Customer-Managed Encryption Keys
Customer-Managed Encryption Keys give you an extra level of security by letting you encrypt your site's data extracts with a site-specific key that you control. By default, the Salesforce Key Management System (KMS) instance stores the site-specific encryption key for every site that enables encryption.
To use an external key management system instead of Salesforce's, see Use an External KMS for Extract Encryption Keys.
Encryption process
The encryption process follows a key hierarchy (envelope encryption): each extract is encrypted with its own data key, and the data key is in turn encrypted with the site's customer master key (CMK). When Tableau Cloud needs to encrypt an extract, it first checks its key caches for a suitable data key. If none is found, it requests one through the KMS GenerateDataKey API, using the permission granted by the key policy associated with the CMK. KMS uses the CMK to generate a data key and returns both a plaintext copy and an encrypted copy to Tableau Cloud. Tableau Cloud encrypts the extract with the plaintext data key, discards it, and stores the encrypted copy of the data key alongside the encrypted extract. To read the extract later, the stored encrypted data key has to be sent back to KMS to be decrypted under the CMK, which is why the CMK must remain available for as long as the extract is needed.
Enable encryption
After you enable encryption, Tableau Cloud creates a job to encrypt every existing extract on your site. These jobs run at the lowest priority, so any previously scheduled extract job runs before them. When resources are free, the encryption jobs encrypt all existing extracts in place; the extracts don't need to be refreshed.
To enable encryption, complete the following steps.
- Log in to your Tableau Cloud site.
- Select Settings in the left navigation pane.
- Select the Security tab.
- Under the Extract Encryption section, select Encrypt Extracts.
- Select Use the Salesforce KMS.
- Read the warning about enabling encryption and then select Enable Encryption.
Note: To turn off extract encryption, contact your account manager.
Generate and rotate a key
You can rotate a key on your company's schedule for extra security. Rotating a key generates a new key that is used for extracts from then on; an extract is re-encrypted under the new key the next time it is refreshed.
Note: If an extract has a long refresh interval or is never refreshed, it stays encrypted under the previously active key rather than the new one. Rotation therefore does not retire the old key immediately, so plan refreshes if you need every extract moved to the new key.
To rotate a key, complete the following steps.
- Select the Security tab.
- Under Extract Encryption, select Generate Key.
Disable encryption
You can turn off encryption by contacting your account manager. If your Advanced Management license is inactive, your extracts remain decrypted until the license is reactivated.
Delete a key (non-recoverable data extracts)
Warning: If you delete a key, there isn't a way to regain access to the data extracts.
Delete the key only in response to a severe security incident (for example, when you have reason to believe the key has been compromised). You can't access your data extracts after you've deleted the key, and any data extracts tied to the deleted key are permanently unavailable.
Note: If you want to disable encryption and keep your key, see Disable Encryption.
To delete a key, complete the following steps.
- Select the Security tab.
- Under Extract Encryption, in Actions, select Delete Key...
- In the text field, enter Delete Key.
Warning: You can’t access your data extracts after you’ve deleted the key. Delete the key only if there’s a dire security incident.
- Select Delete Key or Cancel.
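The key hierarchy described under Encryption process, the rotation behaviour in Generate and rotate a key, and the consequence of Delete Key, shown together in one added example. This is illustrative code written for this page, not Tableau or Salesforce code: a mock KMS that keeps every version of the site's CMK wraps a per-extract data key with AES-256-GCM, rotation makes a new version active without discarding old ones, and deletion drops every version. The mock KMS, the version numbering and the struct layouts are assumptions for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sealed is an AES-256-GCM ciphertext plus its nonce (used for both extracts and wrapped keys).
type sealed struct{ nonce, ct []byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, plaintext []byte) sealed {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return sealed{nonce, g.Seal(nil, nonce, plaintext, nil)}
}

func open(key []byte, s sealed) ([]byte, error) { return gcm(key).Open(nil, s.nonce, s.ct, nil) }

// kms stands in for the Salesforce KMS (an assumed model, not the real API). Every CMK
// version is retained, so a data key wrapped under version 1 still unwraps after
// rotation to version 2; DeleteKey drops every version at once.
type kms struct {
	versions map[int][]byte // CMK version -> 32-byte key material
	active   int            // version used to wrap new data keys
}

func newKMS() *kms { k := &kms{versions: map[int][]byte{}}; k.Rotate(); return k }
// Rotate is the Generate Key action: a new version becomes active, older ones stay usable.
func (k *kms) Rotate() { k.active++; k.versions[k.active] = randBytes(32) }
// DeleteKey is the non-recoverable Delete Key action.
func (k *kms) DeleteKey() { k.versions = map[int][]byte{} }

// wrappedKey is the encrypted copy of a data key, tagged with the CMK version that wrapped it.
type wrappedKey struct {
	cmkVersion int
	sealed
}

// GenerateDataKey returns a fresh data key in plaintext plus the same key wrapped
// under the active CMK, mirroring the call named in the encryption process.
func (k *kms) GenerateDataKey() ([]byte, wrappedKey, error) {
	cmk, ok := k.versions[k.active]
	if !ok {
		return nil, wrappedKey{}, fmt.Errorf("kms: no active CMK")
	}
	dk := randBytes(32)
	return dk, wrappedKey{k.active, seal(cmk, dk)}, nil
}

// Decrypt unwraps a data key; it fails once the wrapping CMK version is gone.
func (k *kms) Decrypt(w wrappedKey) ([]byte, error) {
	cmk, ok := k.versions[w.cmkVersion]
	if !ok {
		return nil, fmt.Errorf("kms: CMK version %d no longer exists", w.cmkVersion)
	}
	return open(cmk, w.sealed)
}

// encryptExtract is the Tableau Cloud side: use the plaintext data key once, then keep
// only the wrapped copy next to the encrypted extract.
func encryptExtract(k *kms, extract []byte) (wrappedKey, sealed, error) {
	dk, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return wrappedKey{}, sealed{}, err
	}
	return wrapped, seal(dk, extract), nil
}

func decryptExtract(k *kms, w wrappedKey, body sealed) ([]byte, error) {
	dk, err := k.Decrypt(w)
	if err != nil {
		return nil, err
	}
	return open(dk, body)
}

func main() {
	k := newKMS()
	wk, body, _ := encryptExtract(k, []byte("constructed sample extract rows")) // wrapped under CMK v1
	k.Rotate()                                                                  // Generate Key: v2 is now active
	_, err := decryptExtract(k, wk, body)
	fmt.Println("v1 extract still readable after rotate:", err == nil) // true
	k.DeleteKey()
	_, err = decryptExtract(k, wk, body)
	fmt.Println("extract readable after Delete Key:", err == nil) // false
}
```

Running it prints true after the rotation (the extract wrapped under version 1 still decrypts, which is what the note about unrefreshed extracts relies on) and false after Delete Key. The two things to take from it: rotation is only safe because old CMK versions are retained until every extract has been refreshed under the new one, and deletion is irreversible because the wrapped data keys stored beside the extracts can no longer be unwrapped by anything.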
Audit logs
You can download audit logs to review the operations performed on your keys, including creation, rotation, deletion, decryption, and downloading of the logs themselves. Each audit log entry includes the following fields.
- Date and Time
- Event Type
- Success or Failure
- Authenticated Identity of calling service
- User
- Key name
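As an added example (not Tableau's own tooling), a small Go program that parses downloaded audit log records carrying the fields listed above and flags the events a key custodian should review: every deletion, every failed operation, and rotations or log downloads by a user who is not an expected operator. The CSV column order, the event-type strings and the sample lines are constructed assumptions for this example, not the real export format; adjust them to match what you actually download.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// auditEvent carries the fields the page lists for an audit log entry. The column
// order is an assumption for this example; the real export format is not documented here.
type auditEvent struct {
	Timestamp, EventType, Result, CallingService, User, KeyName string
}

// sampleLog is constructed sample data, not a real export.
const sampleLog = `2024-05-01T02:10:11Z,decryption,Success,tableau-cloud-extract-service,,site-key-1
2024-05-01T02:11:04Z,rotation,Success,tableau-cloud-admin,alice@example.com,site-key-1
2024-05-01T03:00:00Z,decryption,Failure,tableau-cloud-extract-service,,site-key-1
2024-05-01T03:05:30Z,download_logs,Success,tableau-cloud-admin,bob@example.com,site-key-1
2024-05-01T03:06:45Z,deletion,Success,tableau-cloud-admin,mallory@example.com,site-key-1`

func parseAuditLog(raw string) ([]auditEvent, error) {
	r := csv.NewReader(strings.NewReader(raw))
	r.FieldsPerRecord = 6 // reject malformed rows instead of silently mis-mapping fields
	records, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	events := make([]auditEvent, 0, len(records))
	for _, f := range records {
		events = append(events, auditEvent{f[0], f[1], f[2], f[3], f[4], f[5]})
	}
	return events, nil
}

// triage returns one alert per event worth a custodian's attention, in log order:
// every deletion (the extracts are unrecoverable), every failed operation (a failed
// decryption can mean a missing or revoked key), and rotations or log downloads by
// a user outside the expected operator list.
func triage(events []auditEvent, expectedOperators map[string]bool) []string {
	var alerts []string
	for _, e := range events {
		switch {
		case e.EventType == "deletion":
			alerts = append(alerts, fmt.Sprintf("CRITICAL %s key %s deleted by %s via %s",
				e.Timestamp, e.KeyName, e.User, e.CallingService))
		case e.Result != "Success":
			alerts = append(alerts, fmt.Sprintf("WARN %s %s on key %s failed (service %s, user %q)",
				e.Timestamp, e.EventType, e.KeyName, e.CallingService, e.User))
		case (e.EventType == "rotation" || e.EventType == "download_logs") && !expectedOperators[e.User]:
			alerts = append(alerts, fmt.Sprintf("NOTICE %s %s on key %s by unexpected user %s",
				e.Timestamp, e.EventType, e.KeyName, e.User))
		}
	}
	return alerts
}

func main() {
	events, err := parseAuditLog(sampleLog)
	if err != nil {
		panic(err)
	}
	// alice is the only expected operator in this constructed scenario.
	for _, a := range triage(events, map[string]bool{"alice@example.com": true}) {
		fmt.Println(a)
	}
}
```

With the sample data this prints three lines: the failed decryption, the log download by bob, and the deletion by mallory; the routine decryption by the extract service and alice's scheduled rotation stay quiet. Deletion is always reported regardless of who did it, because the page is explicit that it cannot be undone.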
Frequently asked questions (FAQ)
Question:
What happens if I don’t renew my Advanced Management license?
Answer:
If you don’t renew the Advanced Management license, the Customer-Managed Encryption Keys feature automatically changes to a disabled state.
Question:
What happens to my key data if I stop being a Tableau Cloud customer?
Answer:
Per the Tableau Cloud data policy, there’s a 90-day wait period before your key data gets deleted.
Question:
What happens if I move to a different Tableau Cloud region?
Answer:
Your key material lives in the Salesforce KMS instance in the same region as your Tableau Cloud pod, and it doesn't move with the site. Before moving to another region, turn off the feature and then refresh your extracts so that none of them is still encrypted under the region-bound key.
