Use an External KMS for Extract Encryption Keys

Many organizations require direct control over the encryption keys that protect their business-critical data. An external key management service (KMS) addresses this by letting customers keep control of their encryption keys with a trusted external key management vendor. That direct control significantly strengthens the security posture of organizations, particularly those concerned about unauthorized access to these critical keys.

For many organizations, the ability to control their encryption keys externally is also crucial for meeting regulatory and compliance mandates. Direct control over encryption keys further helps organizations maintain data sovereignty, which matters for the legal and geographical considerations of data storage and access.

As of October 2025, Tableau Cloud offers external key management exclusively through the Amazon Web Services (AWS) KMS.

Note: The External KMS feature is only available on Tableau Cloud with Tableau +, Tableau Enterprise, or Advanced Management.

The Key Hierarchy

The encryption process when using an external KMS follows a distinct key hierarchy to ensure data security and allow customers to maintain direct control over their encryption keys.

The key hierarchy when using an external KMS is:

  • Customer Master Key (CMK): The CMK is the root key in the hierarchy, created and controlled by the customer within the AWS KMS. Each key listed in Tableau corresponds to a CMK in the AWS KMS.
  • Key-Encrypting Key (KEK): KEKs are descended from the CMK and are used to encrypt the Data-Encrypting Keys (DEKs).
  • Data-Encrypting Key (DEK): DEKs are descended from the KEKs and are the lowest-level keys in the hierarchy. The DEKs are the keys that are directly used to encrypt and decrypt extracts.

Key States in Tableau Cloud

When using an external KMS, the keys in Tableau have the following states and capabilities:

  • Pending - You generated the key, but aren't using it yet. It can't be used to write or read any extracts until you activate it.
  • Active - The key is being used to write extracts, and to read extracts that it wrote.
  • Archived - The key was active in the past, but was superseded by a later key. It's not being used to write extracts, but is being used to read extracts that it wrote.
  • Deactivated - The key was active then archived in the past. It's not being used for reading or writing any extracts.

State & Capability Quick Reference

Key status    Can write/encrypt extracts    Can read/decrypt extracts
Pending       No                            No
Active        Yes                           Yes
Archived      No                            Yes
Deactivated   No                            No

Setup Overview

The summary-level steps to use the AWS KMS with Tableau are:

  • AWS KMS: Create the customer master key (CMK).
  • Tableau Cloud: Enable extract encryption (or migrate from customer-managed encryption keys, which uses the Salesforce KMS).
  • Tableau Cloud: Generate a key in Tableau, using the customer master key's ARN from the AWS KMS.
  • AWS KMS: Add the Tableau key policy JSON to the AWS customer master key's policy.
  • Tableau Cloud: Activate the key.

Setup Details

Create a Master Key in the AWS KMS

Key encrypting keys (KEKs) and data encrypting keys (DEKs) that Tableau uses are based on customer master keys (CMKs) that you create in the AWS KMS. Therefore, you must have a CMK in the AWS KMS before Tableau can generate KEKs and DEKs. If you need help creating a key in the AWS KMS, consult your local key expert.

The Tableau key generation dialog contains a link to the AWS KMS. You can create the AWS master key at that point in the process, or you can create it before starting the key generation process in Tableau.

AWS keys are uniquely identified by an Amazon Resource Name (ARN). You are asked to provide the CMK ARN during the Tableau key generation process. Key ARNs are formatted like:

arn:aws:kms:us-east-2:123456789012:key/12345678-90ab-cdef-1234-567890abcdef

Enable Extract Encryption with an External KMS

Note: Once you enable encryption, you can't easily disable it. Similarly, switching from customer-managed encryption keys (using the Salesforce KMS) to an external KMS is permanent and can't be undone without help from your account manager.

To enable an external KMS:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select Encrypt Extracts.
  5. Select Use an external KMS.
  6. Select Generate Key.
    • If you're migrating from the Salesforce KMS to an external KMS, read the warning, then select Switch to External KMS.

Generate a Key

You must generate a key and then activate it to write encrypted extracts. If you already have an active key, you generate another key as a first step towards replacing the currently active key.

To generate a key in Tableau:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select Generate Key.
  5. If you're generating the first key for a site, you see the Configure the AWS KMS dialog. If you already have an active key, proceed through the Generate Key confirmation dialog first.
  6. Select Launch the AWS KMS. You're prompted for AWS login if you're not already logged in.
  7. In the AWS KMS, create a new key or find an existing one, then copy the key ARN.
  8. Return to the Tableau Configure the AWS KMS dialog and paste the key ARN into the Key ARN from AWS field.
  9. Optionally, enter a Description.
  10. Select Next (or Enable Encryption, if this is the first key for the site).
  11. Select Done to add the key policy JSON to the AWS KMS later, or follow Add Key Policy JSON to KMS Key Policy to do it now.

The key can't be used to read or write extracts until you add the key policy JSON to the AWS KMS policy and then activate it.

Add Key Policy JSON to KMS Key Policy

A newly-generated key has a status of Pending, and can't be used to write or read extracts until you add the key policy JSON to the AWS KMS policy and then activate it.

To see the key policy JSON, continue from the Generate a Key process.

Or, if you're not continuing from that process:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate Pending key.
  5. Select Key Policy.

To add the key policy JSON to the AWS KMS policy, you copy the relevant Statement object from Tableau into the policy JSON in the AWS KMS. You only need part of the complete JSON text. Selecting Copy Key Policy, pasting into a text editor, and editing the JSON there may be easier than working in the dialog.

From the JSON text, copy the object inside the Statement array. Then, in the AWS KMS key's policy, add the copied object to the Statement array, following standard JSON syntax. (You will probably have to add a comma after the last existing statement in the AWS KMS policy's Statement array before adding the new object.)

Example:

The object inside the Statement array (from the opening brace after "Statement": [ to its matching closing brace) is the section to add to the AWS KMS policy:

{
    "Version": "2012-10-17",
    "Id": "sfdc-key-access-policy",
    "Statement": [
        {
            "Sid": "AllowSalesforceShieldKeyBroker1234567890abc",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::123456789abc:assumed-role/EkmAwsKmsAccessRole/1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ12"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:sf-auth": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"
                }
            }
        }
    ]
}
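As an added example (not Tableau's or AWS's own code), the following Python script performs the merge described above on the policy JSON text instead of by hand: it appends the Statement object from the Tableau key policy to the Statement array of the existing CMK policy, skips it if a statement with the same Sid is already present, and refuses to merge if the statement grants anything beyond the kms:GenerateDataKey* and kms:Decrypt actions scoped by a kms:EncryptionContext condition, which is all the page's example grants. The sample policies, account id, role session name and sf-auth value are constructed placeholders; the aws kms get-key-policy and put-key-policy commands in the docstring are the standard AWS CLI calls for fetching and replacing a key policy.

```python
"""Merge Tableau's key policy Statement into an existing AWS KMS key policy.

Added example, not Tableau's or AWS's tooling. Intended flow:
  aws kms get-key-policy --key-id <CMK ARN> --policy-name default \
      --query Policy --output text > existing.json
  python merge_key_policy.py > merged.json   # with the two JSON texts below
  aws kms put-key-policy --key-id <CMK ARN> --policy-name default \
      --policy file://merged.json
"""
import json
from copy import deepcopy

# Constructed sample of an existing key policy as returned by get-key-policy.
# The account id is a placeholder.
EXISTING_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# Constructed sample in the shape of the JSON shown in Tableau's Key Policy
# dialog. The Sid suffix, role session name and sf-auth value are placeholders.
TABLEAU_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "sfdc-key-access-policy",
    "Statement": [
        {
            "Sid": "AllowSalesforceShieldKeyBrokerPLACEHOLDER",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::123456789012:assumed-role/EkmAwsKmsAccessRole/PLACEHOLDER"
            },
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:EncryptionContext:sf-auth": "PLACEHOLDER-sf-auth"}
            },
        }
    ],
})

# The only actions the Tableau statement on this page grants.
ALLOWED_ACTIONS = {"kms:GenerateDataKey*", "kms:Decrypt"}


def check_tableau_statement(stmt):
    """Return findings (empty list = OK) if the statement grants more than expected."""
    findings = []
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    extra = set(actions) - ALLOWED_ACTIONS
    if extra:
        findings.append(f"unexpected actions: {sorted(extra)}")
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    if not any(k.startswith("kms:EncryptionContext:") for k in cond):
        findings.append("missing kms:EncryptionContext condition")
    principal = stmt.get("Principal", {}).get("AWS", "")
    if principal == "*" or not isinstance(principal, str):
        findings.append("principal is not a single specific ARN")
    return findings


def _statements(policy):
    """Normalise Statement, which IAM allows as a single object or an array."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else statements


def statement_sids(policy_json):
    """Sids of a policy's statements, in order (handy for verifying a merge)."""
    return [s.get("Sid") for s in _statements(json.loads(policy_json))]


def merge_key_policy(existing_json, tableau_json):
    """Return (merged policy JSON text, number of statements added)."""
    merged = deepcopy(json.loads(existing_json))
    statements = _statements(merged)
    merged["Statement"] = statements          # always write back as an array
    known_sids = {s.get("Sid") for s in statements}
    added = 0
    for stmt in _statements(json.loads(tableau_json)):
        findings = check_tableau_statement(stmt)
        if findings:
            raise ValueError("refusing to merge: " + "; ".join(findings))
        if stmt.get("Sid") in known_sids:
            continue                          # idempotent on a second run
        statements.append(deepcopy(stmt))
        known_sids.add(stmt.get("Sid"))
        added += 1
    return json.dumps(merged, indent=4), added


if __name__ == "__main__":
    merged_policy, count = merge_key_policy(EXISTING_KEY_POLICY, TABLEAU_KEY_POLICY)
    print(merged_policy)                      # paste or put-key-policy this text
```

The merge keeps every existing statement untouched and only appends, so the root account's kms:* statement that AWS creates by default is preserved; losing it is the classic way to lock yourself out of a KMS key. Running the script twice is safe because the Tableau statement is matched by Sid.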

Activate a Key

Activate a key to use it for reading and writing new extracts. The Activate Key action is only available on a Pending key.

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate Pending key.
  5. Select Activate Key....

If you already have an active key, activating a new key changes the existing key's status to Archived. An archived key is only used to read extracts that it wrote. The new key becomes Active, and is used to write new extracts and read extracts that it wrote.

Note: After you enable encryption and activate the first key on a site, Tableau Cloud creates an extract encryption background job for each extract on your site. These jobs are set to the lowest priority, meaning they run only when there are extra resources. Existing extract refresh jobs run before extracts are encrypted.

Other Actions

Archive a Key

Archived keys can read extracts they wrote, but aren't used to write new extracts. The only way to archive a key is by activating a new key. See Activate a Key.

Deactivate a Key

Deactivate an archived key to make it unusable for reading or writing any extracts. You might want to do this if the key has been compromised. The Deactivate Key action is only available on an Archived key.

When you deactivate a key, it can't be used to read extracts it wrote (in contrast to an archived key, which can read extracts it wrote). This means that some extract-based content could stop working if it hasn't been encrypted with an active key. If you need to retain access to extract-based content that uses the old key, make sure the extracts are refreshed with an active key before deactivating the old one.

Note: You can Restore a deactivated key if you need to. Restoring a key will change it from Deactivated to Archived. See Restore a Key.

To deactivate a key:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate Archived key.
  5. Select Deactivate Key....
  6. Enter "Deactivate this key" into the text field to confirm your action.
  7. Select Deactivate Key.

Restore a Key

Restore a deactivated key to make it usable for reading extracts it wrote. The Restore Key action is only available on a Deactivated key, and changes it to Archived.

When you restore a key to the archived state, it won't be used to write any extracts. It's only used to read extracts that it wrote.

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate Deactivated key.
  5. Select Restore Key....
  6. Select Restore Key.

Delete a Key

You can't delete keys in Tableau Cloud. A key can only be archived (which retains the ability to read content it wrote), or deactivated (which can neither read nor write). See Key States in Tableau Cloud.

Note: If you disable the customer master key (CMK) in the AWS KMS, Tableau keys descended from it stop working for encryption or decryption. Likewise, if you remove the Tableau-generated clause from the CMK's policy in the AWS KMS, Tableau keys descended from it stop working.

See Key Policy

The Key Policy dialog shows the key policy JSON for adding to the AWS KMS key's policy. The key policy JSON can be added during the Generate a Key process, or later.

For more information, see Add Key Policy JSON to KMS Key Policy.

To see the policy that should be added to the AWS KMS key's policy:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate key.
  5. Select Key Policy.

See Key History

Each row of the key history table shows an event, the key status after the event, and the date and time of the event.

To see a key's history:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate key.
  5. Select Key History.

Test Configuration

Use the Test Configuration action on a pending key to determine if it can be activated. Use the Test Configuration action on keys with other statuses to show whether they are working, should work, or won't work.

To test the configuration for a key:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, select the actions menu (...) next to the appropriate key.
  5. Select Test Configuration....

Success:

  • The key can be used to encrypt extracts. If the key is pending, it is safe to activate. If the key is already active, it is working.

Errors:

  • POLICY_DENIED - The external KMS doesn't have a policy that allows this key. Confirm that you've copied the policy from this key to the external KMS.
  • KEY_NOT_FOUND - The key wasn't found, or the key is deactivated in Tableau. Confirm the AWS KMS key ARN and policy.
  • UNKNOWN - An unknown error occurred. Make sure the key isn't disabled in the AWS KMS and try again.

Note: If you disable the customer master key (CMK) in the AWS KMS, Tableau keys descended from it stop working for encryption or decryption. Likewise, if you remove the Tableau-generated clause from the CMK's policy in the AWS KMS, Tableau keys descended from it stop working.

Migrate from Customer-Managed Encryption Keys to External KMS

Note: Switching from customer-managed encryption keys to an external KMS is permanent and can't be undone without help from your account manager.

Migrating from customer-managed encryption keys (which use Salesforce's KMS) to an external KMS is simple, but it's permanent and can't be undone without help from your account manager. After the change, you will manage your keys in the external KMS instead of Salesforce's KMS. Be sure that you understand how to perform basic key functions in the external KMS before you migrate from customer-managed encryption keys to an external KMS.

After the migration, the key derived from the external KMS will write new extracts. The Salesforce KMS key will continue to read extracts that it wrote, until the extracts are refreshed using the external KMS-based key.

For more information on customer-managed encryption keys and the Salesforce KMS, see Customer-Managed Encryption Keys.

To migrate from customer-managed encryption keys to an external KMS:

  1. Log in to your Tableau Cloud site.
  2. Select Settings in the left navigation pane.
  3. Select the Security tab.
  4. Under the Extract Encryption section, change the selection from Use the Salesforce KMS to Use an external KMS.
  5. Read the warning, then select Switch to External KMS.