How to enable Data Encryption In Qlik Sense Enterprise On Windows

ToniKautto · Aug 28, 2024 3:48:58 AM

Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.

Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate-based key encryption key (KEK). The DEK is unique to each encrypted file and is stored alongside the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate as used during encryption, which mean that the KEK certificate thumbprint in the certificate store must match the thumbprint used for the DEK generation.

Instructions

Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption

data encryption in service cluster.png

Detailed Instructions with Example

This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.

Create a new sample app, like the attached ascii-table.qvf
1. Add a simple script to generate an ASCII table
```
ASCII:
Load
 if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num,
 Chr(RecNo()) as AsciiAlpha,
 RecNo() as AsciiNum
autogenerate 255
 Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160 ;
```
2. Create a folder connection to a folder where the QVD can be written
3. Generate QVD of a data table. Note, change the lib:// reference to match a valid data connection
```
STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
```
Reload the app
Copy the app and qvd files to allow comparison after enabling encryption
1. Default app location: C:\ProgramData\Qlik\Sense\Apps
2. The QVD location is per the app's folder data connection path

Create a certificate to test, following Encryption Certificates.

Run Powershell as the Qlik Sense service account or log in to Windows as the Qlik Sense service account.

Doing this with the correct account is crucial to make the generated certificate available to the service account.

Generate a self-signed certificate to use as an encryption key

Windows Server 2016

New-SelfSignedCertificate -Subject "QlikSenseDataEncrytion" `
                          -KeyAlgorithm RSA `
                          -KeyLength 4096 `
                          -Provider "Microsoft Software Key Storage Provider" `
                          -KeyExportPolicy ExportableEncrypted `
                          -CertStoreLocation "cert:\CurrentUser\My"

Windows Server 2012 R2

New-SelfSignedCertificate -DnsName "QlikSenseDataEncrytion" `
                          -CertStoreLocation "cert:\CurrentUser\My"

Validate that cert is available

Get the cert thumbprint from generation result. This thumbprint can be used as key-encryption key (KEK) by Qlik Sense.

Note: When copying the certificate thumbprint, an invisible character may be added at the beginning of the certificate thumbprint. Verify the thumbprint before executing the command in PowerShell:
Enable encryption in Service Cluster settings per Data Encryption
Restart Qlik Sense Engine service
Reload the app to generate data encryption keys (DEK) for encrypted QVF and QVD files.

Disable Encryption

Files remain encrypted after disabling encryption until the next following app reload or QVD generation.

Disable encryption in QMC > Service Cluster
1. Uncheck both encryption options
2. Remove encryption key
Restart Qlik Sense Engine Service on all nodes
Complete a full successful app reload cycle, including QVD generators
1. All QVF files have been decrypted
2. All QVD files have been decrypted

File Comparison

Compare the unencrypted and encrypted files to validate successful encryption

Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.

Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.

App file without encryption has no such references. The cypher text portion of QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks.

file comparison 01.png file comparison 02.png

Encrypted data (.qvd) files has "Encryption Info" defined, which includes the data encryption (DEK) references.
Data part is also significantly different, even though both version have exactly the same static data content.

file comparison 03.png

Encryption Scope

Encryption only applies at rest, meaning when stored on disk.
Data in memory is not encrypted
Exported app (QVF) file is not encrypted
Encrypted file (from apps storage folder) can not be imported in an other Qlik Sense instance.
The import fails as the importing server is unable to parse the encrypted file.

Related Content:

Qlik Sense on Windows: Data Encryption Key Rotation
Using Server Certificates for Data Encryption

jchoucq · ‎2023-05-11

Hi @ToniKautto ,

thank you very much for this article.

Let's imagine, that in my environement, i have 2 Qlik Sense servers. If i enable Data Encryption on both of them, using the same certificate, a QVD file generated by one of the Qlik Sense Servers could be read by the other one ?

Thanks a lot

Johann

ToniKautto · ‎2023-05-12

@jchoucq correct, encrypted QVDs can only be decrypted with the same certificate that was used when encrypting the data.

rbpeterson2 · ‎2023-08-04

In the example provided, it appears you are using the Current User \ Personal cert store; in a production environment, I would think the cert store utilized to be the Current Machine\Personal (especially if the user doesn't exist on each machine...); correct?

Sonja_Bauernfeind · ‎2023-08-07

Hello @rbpeterson2

Certificates should be stored in current users as per Encryption Certificates.

Quote: Encryption keys are best managed through certificates. The certificates must be stored in a certificate store for the user running the Engine service, see User accounts.

All the best,
Sonja

krishnakumars7 · ‎2023-09-25

Is it possible to encrypt the CSV file which is created using store command ?

karthiksrqv · ‎2024-10-22

Hi @Sonja_Bauernfeind ,

We have a few questions:

1. Are the commands to generate the certificates in Windows 2019 Server any different? If yes, can you please provide the commands.

2. What is the known behaviour with large QVF apps and QVDs if encryption is enabled. Are there signficant performance hits in terms of storing qvds, reading from qvds, accessing apps - when the qvds and qvfs are multiple GBs in size.

3. Also, is there any known issues if it enabled in apps/qvds that store local language data?

4. What is the recommended (if any) certificate backup strategy recommended by Qlik to its customers?

5. What are the alternatives to using a self-signed certificate? what parameters should such certificates adhere to to be used for encryption?

Sonja_Bauernfeind · ‎2024-10-28

Hello @karthiksrqv

Please post these queries in the appropriate forum (Deployment and Management), where our active support agents and your Qlik peers are more readily able to assist you. The queries you've sent here go beyond the scope of what we can assist you in an article with.

All the best,
Sonja

How to enable Data Encryption In Qlik Sense Enterprise On Windows