How does Azure Key Vault
Azure Key Vault
Tableau Server has three key management options that you can use to enable encryption at rest. Two of these require the Server Management add-on, while a local option is available on all installations of Tableau Server.
Starting with version 2019.3, Tableau Server has the following key management options:
Starting with version 2021.1, Tableau Server has an additional key management option:
- An Azure-based KMS that is used as part of the Server Management add-on. This is described below.
Azure Key Vault for encryption at rest
Azure Key Vault is available as part of the Server Management Add-on for Tableau Server starting with version 2021.1.0. For more information, see About Tableau Server Management Add-on.
If your organization deploys data extract encryption at rest, you can optionally configure Tableau Server to use Azure Key Vault as the KMS for extract encryption. To enable Azure Key Vault, you must deploy Tableau Server in Azure. In the Azure scenario, Tableau Server uses Azure Key Vault to encrypt the Root Master Key (RMK) for all encrypted extracts. Even when configured for Azure Key Vault, the Tableau Server native Java keystore and local KMS are still used to securely store secrets on Tableau Server. Azure Key Vault is used only to encrypt the root master key for encrypted extracts.
The key hierarchy when configuring Tableau Server with Azure Key Vault
Configure Azure Key Vault for encrypted extracts from Tableau Server
To use Azure Key Vault to encrypt the root key in the Tableau Server KMS hierarchy, you must configure Tableau Server as described in this section.
Before you begin, make sure you meet the following requirements:
- Tableau Server must be deployed in Azure.
- Tableau Server must be configured with a Server Management Add-on license. See About Tableau Server Management Add-on.
- You must have administrative control of the key vault in Azure where the key is located.
Step 1: Create a Key Vault and Key for Tableau Server on Azure
The following operations are performed in the Azure Key Vault service. The related references are in the Azure documentation.
- Create the key vault that you want to use for Tableau Server. See the Azure topic Create a Key Vault.
- Create a key in the vault. For more information, see the Azure topic Managing Keys and Secrets.
The key must be an asymmetric RSA key, but it can be any size (Tableau Server doesn't care about key size). We recommend that you adhere to the Principle of Least Privilege (PoLP) to ensure maximum security. Tableau Server issues the GET, UNWRAP KEY, and WRAP KEY commands, and we recommend allowing only these operations so that the access policy grants the least amount of privilege. Assign the access policy to the VM running Tableau Server.
In a multi-node deployment of Tableau Server, the access policy must be assigned to all nodes of the server cluster.
Step 2: Collect Azure configuration parameters
You need the key vault name and the key name from Azure.
Step 3: Configure Tableau Server for Azure Key Vault
Run the following command on Tableau Server. This command will restart the server:
The options and copy a direct string from your Azure key vault.
For example, if your Azure Key Vault is named and your key is, the command is as follows:
Step 4: Enable encryption at rest
See Extract Encryption at Rest.
Step 5: Validate the installation
Run the following command:
The following information can be returned:
- Status: OK (indicates that the key vault is accessible by the controller node)
- Mode: Azure Key Vault
- Vault name:
- Azure Key Vault key name:
- List of available UUIDs for MEKs indicating which key is active
- Error information if the KMS data cannot be accessed
View logs after encrypting and decrypting extracts:
Publish extracts to your site and then encrypt them. See Extract Encryption at Rest.
Access the extracts using Tableau Desktop or web authoring in a browser (this will decrypt the extracts for use).
Search the vizqlserver_node log file for and strings. The default position of the logs is on
For publishing and extract refreshes related to Azure Key Vault, check the backgrounder logs. For more information on log files, see Locations of Tableau Server Logs and Log Files.
In a multi-node setup for Azure Key Vault, the command can report a healthy (OK) status even if another node in the cluster is configured incorrectly. The KMS health check reports only on the node where the Tableau Server Administration Controller process is running. It does not report on the other nodes in the cluster. By default, the Tableau Server Administration Controller process runs on the initial node in the cluster.
Therefore, if another node is configured incorrectly so that Tableau Server cannot access the Azure key from it, that node can report failure conditions for various services that cannot start.
If some services fail to start after setting KMS to Azure mode, run the following command to return to local mode:
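Because the health check covers only the controller node, the access policy from Step 1 (GET, WRAP KEY and UNWRAP KEY, assigned to every node) can be checked directly against the vault. The following is an added example, not part of the Tableau documentation: it audits a vault's access policies for each node's VM identity. The node names, object IDs and JSON sample are constructed, and the JSON shape is assumed to match what Azure returns for a vault that uses access policies.

```python
import json

# Key operations the page says Tableau Server needs on the vault key.
REQUIRED = {"get", "wrapkey", "unwrapkey"}

# Constructed sample: the accessPolicies portion of a Key Vault resource
# (assumed shape). All object IDs are placeholders, not real identities.
SAMPLE_VAULT = json.loads("""
{"properties": {"accessPolicies": [
  {"objectId": "node1-identity", "permissions": {"keys": ["Get", "WrapKey", "UnwrapKey"]}},
  {"objectId": "node2-identity", "permissions": {"keys": ["Get", "WrapKey", "UnwrapKey", "Delete", "Purge"], "secrets": ["Get", "List"]}},
  {"objectId": "node3-identity", "permissions": {"keys": ["Get", "WrapKey"]}}
]}}
""")

# Hypothetical mapping of Tableau Server nodes to their VM identity object IDs.
SAMPLE_NODES = {"node1": "node1-identity", "node2": "node2-identity",
                "node3": "node3-identity", "node4": "node4-identity"}


def audit_access_policies(vault, nodes):
    """Return {node: [findings]}; an empty list means the node's policy is exact."""
    policies = {p["objectId"]: p.get("permissions", {})
                for p in vault["properties"]["accessPolicies"]}
    report = {}
    for node, object_id in nodes.items():
        findings = []
        perms = policies.get(object_id)
        if perms is None:
            report[node] = ["no access policy: node cannot reach the key"]
            continue
        keys = {k.lower() for k in perms.get("keys") or []}
        if REQUIRED - keys:
            findings.append("missing key permissions: " + ", ".join(sorted(REQUIRED - keys)))
        if keys - REQUIRED:
            findings.append("excess key permissions: " + ", ".join(sorted(keys - REQUIRED)))
        for scope in ("secrets", "certificates", "storage"):
            if perms.get(scope):
                findings.append(f"unneeded {scope} permissions: "
                                + ", ".join(sorted(s.lower() for s in perms[scope])))
        report[node] = findings
    return report


if __name__ == "__main__":
    for node, findings in audit_access_policies(SAMPLE_VAULT, SAMPLE_NODES).items():
        print(node, "OK" if not findings else "; ".join(findings))
```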
Update Azure Keys
You can update the Azure key in Azure. There is no required or scheduled key update period. You can update your key by creating a new key version in Azure. Because the vault name and key name do not change, you do not need to update the KMS configuration on Tableau Server for normal Azure key update scenarios.
Backup and restore with Azure Key Vault
A server backup can be performed in Azure Key Vault mode without additional configuration or procedures. The backup contains encrypted copies of the RMK and MEK. Decryption of the keys requires access and control through Azure Key Vault.
For the recovery scenario, the server to be recovered can be in either Azure Key Vault or Local KMS mode. The only requirement is that the server that the backup is being restored to has access to the Azure Key Vault that the backup itself used.