10 Replies Latest reply: Feb 24, 2015 8:50 PM by Antonio Caria

    How to protect sensitive data?

    Andreas Karlsson

      Hi folks,

      I'm building an app that holds sensitive data. No one except the end users should be able to view that data. Not the ones having access to the qvd or qvw files. Not me as the developer either. Then the qv-admins cannot be blamed if there is a leakage.

      So the source data will be encrypted with a key and stay encrypted within the qvd. Then I guess the data has to remain encrypted in the qvw (or should I use section access, but then I will get access as the developer, or?) and when the user opens the app there is an input field to enter the key, which should decrypt the data. I've seen examples with decrypt macros. Am I approaching this correctly? Is this possible with an enterprise tool like QlikView?

      /Andy

      Andy

        • Re: How to protect sensitive data?
          Ashfaq Mohammed

          Hi, from an application point of view you can go with section access.

          But QVD-level encryption is not supported.

          Hope it helped.

          Regards

          ASHFAQ

            • Re: How to protect sensitive data?
              Colin Albert

              Any user who can get a copy of the QVD data can read it either through QV Personal Edition or via third party QVD tools. QVDs are not a secure way of holding data.

               

              Section access can restrict which users can view the data when using QlikView, but the developers will need access to the data to be able to develop and test the application.

               

              The folders & files where the QVD data is held must be secured using AD file permissions so that access is only granted to the QlikView service account and developers when required. The developer permissions can be removed, or the developer account disabled, when development is not taking place.


            • Re: How to protect sensitive data?
              jagan mohan rao appala

              Hi,

               

              I think you cannot encrypt and decrypt data from QVD. You can restrict the access in QlikView files with section access. You can maintain two environments, one for development and the other for production; usually developers work in the development environment and the QlikView administrator has access to the Prod environment.

               

              This way you can restrict access: only the QlikView admin has full access to the files.

               

              Regards,

              Jagan.

              • Re: How to protect sensitive data?
                Gysbert Wassenaar

                No, that's not possible.

                  • Re: How to protect sensitive data?
                    Andreas Karlsson

                    Of course it is possible, everything is possible. You add a macro with your favourite encryption algorithm; you can call the macro either from script or from the GUI. If you don't know the answer, do not say it is impossible. I was just interested in findings from people who have done this. Here is an example:

                    https://medium.com/@justin_skaggs/encryption-in-qlikview-54aedfba6f0e

                    I as a developer do not need the true data to develop but can use test data. The QlikView administration can access the files, so that is why the data must be worthless to them, encrypted. Just like storage of passwords on any website.

                      • Re: How to protect sensitive data?
                        Gysbert Wassenaar

                        The developer has access to the load scripts where the encryption or decryption takes place. One of your requirements is that the developer has no access to the unencrypted data. Same for admins, but system admins will have access to the documents that contain the unencrypted data that are deployed on the qlikview server.

                        No one except the end users should be able to view that data.

                        That requirement cannot be met with Qlikview to the best of my knowledge.

                          • Re: How to protect sensitive data?
                            Andreas Karlsson

                            In all cases where encryption takes place the developers never have access to the unencrypted data. Think of such a simple case as your password here at qlik: no developer can read it out since you have the key to the encryption. You can replace it but never retrieve it in clear text.

                            In the scenario I think of, the QlikView script fetches encrypted data which only the end user knows the key to, stores the encrypted data in a qvd, just as any data, then the qvw presents the encrypted data, just as any data, and the end user can enter his key in an input variable and trigger the decrypt macro to get back the true data. I think that should be possible and have to do a proof of concept.

                            Cannot believe I'm the first one with that use case and QlikView.

                            • Re: How to protect sensitive data?
                              Antonio Caria

                              You can use Hidden Script.

                                • Re: How to protect sensitive data?
                                  Antonio Caria


                                  The best solution is:

                                  1) In the QVW, under Edit Module, create a decrypt function with CryptoJS.

                                  function decrypt(value) {
                                      if (null == value || '' == value) return '';
                                      -----
                                      return decryptedData.toString(CryptoJS.enc.Utf8);
                                  }

                                  Protect Edit Module with a password in Document Properties.


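                                  2) Create the QVD dynamically with Java / C# / C++.

                                  In Java:

                                  import java.nio.charset.StandardCharsets;
                                  import java.security.Key;
                                  import javax.crypto.Cipher;
                                  import javax.crypto.spec.SecretKeySpec;

                                  private static byte[] encryptBytes(final String s) throws Exception {
                                      // Placeholder key as posted; a real AES key must be exactly 16, 24 or 32 bytes.
                                      final Key key = new SecretKeySpec("KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY".getBytes(StandardCharsets.UTF_8), "AES");
                                      // "AES" alone selects the provider default (AES/ECB/PKCS5Padding on the standard JDK provider).
                                      final Cipher c = Cipher.getInstance("AES");
                                      c.init(Cipher.ENCRYPT_MODE, key);
                                      return c.doFinal(s.getBytes(StandardCharsets.UTF_8));
                                  }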


                                  3) In Qlik, under Edit Script:

                                  SELECT decrypt(column)....
                                  from .... qvd

                                  Protect Edit Script with a password in Document Properties.


                                  Notes:

                                  * Null and empty columns aren't encrypted.

                                  * The QVD generation uses the real column's hashCode() (Java) to test for repeated values in columns, because Crypt generates different values for the same input.

                                  * The speed decreases by 10% or more depending on the number of columns encrypted.

                                  This process is tested for a QVD with more than 100 million records.
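
Added example, not part of the thread and not any poster's code: the scheme discussed above (values stay encrypted in the stored file and only the end user's key decrypts them), sketched in Node.js with its built-in crypto module. It derives the key from a user passphrase instead of embedding it in the generator, and uses a keyed HMAC tag for the repeated-value check that randomized encryption makes necessary. The function names, passphrase, salt and sample values are constructed for illustration, and running this inside a QlikView module is not shown.

```javascript
// Added illustration; names and sample data are constructed, not from the thread.
const crypto = require('crypto');

// Derive two independent 32-byte keys from the end user's passphrase:
// one for encryption, one for the equality tag. The salt is not secret.
function deriveKeys(passphrase, salt) {
  const okm = crypto.pbkdf2Sync(passphrase, salt, 200000, 64, 'sha256');
  return { encKey: okm.subarray(0, 32), tagKey: okm.subarray(32) };
}

// Encrypt one column value. Null and empty values pass through unencrypted,
// matching the first note in the last post.
function encryptCell(keys, value) {
  if (value === null || value === '') return { ct: '', eq: '' };
  const iv = crypto.randomBytes(12); // fresh nonce per cell
  const c = crypto.createCipheriv('aes-256-gcm', keys.encKey, iv);
  const body = Buffer.concat([c.update(value, 'utf8'), c.final()]);
  const ct = Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
  // Keyed, deterministic tag: equal plaintexts give equal tags, so repeated
  // values can be detected even though the ciphertexts differ.
  const eq = crypto.createHmac('sha256', keys.tagKey).update(value, 'utf8').digest('hex');
  return { ct, eq };
}

// Decrypt one cell; a wrong key or a modified ciphertext makes final() throw.
function decryptCell(keys, ct) {
  if (ct === null || ct === '') return '';
  const raw = Buffer.from(ct, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', keys.encKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Constructed sample column with one repeated value and one empty value.
const salt = Buffer.from('constructed-demo-salt');
const userKeys = deriveKeys('end-user passphrase (constructed)', salt);
const rows = ['alice@example.com', 'bob@example.com', 'alice@example.com', '']
  .map((v) => encryptCell(userKeys, v));
```

The equality tag still reveals which rows hold the same value to anyone who can read the file; leave it out for columns where that is not acceptable.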