Qlik Sense encrypts app (.QVF) and data (.QVD) files at time of write to disk. This means that changes to the encryption certificate is not reflected in encrypted files until next time the file is written to disk by the Qlik Sense Engine.
- QVF file is encrypted when successfully reloaded, either manually or through a reload task.
- QVD file is encrypted when it is successfully generated through a STORE command in a reload script.
Completely replacing encryption certificate requires that all encrypted files are re-written to disk with the new certificate. Any file that remains encrypted with old certificate, can only be opened by Qlik Sense Engine if the old certificate still remains in the certificate store.
If encryption certificate is not available in certificate store, the encrypted QVF or QVD file will not be possible to open by Qlik Sense Engine and any user access to the file will be denied.
Environment:
Qlik Sense Enterprise on Windows September 2019 and later
Resolution:
A successful key-encryption key (KEK) rotation requires that both the new and old certificate are available in certificate store until key change has been applied on all encrypted files.
- Import the new certificate to Windows certificate store on all Qlik Sense Engine nodes
- Configure Qlik Sense to use the new certificate for encryption
- Re-write all encrypted QVF an QVD files
- Save QVF files manually or run reload task
- Regenerate QVD files through STORE command in app reload
- Backup old encryption certificate (in case it is needed later)
- Remove old encryption certificate from Windows certificate store
- Validate that all encrypted files can be accessed
Related Content:
