of the data. A new key is generated for each object that is encrypted.
Key encryption keys
Key encryption keys (KEK) are a private and public key pair for secure, asymmetric encryption of the data encryption keys. The public key is used to encrypt the data encryption key and the private key is used to decrypt it.
The key used for key encryption is specified in the Qlik Management Console (QMC) Data encryption section of the Service cluster resource, see Service cluster.
It is stored in a Microsoft Cryptography Next Generation (CNG) Key Storage Provider and it is contained in a certificate stored in a Windows Certificate Store.
For details of how to enable and manage encryption certificates, see Encryption certificates.
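The two-key scheme described in this section, as an added Go example that is not Qlik's code: a fresh AES-256 DEK per object, wrapped with the KEK public key and carried alongside the nonce in an unencrypted header, with the payload decryptable only by the KEK private key. The in-memory RSA key pair (NewKEK) stands in for the certificate the engine fetches from the Windows CNG store, and AES-GCM and RSA-OAEP are assumed as the concrete modes, since the page does not state them.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// EncryptedObject: clear header parameters (RSA-OAEP wrapped DEK, GCM nonce), AES-256-GCM payload.
type EncryptedObject struct {
	WrappedDEK, Nonce, Ciphertext []byte
}
// NewKEK is an in-memory stand-in for the key pair the engine fetches via the certificate thumbprint from the CNG store.
func NewKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func aeadFor(dek []byte) (cipher.AEAD, error) { // AES-256-GCM cipher from a 32-byte DEK
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Encrypt draws a fresh DEK and nonce for this one object, encrypts the data, and wraps the DEK with the KEK public key.
func Encrypt(kekPub *rsa.PublicKey, data []byte) (*EncryptedObject, error) {
	buf := make([]byte, 32+12) // AES-256 key (never reused for another object) plus 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := aeadFor(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{wrapped, nonce, gcm.Seal(nil, nonce, data, nil)}, nil
}
// Decrypt unwraps the DEK with the KEK private key and opens the payload; a wrong (rotated-away) KEK or a tampered payload yields an error.
func Decrypt(kekPriv *rsa.PrivateKey, obj *EncryptedObject) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, obj.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}
```

Decrypting with a different KEK fails at the unwrap step, which is why the certificate holding the old key must stay on the server until every QVF and QVD has been re-saved under the new key.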