Tableau Server Key Management System
Tableau Server has three Key Management System (KMS) options that allow you to enable encryption at rest. One is a local option that is available with all installations of Tableau Server. Two additional options require Advanced Management capabilities, but allow you to use a different KMS.
Important: As of September 16, 2024, Advanced Management is no longer available as an independent add-on option. Advanced Management capabilities are only available if you previously purchased Advanced Management, or if you purchase certain license editions - either Tableau Enterprise (for Tableau Server or Tableau Cloud) or Tableau+ (for Tableau Cloud).
Beginning in version 2019.3, Tableau Server added these KMS options:
- A local KMS that is available with all installations. This is described below.
- An AWS-based KMS that comes as part of Advanced Management. For details, see AWS Key Management System.
Beginning in version 2021.1, Tableau Server added another KMS option:
- An Azure-based KMS that comes as part of Advanced Management. For details, see Azure Key Vault.
Tableau Server local KMS
The Tableau Server local KMS uses the secret storage capability described in Manage Server Secrets to encrypt and store the master extract key. In this scenario, the Java keystore serves as the root of the key hierarchy. The Java keystore is installed with Tableau Server. Access to the master key is controlled by the operating system's native file system authorization mechanisms. In the default configuration, the Tableau Server local KMS is used for encrypted extracts. The key hierarchy for local KMS and encrypted extracts is illustrated here:
Troubleshoot configuration
Multi-node misconfiguration
In a multi-node setup for AWS KMS, the tsm security kms status command may report healthy (OK) status, even if another node in the cluster is misconfigured. The KMS status check only reports on the node where the Tableau Server Administration Controller process is running and does not report on the other nodes in the cluster. By default the Tableau Server Administration Controller process runs on the initial node in the cluster.
Therefore, if other nodes are misconfigured such that Tableau Server is unable to access the AWS CMK, those nodes may report Error states for various services, which will fail to start.
If some services fail to start after you have set KMS to the AWS mode, then run the following command to revert to local mode: tsm security kms set-mode local.
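Because tsm security kms status only reflects the controller node, a practical check after switching to AWS mode is to read tsm status -v for the whole cluster and list every service on every node that is not running. The script below is an added example, not code from the Tableau documentation. The status text it parses is constructed to resemble tsm status -v output; the "nodeN: hostname" header and the quoted service-line wording are assumptions, so adjust the patterns to what your server actually prints (for example by piping real output into find_unhealthy_services). The script only prints the revert command; it does not run it.

```sh
#!/bin/sh
# Added example (not Tableau's code): find services that are not running on any
# node in a multi-node cluster, since 'tsm security kms status' reports only on
# the Administration Controller node.

# CONSTRUCTED sample resembling 'tsm status -v' output for a two-node cluster.
# Replace with:  tsm status -v | find_unhealthy_services
sample_status() {
cat <<'EOF'
node1: server-a.example.internal
Status: RUNNING
'Tableau Server Gateway 0' is running.
'Tableau Server Application Server 0' is running.
node2: server-b.example.internal
Status: DEGRADED
'Tableau Server Gateway 0' is running.
'Tableau Server Backgrounder 0' is in an error state.
'Tableau Server Data Engine 0' status is unavailable.
EOF
}

# Reads status text on stdin; prints "nodeN: <service>" for each service line
# that does not end in "is running." (assumed wording of a healthy service).
find_unhealthy_services() {
  awk -v q="'" '
    /^node[0-9]+:/ { node = $1; sub(":$", "", node); next }
    ($0 ~ ("^" q)) && ($0 !~ /is running\.$/) {
      split($0, parts, q)        # parts[2] is the quoted service name
      print node ": " parts[2]
    }'
}

# Number of unhealthy services in the constructed sample.
count_unhealthy() {
  sample_status | find_unhealthy_services | wc -l | tr -d " "
}

# Exit 0 and print the documented fallback when any node has a failed service.
# Exit 1 (nothing to do) when the cluster looks healthy.
kms_fallback_needed() {
  if [ "$(count_unhealthy)" -gt 0 ]; then
    echo "Services failed on some nodes; revert with: tsm security kms set-mode local"
    return 0
  fi
  return 1
}

sample_status | find_unhealthy_services
kms_fallback_needed
```

Run the real check as tsm status -v | find_unhealthy_services on the initial node; a non-empty list from a node other than the controller is exactly the condition the KMS status check would miss.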
Regenerate RMK and MEK on Tableau Server
To regenerate the root master key and the master encryption keys on Tableau Server, run the tsm security regenerate-internal-tokens command.