Azure Key Vault

Tableau Server has three key management options that you can use to enable encryption at rest. Two of these require the Server Management add-on, while a local option is available on all installations of Tableau Server.

Starting with version 2019.3, Tableau Server has the following key management options:

Starting with version 2021.1, Tableau Server has an additional key management option:

  • An Azure-based KMS that is used as part of the Server Management add-on. This is described below.

Azure Key Vault for encryption at rest

Azure Key Vault is available as part of the Server Management add-on for Tableau Server starting with version 2021.1.0. For more information, see About Tableau Server Management Add-on.

If your organization uses data extract encryption at rest, you can optionally configure Tableau Server to use Azure Key Vault as the KMS for extract encryption. To use Azure Key Vault, Tableau Server must be deployed on Azure. In this scenario, Tableau Server uses Azure Key Vault to encrypt the Root Master Key (RMK) for all encrypted extracts. Even when configured for Azure Key Vault, the Tableau Server native Java keystore and local KMS are still used to securely store secrets on the Tableau Server; Azure Key Vault is used only to encrypt the root master key for encrypted extracts.

The key hierarchy when configuring Tableau Server with Azure Key Vault

Configure Azure Key Vault for encrypted extracts from Tableau Server

To use Azure Key Vault to encrypt the root key in the Tableau Server KMS hierarchy, you must configure Tableau Server as described in this section.

Before you begin, make sure you meet the following requirements:

  • Tableau Server must be deployed in Azure.
  • Tableau Server must be licensed with the Server Management add-on. See About Tableau Server Management Add-on.
  • You must have administrative control of the key vault in Azure where the key is located.

Step 1: Create a Key Vault and Key for Tableau Server on Azure

The following operations are performed in the Azure Key Vault service. See the Azure documentation for reference.

  1. Create the key vault that you want to use for Tableau Server. See the Azure topic Create a Key Vault (link opens in a new window).
  2. Create a key in the vault. For more information, see the Azure topic, Managing Keys and Secrets (link opens in a new window).

    The key must be an asymmetric RSA key; any key size is accepted (Tableau Server does not restrict key size). Follow the principle of least privilege (PoLP) when granting access: Tableau Server needs only the Get, Wrap Key, and Unwrap Key key permissions, so grant only those. Assign the access policy to the VM running Tableau Server.

    In a multi-node deployment of Tableau Server, the access policy must be assigned to all nodes of the server cluster.

Step 2: Collect Azure configuration parameters

You need the key vault name and the key name from Azure.

Step 3: Configure Tableau Server for Azure Key Vault

Run the following command on Tableau Server. This command will restart the server:

  • Copy the option values exactly as they appear in your Azure key vault.

    For example, if your Azure Key Vault is named and your key is, the command is as follows:

Step 4: Enable encryption at rest

See Extract Encryption at Rest.

Step 5: Validate the installation

  1. Run the following command:

    The following information can be returned:

    • Status: OK (indicates that the key vault is accessible from the controller node)
    • Mode: Azure Key Vault
    • Vault name:
    • Azure Key Vault key name:
    • List of available UUIDs for MEKs indicating which key is active
    • Error information if the KMS data cannot be accessed
  2. View logs after encrypting and decrypting extracts:

    • Publish extracts to your site and then encrypt them. See Extract Encryption at Rest.

    • Access the extracts using Tableau Desktop or web authoring in a browser (this decrypts the extracts for use).

    • Search the vizqlserver_node log file for the and strings. The default location of the logs is

      Check the backgrounder logs for publishing and extract refresh activity related to Azure Key Vault. For more information on log files, see Locations of Tableau Server Logs and Log Files.

Configuration troubleshooting

Multi-node misconfiguration

In a multi-node setup for Azure Key Vault, the command can report a healthy (OK) status even if another node in the cluster is configured incorrectly. The KMS health check reports only on the node where the Tableau Server Administration Controller process is running; it does not report on the other nodes in the cluster. By default, the Tableau Server Administration Controller process runs on the initial node of the cluster.

So if another node is configured incorrectly and cannot access the Azure key, that node can report failure states for the various services that cannot start.

If some services fail to start after setting KMS to Azure mode, run the following command to return to local mode:
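Because the KMS health check above reports only on the controller node, a practitioner will want to confirm the Step 1 access policy on every node VM before switching modes. The following audit script is an added example, not Tableau's own tooling; it assumes the Azure CLI is installed and logged in, that each cluster node is an Azure VM with a system-assigned managed identity, and that the vault uses access policies rather than Azure RBAC.

```python
"""Audit which Tableau Server node VMs can use the Key Vault key.
Added example (not Tableau tooling); assumes the Azure CLI is installed and
logged in, each node is an Azure VM with a system-assigned managed identity,
and the vault uses access policies rather than Azure RBAC."""
import json
import subprocess
import sys

# Least-privilege key permissions Tableau Server needs (from the steps above).
REQUIRED = frozenset({"get", "wrapkey", "unwrapkey"})

def az(*args):
    """Run an Azure CLI command and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def key_permissions_for(vault, principal_id):
    """Lower-cased key permissions the vault's access policies grant principal_id."""
    perms = set()
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if policy.get("objectId") == principal_id:
            keys = policy.get("permissions", {}).get("keys") or []
            perms.update(p.lower() for p in keys)
    return perms

def audit_permissions(granted):
    """Report permissions missing from, or exceeding, the required set."""
    granted = {p.lower() for p in granted}
    if "all" in granted:  # blanket grant: nothing missing, but over-privileged
        return {"missing": [], "excess": ["all"]}
    return {"missing": sorted(REQUIRED - granted),
            "excess": sorted(granted - REQUIRED)}

def main(vault_name, resource_group, vm_names):
    """Check every node; return True only if all nodes hold the required permissions."""
    vault = az("keyvault", "show", "-n", vault_name)
    all_ok = True
    for vm in vm_names:
        ident = az("vm", "identity", "show", "-g", resource_group, "-n", vm) or {}
        pid = ident.get("principalId")  # None when the VM has no managed identity
        granted = key_permissions_for(vault, pid) if pid else set()
        result = audit_permissions(granted)
        all_ok = all_ok and not result["missing"]
        print(f"{vm}: identity={pid} missing={result['missing']} excess={result['excess']}")
    return all_ok

if __name__ == "__main__":
    # usage: python audit_kv_policy.py <vault-name> <resource-group> <vm-name>...
    sys.exit(0 if main(sys.argv[1], sys.argv[2], sys.argv[3:]) else 1)
```

A non-zero exit means at least one node lacks Get, Wrap Key or Unwrap Key and would fail to start services in Azure mode; the excess list flags nodes granted more than the page requires.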

Update Azure Keys

You can update the Azure key in Azure. There is no required or scheduled key update period. You can update your key by creating a new key version in Azure. Because the vault name and key name do not change, you do not need to update the KMS configuration on Tableau Server for normal Azure key update scenarios.

Backup and restore with Azure Key Vault

A server backup can be performed in Azure Key Vault mode without additional configuration or procedures. The backup contains encrypted copies of the RMK and MEK. Decryption of the keys requires access and control through Azure Key Vault.

For the recovery scenario, the server to be recovered can be in either Azure Key Vault or Local KMS mode. The only requirement is that the server that the backup is being restored to has access to the Azure Key Vault that the backup itself used.