Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.
This feature was originally introduced in September 2019 as a feature flag and fully implemented in the Management Console in November 2019.
This article includes instructions for both.
Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate-based key encryption key (KEK). The DEK is unique to each encrypted file and is stored alongside the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate that was used during encryption, which means that the KEK certificate thumbprint in the certificate store must match the thumbprint used for the DEK generation.
For Qlik Sense Enterprise on Windows November 2019 and later
Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption
Detailed Instructions with Example
This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.
Create a new sample app, like the attached ascii-table.qvf
Add a simple script to generate an ASCII table
// Generate 255 rows and keep only the printable character codes
ASCII:
LOAD
if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num,
Chr(RecNo()) as AsciiAlpha,
RecNo() as AsciiNum
AutoGenerate 255
Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160 ;
Create a folder connection to a folder where the QVD can be written
Generate a QVD from the data table. Note: change the lib:// reference to match a valid data connection.
STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
Reload the app
Copy the app and QVD files to allow comparison after enabling encryption
Reload the app to generate data encryption keys (DEK) for the encrypted QVF and QVD files.
Files remain encrypted after encryption is disabled until the next app reload or QVD generation.
Disable encryption in QMC > Service Cluster
Uncheck both encryption options
Remove encryption key
Restart Qlik Sense Engine Service on all nodes
Complete full successful app reload cycle, including QVD generators
All QVF files have been decrypted
All QVD files have been decrypted
Compare the unencrypted and encrypted files to validate successful encryption
A Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.
Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.
An app file without encryption has no such references. The ciphertext portion of the QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks.
Encrypted data (.qvd) files have "Encryption Info" defined, which includes the data encryption key (DEK) references. The data part is also significantly different, even though both versions have exactly the same static data content.
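The comparison described above can be scripted. This is an added example, not part of the original article or of Qlik's tooling: the marker strings follow the article's wording (their exact on-disk spelling is an assumption), the entropy check is a heuristic chosen here, and the sample bytes are constructed stand-ins rather than real Qlik files.

```python
import hashlib
import math
import sys
from collections import Counter

# Marker text taken from the article's description; the exact on-disk
# spelling and case are assumptions, so matching ignores case and spaces.
MARKERS = (b"ciphertext", b"encryptioninfo")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def inspect_bytes(data: bytes) -> dict:
    """Report which encryption markers appear and how random the bytes look."""
    folded = data.lower().replace(b" ", b"")
    found = [m.decode() for m in MARKERS if m in folded]
    return {"markers": found, "entropy": round(entropy(data), 2)}

def compare(before: bytes, after: bytes) -> dict:
    """Compare the copy taken before encryption with the file written after reload."""
    b, a = inspect_bytes(before), inspect_bytes(after)
    # Heuristic: markers appear only in the new file and its bytes look more random.
    encrypted = bool(a["markers"]) and not b["markers"] and a["entropy"] > b["entropy"]
    return {"before": b, "after": a,
            "content_changed": before != after, "looks_encrypted": encrypted}

def constructed_samples():
    """Constructed stand-ins for ascii.qvd before and after; not real Qlik files."""
    rows = b"".join(b"%d,%c;" % (n, n) for n in range(65, 91)) * 40
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(200))
    before = b"<Header>ascii</Header>" + rows
    after = b"<Header>ascii<Encryption Info>DEK</Encryption Info></Header>" + noise
    return before, after

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py copy_before.qvd file_after.qvd
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(compare(f1.read(), f2.read()))
    else:
        print(compare(*constructed_samples()))
```

Run it with the saved copy and the freshly written file as arguments; a file that already holds compressed data can show high entropy without encryption, so treat the marker check as the primary signal.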
Encryption only applies at rest, meaning when stored on disk.
Data in memory is not encrypted
An exported app (QVF) file is not encrypted
An encrypted file (from the apps storage folder) cannot be imported into another Qlik Sense instance. The import fails because the importing server is unable to parse the encrypted file.
For Qlik Sense Enterprise on Windows September 2019
The data encryption feature was soft-launched in the September 2019 release. This means that the feature and functionality were included in the release, but are not enabled and exposed by default in the product.
Edit the Capability Service configuration. Default location: C:\Program Files\Qlik\Sense\CapabilityService\capabilities.json