Aug 6, 2023 11:21:38 PM
Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.
This feature was originally introduced in September 2019 as a feature flag and fully implemented in the Management Console in November 2019.
This article includes instructions for both.
Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate based key encryption key (KEK). The DEK is unique to each encrypted file and is stored along side the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate as used during encryption, which mean that the KEK certifcate thumbprint in certificate store must match the thumbprint used for the DEK generation.
For Qlik Sense Enterprise on Windows November 2019 and later
Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption
Detailed Instructions with Example
This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.
- Create a new sample app, like the attached ascii-table.qvf
- Add a simple script to generate an ASCII table
ASCII: Load if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num, Chr(RecNo()) as AsciiAlpha, RecNo() as AsciiNum autogenerate 255 Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160 ;
- Create a folder connection to a folder where the QVD can be written
- Generate QVD of a data table. Note, change the lib:// reference to match a valid data connection
STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
- Add a simple script to generate an ASCII table
- Reload the app
- Copy the app and qvd files to allow comparison after enabling encryption
- Default app location: C:\ProgramData\Qlik\Sense\Apps
- The QVD location is per app's folder data connection path
- Create a certificate to test, following Encryption Certificates.
- Run Powershell as Qlik Sense service account or login to Windows as Qlik Sense service account
Note, this is to make the generated cert available to service account. - Generate a self-signed certificate to use as an encryption key
Windows Server 2016
New-SelfSignedCertificate -Subject "QlikSenseDataEncrytion" ` -KeyAlgorithm RSA ` -KeyLength 4096 ` -Provider "Microsoft Software Key Storage Provider" ` -KeyExportPolicy ExportableEncrypted ` -CertStoreLocation "cert:\CurrentUser\My"
Windows Server 2012 R2New-SelfSignedCertificate -DnsName "QlikSenseDataEncrytion" ` -CertStoreLocation "cert:\CurrentUser\My" - Validate that cert is available
- Run Powershell as Qlik Sense service account or login to Windows as Qlik Sense service account
- Get the cert thumbprint from generation result. This thumbprint can be used as key-encryption key (KEK) by Qlik Sense.
Note: When copying the certificate thumbprint, an invisible character may be added at the beginning of the certificate thumbprint. Verify the thumbprint before executing the command in PowerShell: - Enable encryption in Service Cluster settings per Data Encryption
- Restart Qlik Sense Engine service
- Reload app to generate data encryption keys (DEK) for encrypted QVF and QVD file.
Disable Encryption
Files remain encrypted after disabling encryption until next following app reload or QVD generation.
- Disable encryption in QMC > Service Cluster
- Uncheck both encryption options
- Remove encryption key
- Restart Qlik Sense Engine Service on all nodes
- Complete full successful app reload cycle, including QVD generators
- All QVF files have been decrypted
- All QVD files have been decrypted
File Comparison
Compare the unencrypted and encrypted files to validate successful encryption
Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.
Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.
App file without encryption has no such references. The cypher text portion of QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks.
Encrypted data (.qvd) files has "Encryption Info" defined, which includes the data encryption (DEK) references.
Data part is also significantly different, even though both version have exactly the same static data content.
Encryption Scope
- Encryption only applies at rest, meaning when stored on disk.
- Data in memory is not encrypted
- Exported app (QVF) file is not encrypted
- Encrypted file (from apps storage folder) can not be imported in an other Qlik Sense instance.
The import fails as the importing server is unable to parse the encrypted file.
For Qlik Sense Enterprise on Windows September 2019
Data encryption feature was soft-launched in September 2019 release. This means that the feature and functionality were included in the release, but are not enabled and exposed by default in the product.
- Edit Capability Service configuration. Default location; C:\Program Files\Qlik\Sense\CapabilityService\capabilities.json
- Add DATA_ENCRYPTION flag and set it to enabled.
{ "contentHash": "10159d595f5fa3bd250e90f30b1b7bf3", "originalClassName": "FeatureToggle", "flag": "DATA_ENCRYPTION", "enabled": true } - Restart Qlik Sense Service Dispatcher and Qlik Sense Engine services
- Repeat steps 1-3 on each node in Qlik Sense deployment
Related Content:
Qlik Sense on Windows: Data Encryption Key Rotation
Using Server Certificates for Data Encryption
