Skip to main content
Product Release Webinar: Qlik Insider airing December 6! REGISTER TODAY!

How to enable Data Encryption In Qlik Sense Enterprise On Windows

100% helpful (1/1)
Showing results for 
Search instead for 
Did you mean: 

How to enable Data Encryption In Qlik Sense Enterprise On Windows

Last Update:

Aug 6, 2023 11:21:38 PM

Updated By:



Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.

This feature was originally introduced in September 2019 as a feature flag and fully implemented in the Management Console in November 2019.

This article includes instructions for both. 

Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate based key encryption key (KEK). The DEK is unique to each encrypted file and is stored along side the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate as used during encryption, which mean that the KEK certifcate thumbprint in certificate store must match the thumbprint used for the DEK generation. 


For Qlik Sense Enterprise on Windows November 2019 and later

Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption

data encryption in service cluster.png


Detailed Instructions with Example

This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.  

  1. Create a new sample app, like the attached ascii-table.qvf
    1. Add a simple script to generate an ASCII table
       if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num,
       Chr(RecNo()) as AsciiAlpha,
       RecNo() as AsciiNum
      autogenerate 255
       Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160 ;
    2. Create a folder connection to a folder where the QVD can be written
    3. Generate QVD of a data table. Note, change the lib:// reference to match a valid data connection
      STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
  2. Reload the app
  3. Copy the app and qvd files to allow comparison after enabling encryption 
    1. Default app location: C:\ProgramData\Qlik\Sense\Apps 
    2. The QVD location is per app's folder data connection path
  4. Create a certificate to test, following Encryption Certificates.
    1. Run Powershell as Qlik Sense service account or login to Windows as Qlik Sense service account
      Note, this is to make the generated cert available to service account.  
      run as a different user.png
    2. Generate a self-signed certificate to use as an encryption key

      Windows Server 2016
      New-SelfSignedCertificate -Subject "QlikSenseDataEncrytion" `
                                -KeyAlgorithm RSA `
                                -KeyLength 4096 `
                                -Provider "Microsoft Software Key Storage Provider" `
                                -KeyExportPolicy ExportableEncrypted `
                                -CertStoreLocation "cert:\CurrentUser\My"

      Windows Server 2012 R2
      New-SelfSignedCertificate -DnsName "QlikSenseDataEncrytion" `
                                -CertStoreLocation "cert:\CurrentUser\My"
    3. Validate that cert is available 
  5. Get the cert thumbprint from generation result. This thumbprint can be used as key-encryption key (KEK) by Qlik Sense. 

    get thumbprint power shell.png

     When copying the certificate thumbprint, an invisible character may be added at the beginning of the certificate thumbprint. Verify the thumbprint before executing the command in PowerShell:


  6. Enable encryption in Service Cluster settings per Data Encryption

    data encryption enabled.png

  7. Restart Qlik Sense Engine service
  8. Reload app to generate data encryption keys (DEK) for encrypted QVF and QVD file. 

Disable Encryption

Files remain encrypted after disabling encryption until next following app reload or QVD generation. 

  1. Disable encryption in QMC > Service Cluster
    1. Uncheck both encryption options
    2. Remove encryption key
      data encryption.png
  2. Restart Qlik Sense Engine Service on all nodes
  3. Complete full successful app reload cycle, including QVD generators
    1. All QVF files have been decrypted
    2. All QVD files have been decrypted

File Comparison

Compare the unencrypted and encrypted files to validate successful encryption

Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.

Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.

App file without encryption has no such references. The cypher text portion of QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks. 

file comparison 01.pngfile comparison 02.png


Encrypted data (.qvd) files has "Encryption Info" defined, which includes the data encryption (DEK) references.
Data part is also significantly different, even though both version have exactly the same static data content. 

file comparison 03.png

Encryption Scope

  • Encryption only applies at rest, meaning when stored on disk.  
  • Data in memory is not encrypted
  • Exported app (QVF) file is not encrypted
  • Encrypted file (from apps storage folder) can not be imported in an other Qlik Sense instance.
    The import fails as the importing server is unable to parse the encrypted file. 

    failed to import app please check log file.png



For Qlik Sense Enterprise on Windows September 2019

Data encryption feature was soft-launched in September 2019 release. This means that the feature and functionality were included in the release, but are not enabled and exposed by default in the product. 

  1. Edit Capability Service configuration. Default location; C:\Program Files\Qlik\Sense\CapabilityService\capabilities.json
  2. Add DATA_ENCRYPTION flag and set it to enabled.
    "contentHash": "10159d595f5fa3bd250e90f30b1b7bf3",
    "originalClassName": "FeatureToggle",
    "flag": "DATA_ENCRYPTION",
    "enabled": true
  3. Restart Qlik Sense Service Dispatcher and Qlik Sense Engine services 
  4. Repeat steps 1-3 on each node in Qlik Sense deployment



Related Content:

Qlik Sense on Windows: Data Encryption Key Rotation
Using Server Certificates for Data Encryption

Labels (1)
Partner - Creator III
Partner - Creator III

Hi @ToniKautto ,

thank you very much for this article.

Let's imagine, that in my environement, i have 2 Qlik Sense servers. If i enable Data Encryption on both of them, using the same certificate, a QVD file generated by one of the Qlik Sense Servers could be read by the other one ?

Thanks a lot 



@jchoucq correct, encrypted QVDs can only be decrypted with the same certificate that was used when encrypting the data. 

Contributor III
Contributor III

In the example provided, it appears you are using the Current User \ Personal cert store; in a production environment, I would think the cert store utilized to be the Current Machine\Personal (especially if the user doesn't exist on each machine...); correct?

Digital Support
Digital Support

Hello @rbpeterson2 

Certificates should be stored in current users as per Encryption Certificates

Quote: Encryption keys are best managed through certificates. The certificates must be stored in a certificate store for the user running the Engine service, see User accounts.

All the best,

Partner - Contributor III
Partner - Contributor III

Is it possible to encrypt the CSV file which is created using store command ?

Version history
Last update:
‎2023-08-07 02:21 AM
Updated by: