Customer-Managed Encryption Keys adds a level of security by letting you encrypt your site's data extracts with a customer-managed, site-specific key. When you enable encryption on a site, the Salesforce Key Management System (KMS) instance stores the default site-specific encryption key for that site.

Encryption Process

The encryption process follows a key hierarchy. When Tableau Online needs to encrypt an extract, it first checks its key caches for a suitable data key. If none is found, it requests one through the KMS GenerateDataKey API, using the permission granted by the key policy associated with the site key (the CMK). AWS KMS uses the CMK to generate a data key and returns two copies to Tableau Online: one in plaintext and one encrypted under the CMK. Tableau Online uses the plaintext copy to encrypt the extract and stores the encrypted copy of the data key along with the encrypted data; the plaintext copy is not stored. The CMK itself never leaves KMS, so reading the extract later requires KMS to decrypt the stored data key first, which is why decryption operations appear in the key audit log.

Enable Encryption

After you enable encryption, Tableau Online queues a job to encrypt every existing extract on your site. These jobs run at the lowest priority: any extract job that was already scheduled runs first, and the encryption jobs run when capacity is free. Existing extracts are encrypted in place by these jobs; they don't need to be refreshed.

To enable encryption complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, select the checkbox next to Enable encryption of extract refreshes.
  3. Read the confirmation message and select OK to continue.
  4. Select Save. A confirmation message or an error message appears.

Note: To turn off extract encryption, contact your account manager.

Create a Key

Creating a key replaces and archives the current key. The new key is used to encrypt all future data extracts on your site. You can view the details of the previous key by downloading the log.

Note: Your key is tied to your Tableau Online region.

To create a key complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, in Actions, select Create A Key.
  3. Select Create A Key or Cancel. A confirmation message appears.

Generate and Rotate a Key

You can rotate a key on your company's schedule for extra security. Rotating a key creates new key material based on the original key and makes it the active key for new encryption; extracts already encrypted under the previous key material aren't re-encrypted until they're refreshed.

Note: If an extract has a long refresh interval or isn't refreshed at all, it stays encrypted with the key that was active when it was last encrypted rather than with the new key. Refresh the extract to move it to the new key.

To rotate a key complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, in Actions, select Generate and Rotate Key.
  3. Select Generate and Rotate Key or Cancel. A confirmation message appears.

Disable Encryption

You can turn off encryption by contacting your account manager. If your Advanced Management license is inactive, your extracts remain decrypted until the license is reactivated.

Delete a Key (Non-Recoverable Data Extracts)

Warning: If you delete a key, there isn't a way to regain access to the data extracts.

Delete the key only if there’s a dire security incident. You can’t access your data extracts after you have deleted the key. Any data extracts tied to the deleted key are permanently unavailable.

Note: If you want to disable the encryption and keep your key see Disable Encryption.

To delete a key complete the following steps.
  1. Select the General tab.
  2. Under Extract Encryption, in Actions, select Delete.
  3. In the text field, enter Delete Key.

Warning: You can't access your data extracts after you have deleted the key. Delete the key only if there's a dire security incident.

  4. Choose Delete Encryption Key or Cancel. A confirmation or error message appears.
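The key hierarchy described under Encryption Process, the archiving that Create a Key and key rotation rely on, and the irreversibility of Delete a Key, shown together in one added Go example. This is not code from the page or from Tableau Online: it assumes a toy in-memory KMS (SiteKMS) that stands in for the Salesforce/AWS KMS instance, AES-256-GCM for both wrapping the data key and encrypting the extract, and the names CreateKey, DeleteKey, GenerateDataKey, EncryptExtract and DecryptExtract. The GenerateDataKey method imitates the shape of the KMS API the page names, not its real signature.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SiteKMS stands in for the KMS holding the site keys (the CMK); it never releases one, it only wraps/unwraps data keys.
type SiteKMS struct {
	keys   map[string][]byte // key ID -> 256-bit key material
	active string            // key that wraps new data keys
	gen    int
}

// CreateKey makes a fresh key active; the old key is archived, not destroyed.
func (k *SiteKMS) CreateKey() string {
	k.gen++
	id := fmt.Sprintf("site-key-%d", k.gen)
	k.keys[id] = randomBytes(32)
	k.active = id
	return id
}

// DeleteKey destroys key material; every extract wrapped under it is lost.
func (k *SiteKMS) DeleteKey(id string) { delete(k.keys, id) }

// GenerateDataKey mirrors the KMS API: plaintext data key, wrapped copy, key ID.
func (k *SiteKMS) GenerateDataKey() (plain, wrapped []byte, keyID string) {
	plain = randomBytes(32)
	return plain, seal(k.keys[k.active], plain), k.active
}

// EncryptedExtract is what gets stored; the plaintext data key never is.
type EncryptedExtract struct {
	KeyID      string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptExtract walks the hierarchy: site key wraps data key, data key encrypts extract.
func EncryptExtract(k *SiteKMS, extract []byte) EncryptedExtract {
	plain, wrapped, keyID := k.GenerateDataKey()
	return EncryptedExtract{KeyID: keyID, WrappedKey: wrapped, Ciphertext: seal(plain, extract)}
}

// DecryptExtract unwraps the data key first; after the site key is deleted that step fails for good.
func DecryptExtract(k *SiteKMS, e EncryptedExtract) ([]byte, error) {
	siteKey, ok := k.keys[e.KeyID]
	if !ok {
		return nil, fmt.Errorf("site key %s was deleted; data key is unrecoverable", e.KeyID)
	}
	dataKey, err := unseal(siteKey, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return unseal(dataKey, e.Ciphertext)
}

// seal and unseal are AES-256-GCM with the random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)  // keys here are always 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(block) // nor can this, for an AES block
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no security; fail loudly
	}
	return b
}

func main() {
	kms := &SiteKMS{keys: map[string][]byte{}}
	kms.CreateKey()
	stale := EncryptExtract(kms, []byte("region,sales\nEMEA,1200\n")) // constructed sample
	kms.CreateKey()            // "Create a Key": the stale extract keeps its old wrapping
	kms.DeleteKey(stale.KeyID) // "Delete a Key": that wrapping can never be undone
	fmt.Println(DecryptExtract(kms, stale))
}
```

The point to notice is that CreateKey never touches existing ciphertext: a stale extract still carries the ID of the key that wrapped its data key, which is why an unrefreshed extract stays on the old key after rotation, and why deleting that key makes the extract unrecoverable while a refreshed extract (wrapped under the new key) still opens.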

Audit Logs

You can download audit logs to review operations performed on your keys, including creation, rotation, deletion, decryption, and log downloads. Each audit log entry includes the following information.

  • Date and Time
  • Event Type
  • Success or Failure
  • Authenticated Identity of calling service
  • User
  • Key name
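As an added example (not code from the page or from Tableau), the kind of triage a detection engineer would run over the downloaded log: page on any key deletion, on privileged key operations by someone outside the approved key-admin set, and on a streak of failed operations against one key. The CSV layout, the event-type names (CreateKey, RotateKey, DeleteKey, Decrypt, DownloadLog), the calling-service name and the user addresses are constructed assumptions that follow the six fields listed above; the page does not give the real export format.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed sample export. The column layout and event names are assumptions
// that follow the fields listed above; the page doesn't give the real format.
const sampleLog = `timestamp,event_type,result,calling_service,user,key_name
2023-05-01T09:12:03Z,CreateKey,Success,tableau-online,alice@example.com,site-key-1
2023-05-01T09:12:10Z,Decrypt,Success,tableau-online,,site-key-1
2023-05-02T17:45:21Z,RotateKey,Success,tableau-online,bob@example.com,site-key-1
2023-05-03T02:14:55Z,Decrypt,Failure,tableau-online,,site-key-1
2023-05-03T02:15:02Z,Decrypt,Failure,tableau-online,,site-key-1
2023-05-03T02:15:09Z,Decrypt,Failure,tableau-online,,site-key-1
2023-05-03T02:16:40Z,DeleteKey,Success,tableau-online,mallory@example.com,site-key-1
2023-05-03T02:17:00Z,DownloadLog,Success,tableau-online,mallory@example.com,site-key-1
`

// Event is one audit-log row: the six fields the page lists.
type Event struct {
	Time, Type, Result, Service, User, Key string
}

type Alert struct {
	Severity string // "critical" or "high"
	Message  string
}

// parseAuditLog reads the CSV export, skipping the header row and rejecting
// rows that don't carry all six fields.
func parseAuditLog(raw string) ([]Event, error) {
	rows, err := csv.NewReader(strings.NewReader(raw)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("empty log")
	}
	var events []Event
	for i, r := range rows[1:] {
		if len(r) != 6 {
			return nil, fmt.Errorf("row %d: expected 6 fields, got %d", i+2, len(r))
		}
		events = append(events, Event{r[0], r[1], r[2], r[3], r[4], r[5]})
	}
	return events, nil
}

// privileged lists the operations that change which key protects the site.
var privileged = map[string]bool{"CreateKey": true, "RotateKey": true, "DeleteKey": true}

// Triage raises at most one alert per event: a key deletion is always critical
// (the extracts under it are gone); a privileged operation by a user outside
// the approved set, or a streak of failures on one key, is high.
func Triage(events []Event, approved map[string]bool, streak int) []Alert {
	var alerts []Alert
	failures := map[string]int{}
	for _, e := range events {
		switch {
		case e.Type == "DeleteKey":
			alerts = append(alerts, Alert{"critical", fmt.Sprintf("%s: %s deleted key %s; extracts under it are unrecoverable", e.Time, e.User, e.Key)})
		case privileged[e.Type] && !approved[e.User]:
			alerts = append(alerts, Alert{"high", fmt.Sprintf("%s: %s ran %s on key %s but is not an approved key admin", e.Time, e.User, e.Type, e.Key)})
		case e.Result != "Success":
			failures[e.Key]++
			if failures[e.Key] == streak {
				alerts = append(alerts, Alert{"high", fmt.Sprintf("%s: %d consecutive failed operations on key %s (last: %s by %s)", e.Time, streak, e.Key, e.Type, e.Service)})
			}
		default:
			failures[e.Key] = 0 // a success breaks the streak
		}
	}
	return alerts
}

func main() {
	events, err := parseAuditLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Triage(events, map[string]bool{"alice@example.com": true}, 3) {
		fmt.Printf("[%s] %s\n", a.Severity, a.Message)
	}
}
```

A deletion is paged regardless of who performed it because the page is explicit that it cannot be undone; the approved set and the failure threshold are the two knobs a team would tune to its own change process and extract volume.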

Frequently Asked Questions (FAQ)

Question:

What happens if I don’t renew my Advanced Management license?

Answer:

If you don’t renew the Advanced Management license, the Customer-Managed Encryption Keys feature automatically changes to a disabled state.

Question:

What happens to my key data if I stop being a Tableau Online customer?

Answer:

Per the Tableau Online data policy, there’s a 90-day wait period before your key data gets deleted.

Question:

What happens if I move to a different Tableau Online region?

Answer:

The key data lives in the Salesforce KMS instance in the same region as your Tableau Online pod, so a key can't follow a site to another region. If you want to move to another region, turn off the feature and refresh your extracts first, so that none of them still depends on the region-bound key.
