Tableau Server has three Key Management System (KMS) options that allow you to enable encryption at rest. One is a local option that is available with all installations of Tableau Server. Two additional options require the Server Management add-on, but allow you to use a different KMS.
Beginning in version 2019.3, Tableau Server added these KMS options:
- A local KMS that is available with all installations. This is described below.
- An AWS-based KMS that comes as part of the Server Management add-on. For details, see AWS Key Management System.
Beginning in version 2021.1, Tableau Server added another KMS option:
- An Azure-based KMS that comes as part of the Server Management add-on. For details, see Azure Key Vault.
Tableau Server local KMS
The Tableau Server local KMS uses the secret storage capability described in Manage Server Secrets to encrypt and store the master extract key. In this scenario, the Java keystore serves as the root of the key hierarchy. The Java keystore is installed with Tableau Server. Access to the master key is managed by native file system authorisation mechanisms by the operating system. In the default configuration, the Tableau Server local KMS is used for encrypted extracts. The key hierarchy for local KMS and encrypted extracts is illustrated here:
In a multi-node setup for AWS KMS, the
tsm security kms status command may report healthy (OK) status, even if another node in the cluster is misconfigured. The KMS status check only reports on the node where the Tableau Server Administration Controller process is running and does not report on the other nodes in the cluster. By default the Tableau Server Administration Controller process runs on the initial node in the cluster.
Therefore, if another node is misconfigured such that Tableau Server is unable to access the AWS CMK, those nodes may report Error states for various services, which will fail to start.
If some services fail to start after you have set KMS to the AWS mode, then run the following command to revert to local mode:
tsm security kms set-mode local.
Regenerate RMK and MEK on Tableau Server
To regenerate the root master key and the master encryption keys on Tableau Server, run the
tsm security regenerate-internal-tokens command.