Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2026! Turn data into bold moves, April 13 -15: Learn More!

How to enable Data Encryption In Qlik Sense Enterprise On Windows

100% helpful (1/1)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
ToniKautto
Employee
Employee

How to enable Data Encryption In Qlik Sense Enterprise On Windows

Last Update:

Aug 28, 2024 3:48:58 AM

Updated By:

Sonja_Bauernfeind

Created date:

Nov 7, 2019 10:11:54 PM

Attachments
Sample-Data-Files.zip
ascii-table.qvf

Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.

Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate-based key encryption key (KEK). The DEK is unique to each encrypted file and is stored alongside the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate as used during encryption, which mean that the KEK certificate thumbprint in the certificate store must match the thumbprint used for the DEK generation. 

Instructions

Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption

data encryption in service cluster.png

 

Detailed Instructions with Example

This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.  

  1. Create a new sample app, like the attached ascii-table.qvf
    1. Add a simple script to generate an ASCII table 
      ASCII:
Load
 if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num,
 Chr(RecNo()) as AsciiAlpha,
 RecNo() as AsciiNum
autogenerate 255
 Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160 ;
    2. Create a folder connection to a folder where the QVD can be written
    3. Generate QVD of a data table. Note, change the lib:// reference to match a valid data connection 
      STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
  2. Reload the app
  3. Copy the app and qvd files to allow comparison after enabling encryption 
    1. Default app location: C:\ProgramData\Qlik\Sense\Apps 
    2. The QVD location is per the app's folder data connection path
  4. Create a certificate to test, following Encryption Certificates.
    1. Run Powershell as the Qlik Sense service account or log in to Windows as the Qlik Sense service account.

      Doing this with the correct account is crucial to make the generated certificate available to the service account.
      run as a different user.png

    2. Generate a self-signed certificate to use as an encryption key

      Windows Server 2016

       
      New-SelfSignedCertificate -Subject "QlikSenseDataEncrytion" `
                          -KeyAlgorithm RSA `
                          -KeyLength 4096 `
                          -Provider "Microsoft Software Key Storage Provider" `
                          -KeyExportPolicy ExportableEncrypted `
                          -CertStoreLocation "cert:\CurrentUser\My"

      Windows Server 2012 R2

       
      New-SelfSignedCertificate -DnsName "QlikSenseDataEncrytion" `
                          -CertStoreLocation "cert:\CurrentUser\My"
    3. Validate that cert is available 
  5. Get the cert thumbprint from generation result. This thumbprint can be used as key-encryption key (KEK) by Qlik Sense. 

    get thumbprint power shell.png

    Note:     When copying the certificate thumbprint, an invisible character may be added at the beginning of the certificate thumbprint. Verify the thumbprint before executing the command in PowerShell:

    Encryption_issue.png

  6. Enable encryption in Service Cluster settings per Data Encryption

    data encryption enabled.png

  7. Restart Qlik Sense Engine service
  8. Reload the app to generate data encryption keys (DEK) for encrypted QVF and QVD files. 

Disable Encryption

Files remain encrypted after disabling encryption until the next following app reload or QVD generation. 

  1. Disable encryption in QMC > Service Cluster
    1. Uncheck both encryption options
    2. Remove encryption key
      data encryption.png
  2. Restart Qlik Sense Engine Service on all nodes
  3. Complete a full successful app reload cycle, including QVD generators
    1. All QVF files have been decrypted
    2. All QVD files have been decrypted

File Comparison

Compare the unencrypted and encrypted files to validate successful encryption

Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.

Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.

App file without encryption has no such references. The cypher text portion of QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks. 

file comparison 01.pngfile comparison 02.png

 

Encrypted data (.qvd) files has "Encryption Info" defined, which includes the data encryption (DEK) references.
Data part is also significantly different, even though both version have exactly the same static data content. 

file comparison 03.png

Encryption Scope

  • Encryption only applies at rest, meaning when stored on disk.  
  • Data in memory is not encrypted
  • Exported app (QVF) file is not encrypted
  • Encrypted file (from apps storage folder) can not be imported in an other Qlik Sense instance.
    The import fails as the importing server is unable to parse the encrypted file. 

    failed to import app please check log file.png

 

 

 

Related Content:

Qlik Sense on Windows: Data Encryption Key Rotation
Using Server Certificates for Data Encryption

Labels (1)
Labels:
13,808 Views
Was this article helpful? Yes No
Comments
ali_hijazi
Partner - Master II
Partner - Master II
‎2025-07-02 08:30 AM

@ToniKautto what do you mean by "a user needs access to the cert used for encrypting the file" to decrypt it?

ali_hijazi
Partner - Master II
Partner - Master II
‎2025-07-02 09:10 AM

@ToniKautto so as long as the app is on the server where it was encrypted any developer is able to open it and work on it normally
but if this app is copied from where it is saved (folder location) and a user tries to import it to another server the import will fail

so I assume that encryption is not intended to prevent a group of user from working on the app on the server where it was encrypted

 

another question if this encrypted app was duplicated, will the duplicate copy be encrypted too?
if I publish the duplicated app and replace the encrypted one, what will happen?

ToniKautto
Employee
Employee
‎2025-07-02 11:44 AM

@ali_hijazi encryption in this case protects a file at rest. As you can see in the post and related help pages, the encryption is certificate-based, so if someone copies a file, they can not decrypt it without access to the same certificate. 

Encryption of a file is unrelated to authorization or user access to the product; these are two different concepts. 

As you can see in the documentation, encryption is enabled at the service cluster level; it affects all QVF and QVD files that are written in the deployment. A duplicate app is a new QVF; hence, it will be encrypted at creation. 

My suggestion is that you validate some of your use cases and concerns by following the post and the documentation. Enable encryption, and verify that files are encrypted in storage. Duplicate and publish apps, while verifying that encryption remains on he created, updates files. 

 

Version history
Last update:
‎2024-08-28 03:48 AM
Updated by:
Digital Support