Customer-Managed Encryption Keys

Customer-Managed Encryption Keys gives you an extra level of security by allowing you to encrypt your site's data extracts with a customer-managed, site-specific key. The Salesforce Key Management System (KMS) instance stores the default site-specific encryption key for anyone who enables encryption on a site.

Encryption process

The encryption process follows a key hierarchy. First, Tableau Cloud starts encrypting an extract. Next, the Tableau Cloud KMS checks its key caches for a suitable data key. If none is found, one is generated through the KMS GenerateDataKey API, using the permission granted by the key policy that's associated with the key. AWS KMS uses the CMK to generate a data key and returns a plaintext copy and an encrypted copy to Tableau Cloud. Tableau Cloud uses the plaintext copy of the data key to encrypt the data, and stores the encrypted copy of the data key alongside the encrypted data.
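The following Go program is an added example, not Tableau or Salesforce code, that shows the envelope-encryption pattern described above in runnable form: a local stand-in for the KMS master key (an assumption of this example; the real CMK never leaves KMS) generates a data key, hands back a plaintext copy and a wrapped copy, the extract is encrypted with the plaintext data key using AES-256-GCM, and the wrapped data key is stored next to the ciphertext. It also shows why the key-deletion warning later on this page holds: once the master key is gone, the wrapped data key can no longer be unwrapped, so the extract is unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-256-GCM AEAD; every key here is 32 random bytes, so the constructors cannot fail.
func mustGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// MasterKey is a local stand-in (an assumption of this example) for the site-specific CMK held inside KMS.
type MasterKey struct{ secret []byte }

// NewMasterKey creates a random 256-bit master key.
func NewMasterKey() *MasterKey { return &MasterKey{secret: mustRandom(32)} }

// Delete destroys the master key material, as a key deletion in KMS would.
func (m *MasterKey) Delete() { m.secret = nil }

// GenerateDataKey mirrors the KMS GenerateDataKey call: a fresh plaintext data key plus the same key wrapped under the master key.
func (m *MasterKey) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	if m.secret == nil {
		return nil, nil, errors.New("master key has been deleted")
	}
	plaintext = mustRandom(32)
	return plaintext, seal(m.secret, plaintext), nil
}

// UnwrapDataKey recovers a data key from its wrapped copy. Without the master key this
// cannot succeed, which is why deleting the key makes every extract under it unrecoverable.
func (m *MasterKey) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	if m.secret == nil {
		return nil, errors.New("master key has been deleted")
	}
	return open(m.secret, wrapped)
}

// EncryptedExtract is what gets stored: the ciphertext next to the wrapped data key.
type EncryptedExtract struct{ WrappedKey, Ciphertext []byte }

// EncryptExtract runs the envelope-encryption steps described in the text.
func EncryptExtract(kms *MasterKey, extract []byte) (*EncryptedExtract, error) {
	dataKey, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	return &EncryptedExtract{WrappedKey: wrapped, Ciphertext: seal(dataKey, extract)}, nil
}

// DecryptExtract asks the "KMS" to unwrap the stored data key, then decrypts the extract.
func DecryptExtract(kms *MasterKey, e *EncryptedExtract) ([]byte, error) {
	dataKey, err := kms.UnwrapDataKey(e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}

func main() {
	kms := NewMasterKey()
	enc, _ := EncryptExtract(kms, []byte("region,sales\nEMEA,100\n")) // constructed extract
	pt, err := DecryptExtract(kms, enc)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
	kms.Delete() // the irreversible "Delete Key" action
	_, err = DecryptExtract(kms, enc)
	fmt.Println("after key deletion:", err)
}
```

The data key is used once per extract and is itself only ever stored in wrapped form, so a copy of the stored extract plus its wrapped key is useless without access to the master key; that is the property the key hierarchy in the text relies on, and the reason key deletion cannot be undone.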

Enable encryption

After you enable encryption, Tableau Cloud creates a job to encrypt every extract on your site. These jobs run at the lowest priority: any previously scheduled extract job runs before the encryption jobs. When spare resources are available, the jobs encrypt all extracts without the extracts needing to be refreshed.

To enable encryption, complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, select the tick box next to Enable encryption of extract refreshes.
  3. Read the confirmation message and select OK to continue.
  4. Select Save. A confirmation message or an error message appears.

Note: To turn off extract encryption, contact your account manager.

Generate and rotate a key

You can rotate a key on your company’s schedule for extra security. Rotating a key creates a key based on the original key.

Note: If an extract has a long refresh interval or isn’t refreshed at all, it stays encrypted with the last active key rather than the new key.

To rotate a key, complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, in Actions, select Generate and Rotate Key.
  3. Select Generate and Rotate Key or Cancel. A confirmation message appears.

Disable encryption

You can turn off encryption by contacting your account manager. If your Advanced Management licence is inactive, your extracts remain decrypted until the licence is reactivated.

Delete a key (non-recoverable data extracts)

Warning: If you delete a key, there isn't a way to regain access to the data extracts.

Delete the key only if there’s a dire security incident. You can’t access your data extracts after you’ve deleted the key. Any data extracts tied to the deleted key are permanently unavailable.

Note: If you want to disable the encryption and keep your key, see Disable Encryption.

To delete a key, complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, in Actions, select Delete.
  3. In the text field, enter Delete Key.

Warning: You can’t access your data extracts after you’ve deleted the key. Delete the key only if there’s a dire security incident.

  4. Choose Delete Encryption Key or Cancel. A confirmation or error message appears.

Audit logs

You can download audit logs to review operations performed on your keys, including creation, rotation, deletion, decryption and downloading logs. The audit log also includes the following information.

  • Date and Time
  • Event Type
  • Success or Failure
  • Authenticated Identity of calling service
  • User
  • Key name
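As an added example that is not part of this page or of Tableau's tooling, the Go program below reviews a downloaded audit log for the events a key custodian most wants to notice: a successful key deletion (irreversible), any failed key operation, and any operation made by a calling identity other than the expected service. The comma-separated line layout, the event-type names, the service identity `tableau-cloud-kms` and the sample lines are all constructed assumptions of this example; the real export format is not described on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditEvent holds the fields the page lists for a key audit-log entry.
type AuditEvent struct {
	Timestamp, EventType, Outcome, CallingService, User, KeyName string
}

// ParseAuditLine parses one comma-separated line with the six fields in the order of the
// AuditEvent struct. This line format is an assumption of the example, not the real export.
func ParseAuditLine(line string) (AuditEvent, error) {
	f := strings.Split(line, ",")
	if len(f) != 6 {
		return AuditEvent{}, fmt.Errorf("expected 6 fields, got %d: %q", len(f), line)
	}
	for i := range f {
		f[i] = strings.TrimSpace(f[i])
	}
	return AuditEvent{f[0], f[1], f[2], f[3], f[4], f[5]}, nil
}

// Finding is one item a key custodian should review.
type Finding struct {
	Severity string
	Reason   string
	Event    AuditEvent
}

// ReviewAuditLog flags successful key deletions, any failed operation, and operations made
// by a calling identity other than expectedService. One event may raise several findings.
func ReviewAuditLog(lines []string, expectedService string) ([]Finding, error) {
	var findings []Finding
	for _, line := range lines {
		if strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#") {
			continue // blank line or comment
		}
		ev, err := ParseAuditLine(line)
		if err != nil {
			return nil, err
		}
		ok := strings.EqualFold(ev.Outcome, "Success")
		if strings.EqualFold(ev.EventType, "Delete") && ok {
			findings = append(findings, Finding{"critical",
				"key deleted: extracts encrypted under it are now unrecoverable", ev})
		}
		if !ok {
			findings = append(findings, Finding{"high", "failed key operation", ev})
		}
		if ev.CallingService != expectedService {
			findings = append(findings, Finding{"medium", "unexpected calling identity", ev})
		}
	}
	return findings, nil
}

// sampleLog is a constructed log in the assumed format:
// timestamp, event type, outcome, calling service, user, key name.
var sampleLog = []string{
	"# constructed sample, not a real export",
	"2024-05-01T08:00:00Z, Create, Success, tableau-cloud-kms, alice@example.com, site-key-1",
	"2024-05-03T09:15:00Z, Rotate, Success, tableau-cloud-kms, alice@example.com, site-key-1",
	"2024-05-03T09:16:00Z, Decrypt, Failure, tableau-cloud-kms, extract-refresh, site-key-1",
	"2024-05-04T22:41:00Z, DownloadLogs, Success, unknown-service, bob@example.com, site-key-1",
	"2024-05-05T01:02:00Z, Delete, Success, tableau-cloud-kms, bob@example.com, site-key-1",
}

func main() {
	findings, err := ReviewAuditLog(sampleLog, "tableau-cloud-kms")
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s at %s by %s (%s on %s)\n", f.Severity, f.Reason,
			f.Event.Timestamp, f.Event.User, f.Event.EventType, f.Event.KeyName)
	}
}
```

Run against the constructed sample, the review yields three findings: the failed decryption, the log download from an unexpected identity, and the key deletion. Because the real export format is not given here, adapt ParseAuditLine to the columns of the file you actually download before using this on your own logs.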

Frequently asked questions (FAQ)

Question: What happens if I don’t renew my Advanced Management licence?

Answer: If you don’t renew the Advanced Management licence, the Customer-Managed Encryption Keys feature automatically changes to a disabled state.

Question: What happens to my key data if I stop being a Tableau Cloud customer?

Answer: As per the Tableau Cloud data policy, there’s a 90-day waiting period before your key data is deleted.

Question: What happens if I move to a different Tableau Cloud region?

Answer: The key data is held in the Salesforce KMS instance in the same region as your Tableau Cloud pod. If you want to move to another region, you must turn off the feature and run your extracts first.
