Extract Encryption at Rest

Extract encryption at rest is a data security feature that allows you to encrypt .hyper extracts while they are stored on Tableau Server.

Tableau Server administrators can enforce encryption of all extracts on their site or allow users to specify to encrypt all extracts associated with particular published workbooks or data sources.

Limitations

Before they can be encrypted, older .tde file extracts must be upgraded to .hyper file extracts. This happens automatically as a part of the encryption job. For more information about the impacts of extract upgrade, see Extract Upgrade to .hyper Format.

Temporary files and cache files are not encrypted at rest with this feature.

Workbooks (.twb) and data source files (.tds) are not encrypted with this feature. These files will contain metadata such a database table column names and formatting instructions. In certain cases, they may contain some row-level data if it is included in filters. 

Other data files, such as Excel or JSON files, are not encrypted with this feature unless they are converted to extracts before being published.

When extracts are downloaded from the server they are decrypted.

Performance Overview

Increase in Backgrounder Load

You may see a slight to moderate increase in backgrounder load when you turn on encryption at rest. Encryption and decryption are computationally intensive operations. Encryption at rest alters existing backgrounder jobs and introduces new jobs to run on backgrounder. The overall increase in backgrounder load depends on the number and size of affected extracts and how often the scenarios below apply.

  • Initial publishing: When publishing workbooks or data sources using extracts that should be encrypted, the encryption happens on the server’s backgrounders.
  • Extract refreshes from Tableau Server: Full and incremental refreshes of encrypted extracts on Tableau Server will consume slightly more CPU.
  • Extract refreshes from Tableau Bridge and third-party applications (e.g., Informatica, Alteryx): These flows will require new encryption jobs, scheduled on the backgrounders for any refreshed extract, resulting in a slight to moderate increase in backgrounder load.
  • Encrypting and decrypting extracts in already published workbooks and data sources: If the site setting for encryption at rest is set to Enable, users might choose to encrypt or decrypt extracts in already published workbooks and data sources on Tableau server. Depending on the number and size of extracts, this will add slight to moderate load on the backgrounders.
  • Changing a site’s encryption mode: When switching a site’s setting for encryption at rest to Disable or Enforce, the backgrounder will, respectively, decrypt or encrypt all existing extracts on the site. Depending on the number and size of extracts, this may significantly increase the load on backgrounders until all extracts are unencrypted or encrypted.
  • Rotating encryption keys: Rotating encryption keys results in the backgrounders re-encrypting all existing extracts published on that site, using fresh encryption keys. Depending on the number and size of extracts, this may significantly increase the load on backgrounders until all extracts are re-encrypted.

If running at or over capacity, consider:

  • Adding additional backgrounder processes and resources.
  • Letting users encrypt individual workbooks and data sources instead of enforcing encryption for the whole site or disable encryption at rest for sites where it isn't necessary. Note that scheduled and ad hoc extract refreshes will take precedence over encryption and decryption jobs.

Increase in Viz Load Time and Worker Load

Query performance, for example, when loading or interacting with a viz or dashboard, will require the data being decrypted once, when loaded from disk to memory. This will result in a slight increase in viz load time and CPU consumption on worker nodes for the first user loading a workbook. This will not affect other users accessing those workbooks at the same time because the data will already be decrypted in memory.

Impact on Backup and Restore

Encrypted extracts in backups remain encrypted. The size of backup files (.tbks) may increase up to 50-100% due to the ineffectiveness of compression on encrypted extracts. The size increase depends, among other factors, on the number of extracts that are encrypted. The time to restore a backup that contains encrypted extracts might increase slightly due to the time to exchange encryption keys.

If your Tableau Server installation has mostly or only encrypted extracts, consider disabling compression during backups to significantly improve the time backups take. To learn more about TSM backup, see tsm maintenance backup.

Enforce Encryption at Rest on a Site

Tableau Server administrators can enforce encryption of all extracts on their site.

  1. In a web browser, sign in to Tableau Server as a server administrator.
  2. Go to the site you want to configure.
  3. Click Settings.
  4. Scroll down to the Extract Encryption at Rest section.
    Click Enforce to encrypt all extracts that are published and stored on the site.
    Encrypting all existing extracts stored on the site may take a while.
  5. Click Save

Enable Encryption at Rest on a Site

Tableau Server administrators can allow users to specify to encrypt all extracts associated with particular published workbooks or data sources.

  1. In a web browser, sign in to Tableau Server as a server administrator.
  2. Go to the site you want to configure.
  3. Click Settings.
  4. Scroll down to the Extract Encryption at Rest section.
  5. Click Enable to allow users to optionally encrypt extracts on the site.
    Changing to Enable will cancel pending decryption jobs and pending encryption jobs. No encryption jobs are created.
  6. Click Save

Disable Encryption at Rest on a Site

  1. In a web browser, sign in to Tableau Server as a server administrator.
  2. Go to the site you want to configure.
  3. Click Settings.
  4. Scroll down to the Extract Encryption at Rest section.
  5. Click Disable to not allow encrypted extracts on the site.
    Changing to Disable will decrypt all existing encrypted extracts. Decrypting all extracts stored on the site may take a while.
  6. Click Save

View Extract Encryption Mode for All Sites

  1. On a multi-site server, click Manage all sites on the site menu.

    Note: The Manage all sites option only displays when you are signed in as a server administrator.

  2. Click Sites.
  3. The encryption mode of each site is displayed in the Extract encryption at rest column.

Encrypt or Decrypt Extracts for a Published Workbook or Data Source

Note: The option to encrypt or decrypt the extracts associated with particular published workbook or data source is only available when the site setting for encryption at rest is set to Enable. When a site is set to Disable, all content is not encrypted. When a site is set to Enforce, all content is encrypted.
Note: You must be the owner or administrator.

  1. Go to the published workbook or published data source page.
  2. Click the dropdown menu that says Encrypted Extract or Unencrypted Extract.
  3. Select Unencrypted.
    You will see a message that says, “Decrypting extract.”
    -or-
    Select Encrypted.
    An encryption job is started.

Alternatively, you can encrypt or decrypt extracts on the card view action menu, list view action menu, and action menu in the header section.

Encrypt or Decrypt Multiple Items

  1. Go to the Data Sources page.
  2. Select the check box beside one or more data sources.
  3. In the upper-left of the Data Sources page, click Actions.
  4. Click Encrypt or Decrypt.

View Encryption Status for a Single Item

  1. Sign in to the site.
  2. Go to a single data source page.
    -or-
    Go to a single workbook page for a workbook containing embedded data sources.
  3. The encryption status is displayed on the page.

Filter Data Sources by Encryption Status

  1. In the site, click Explore.
  2. At the top-right, click the Explore: Top-level Projects dropdown menu and select All Data Sources.
  3. Click the filter icon.
  4. Scroll down to the “Live or extract” section and select a filtering option: All, Live, Extracts, Unencrypted Extracts, Encrypted Extracts, Currently Encrypting, or Currently Decrypting.
  5. Select the checkbox beside “Include .tde and .hyper files” if you want to include “Live to .tde file” and “Live to .hyper file” connections in your filter results.

Filter Workbooks by Encryption Status

  1. In the site, click Explore.
  2. At the top-right, click the Explore: Top-level Projects dropdown menu and select All Workbooks.
  3. Click the filter icon.
  4. Scroll down to the “Live or extract” section and select a filtering option: All, Live, Extracts, Published, Unencrypted Extracts, Encrypted Extracts, Currently Encrypting, or Currently Decrypting.
  5. Select the checkbox beside “Include .tde and .hyper files” if you want to include “Live to .tde file” and “Live to .hyper file” connections in your filter results.
    Any workbooks that have at least one connection that matches the filter selection will be displayed.

View Status of Encrypt or Decrypt Extracts Background Tasks

  1. In the site, click Site Status.
  2. Click Background Tasks for Non Extracts to see completed and pending background task details.
    Note: Background Tasks for Non Extracts includes all tasks not related to extract refreshes, so it includes encryption jobs.
  3. In the Task menu, select Encrypt Extracts or Decrypt Extracts and click Apply.
  4. In the Time Range menu, select a range.
    You see "Encrypt Extracts" or "Decrypt Extracts" background tasks for all of your extract-based published data sources and workbooks.

The tabcmd Utility

The tabcmd command-line utility has commands and options to control extract encryption. For more information, see the tabcmd documentation.

Specify the extract encryption mode when you create a site

tabcmd createsite <site-name> --extract-encryption-mode [enforced | enabled | disabled]

Specify the extract encryption mode when you edit a site

tabcmd editsite <site-name> --extract-encryption-mode [enforced | enabled | disabled]

Get the extract encryption mode when you list sites

tabcmd listsites --get-extract-encryption-mode

Encrypt extracts when you publish a workbook, data source, or extract to the server

tabcmd publish "filename.hyper" –-encrypt-extracts

Decrypt all extracts on a site

Note: Depending on the number and size of extracts, this operation may consume significant server resources. Consider running this command outside of normal business hours.

tabcmd decryptextracts <site-name>

Encrypt all extracts on a site

Note: Depending on the number and size of extracts, this operation may consume significant server resources. Consider running this command outside of normal business hours.

tabcmd encryptextracts <site-name>

Reencrypt all extracts on a site with new encryption keys

If no site is specified, extracts on the default site will be reencrypted.

Note: Depending on the number and size of extracts, this operation may consume significant server resources. Consider running this command outside of normal business hours.

tabcmd reencryptextracts <site-name>

For more information, see reencryptextracts.

Tableau Server Rest API

With the Tableau Server REST API you can manage Tableau Server resources programmatically. You can use this access to create your own custom applications or to script interactions with Tableau Server resources.

To learn more, see Extract Encryption Methods.

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.