Tableau Server Key Management System

Tableau Server has three Key Management System (KMS) options that allow you to enable encryption at rest. One is a local option that is available with all installations of Tableau Server. Two additional options require the Server Management add-on, but allow you to use a different KMS.

Beginning in version 2019.3, Tableau Server added these KMS options: 

  • A local KMS that is available with all installations. This is described below.
  • An AWS-based KMS that comes as part of the Server Management add-on. For details, see AWS Key Management System.

Beginning in version 2021.1, Tableau Server added another KMS option: 

  • An Azure-based KMS that comes as part of the Server Management add-on. For details, see Azure Key Vault.

Tableau Server local KMS

The Tableau Server local KMS uses the secret storage capability described in Manage Server Secrets to encrypt and store the master extract key. In this scenario, the Java keystore serves as the root of the key hierarchy. The Java keystore is installed with Tableau Server. Access to the master key is managed by native file system authorization mechanisms by the operating system. In the default configuration, the Tableau Server local KMS is used for encrypted extracts. The key hierarchy for local KMS and encrypted extracts is illustrated here:

Troubleshoot configuration

Multi-node misconfiguration

In a multi-node setup for AWS KMS, the tsm security kms status command may report healthy (OK) status, even if another node in the cluster is misconfigured. The KMS status check only reports on the node where the Tableau Server Administration Controller process is running and does not report on the other nodes in the cluster. By default the Tableau Server Administration Controller process runs on the initial node in the cluster.

Therefore, if another node is misconfigured such that Tableau Server is unable to access the AWS CMK, those nodes may report Error states for various services, which will fail to start.

If some services fail to start after you have set KMS to the AWS mode, then run the following command to revert to local mode: tsm security kms set-mode local.

Regenerate RMK and MEK on Tableau Server

To regenerate the root master key and the master encryption keys on Tableau Server, run the tsm security regenerate-internal-tokens command.

Thanks for your feedback!