Qlik Sense QVD / QVF Encryption (Qlik Sense Enterprise on Windows)

From Qlik Sense Enterprise on Windows September 2019 (the option became configurable via the QMC in November 2019), users have the option of enabling one or both of QVD and QVF encryption – adding at-rest protection from people who shouldn’t have access to your valuable files. This is enabled server-wide and applies to all content on the environment.

The big issue that I see is that any security office is going to require that any and all encryption is enabled – without understanding the issues this could cause.

Here’s the new DATA ENCRYPTION section under Service cluster in the QMC

What can I set in the QMC?

Although the Qlik Help site offers plenty of detail, it’s surprising that there’s no validation on the encryption key you enter in the QMC itself – you can enter anything you want and apply it, without Qlik Sense verifying that a corresponding certificate exists.

Let’s say, in my wisdom, I do not read the help pages, and enable QVD encryption with an encryption key of say, 80090016. What happens?

Rather than a certificate thumbprint, I’ll enter my own “key”

Well, everything looks OK, until you actually try to store a QVD and you get the message “Failed to open key : 80090016”.

As the person who configured said key, I’d eventually work out that it’s because I didn’t put in a certificate thumbprint from the system (it would be better if Qlik Sense actually validated this).

The actual process is to create or import a certificate and add the correct thumbprint:

New-SelfSignedCertificate -Subject QlikSenseEncryption -KeyAlgorithm RSA -KeyLength 4096 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy ExportableEncrypted -CertStoreLocation "cert:\CurrentUser\My"
The resulting thumbprint can be bussed into the QMC

Do QVDs look any different?

We know that QVDs are formed of an XML header containing metadata related to the QVD and it’s content, followed by the data itself in a proprietary Qlik format.

Once encrypted, a QVD retains the same XML header plus one additional node – EncryptionInfo. You can inspect the header in a text editor such as notepad – but if you try to use the Qlik Sense load data or load editor to open the file in XML format you’ll get the error listed above.

Example EncryptionInfo from a QVD generated on a test server running Qlik Sense (Qlik Sense Enterprise on Windows, November 2019) with QVD encryption enabled:

<EncryptionInfo>{&quot;ciphertext&quot;:&quot;CG9pOkmubU1+3pYtB4ui4/mwAR6y7C5SCm8HV112JKvh432LxjVAgZosXIoL+sMLf34uDgdzv7viSLeRm4ny3gAMGMTJin3HdUnx5pwfQ6Ynp+OjgIW2isVo0h1H4zllzLtqTBT9cIw736dfCDCvASyb3f5/ELfPIegaRYmThAHIrsgFQXV3VW3JRw7009Nu19oSwDqEGmt2puTPh6FJD7DaTMiQQo+nHWD3MjNQKw9Be0cbTi2/agtO0J8dsrHgP+N5C45V8W/gLXWhAQEBm0pNQssM08YK4fnoFX+VqEVpL5NMjiw9QzZDfwqhi45Cb7bECKJXKyPxPU6wC+fCtelASzKzaJTaSrWHs7OCqiE6dKhcQBHh9Y1eBYK+1Q2l44UJmcDhYVpzjDg84lVJvIwSNgayMgJGNWwC9AUo0+JdUHr0dAHYDkEmUgsXEkBAIvVgsuAdHiO+JWeJZrxorbr/mMyhDikKULO7KNlA+XoTxlxcomwEt4oGsNEU2jVMF67f2TEQ7eE3fUAs3f4MpVoYwgxgwHuDzDrOps+ChYInen8hJmzi+mUU3sAt6u+81/XhIXUuO8sQ1Xbp7upS7x97FXxgMeZxS4FSIMPI7ckR0Wri4q8xPmnN0BzgGRUaTcHxOfTTmasUkFHZMbhAZcPKUjW1AjGFNcjRwSuhy4M=&quot;,&quot;thumbprint&quot;:&quot;7FD06E9A238256F70EECA4BEBD0652AB82F4848F&quot;,&quot;store&quot;:&quot;MY&quot;}</EncryptionInfo>

This appears to contain the following information:

  • cipertext – presumably used for encryption/decryption on another system against the cert
  • thumbprint – a hexadecimal key that uniquely identified a certificate
  • store – which certificate store the cert is located in

What happens if I try to open an encrypted QVD on a system without the encryption certificate?

You get a rather ungraceful “Cannot open the following file: ‘{0}’.” error.

Enter the cryptic “Cannot open the following file: ‘{0}’. Check to confirm that the file is available and reload the script.”

Note that to read encrypted QVDs on a system, you just need to import the correct certificate onto the Qlik Sense server – you do not need to enable QVD encryption on the QMC unless you wish to write encrypted QVDs.

There are a few topics I’ll look to follow up on:

  • LOAD / STORE performance
  • File size impact
  • QVD migration pains (to QlikView, to Qlik Sense environments with many certs)
  • QVF performance
  • QVF import / export

One Reply to “Qlik Sense QVD / QVF Encryption (Qlik Sense Enterprise on Windows)”

Leave a Reply

Your email address will not be published. Required fields are marked *