Azure Key Vault

Tableau Server has three Key Management System (KMS) options that allow you to enable encryption at rest. Two of these require the Server Management add-on, while a local one is available with all installations of Tableau Server.

Beginning in version 2019.3, Tableau Server added these KMS options: 

Beginning in version 2021.1, Tableau Server added another KMS option: 

  • An Azure-based KMS that comes as part of the Server Management add-on. This is described below.

Azure Key Vault for encryption at rest

Azure Key Vault is available as part of the Server Management Add-on to Tableau Server beginning in version 2021.1.0. For more information see About Tableau Server Management Add-on.

If your organization is deploying Data Extract Encryption at Rest, then you may optionally configure Tableau Server to use Azure Key Vault as the KMS for extract encryption. To enable Azure Key Vault, you must deploy Tableau Server in Azure. In the Azure scenario, Tableau Server uses the Azure Key Vault to encrypt the root master key (RMK) for all encrypted extracts. However, even when configured for Azure Key Vault, the Tableau Server native Java keystore and local KMS are still used for secure storage of secrets on Tableau Server. The Azure Key Vault is only used to encrypt the root master key for encrypted extracts.

The key hierarchy when Tableau Server is configured with Azure Key Vault

Configure Azure Key Vault for Tableau Server encrypted extracts

To use the Azure Key Vault to encrypt the root key in the Tableau Server KMS hierarchy, you must configure Tableau Server as described in this section.

Before you begin, verify that you meet the following requirements:

  • Tableau Server must be deployed in Azure.
  • Tableau Server must be configured with a Server Management Add-on license. See About Tableau Server Management Add-on.
  • You must have administrative control over the key vault in Azure where the key resides.

Step 1: Create a key vault and key for Tableau Server in Azure

The following procedures are performed in the Azure Key Vault service. References are included to Azure documentation.

  1. Create the key vault that you will use for Tableau Server. See the Azure topic, Create a key vault.
  2. Create a key in the vault. See the Azure topic, Manage keys and secrets.

    The key must be an asymmetric RSA key, but it can be any size (Tableau Server does not care about the key size). We recommend that you follow the principle of least privilege for maximum security.

    Tableau requires permissions to perform the GET, UNWRAP KEY, and WRAP KEY operations, and we recommend that you allow access for only these operations for least privilege. Assign the access policy to the VM you are running Tableau Server on.

    In a multi-node deployment of Tableau Server, the access policy must be assigned to all nodes of the server cluster.

Step 2: Collect Azure configuration parameters

You will need the key vault name and the key name from Azure.

Step 3: Configure Tableau Server for Azure Key Vault

Run the following command on Tableau Server. This command will restart the server:

  • tsm security kms set-mode azure --vault-name "<vault name>" --key-name "<key name>"

    The --vault-name and --key-name options are direct string copies from your Azure key vault.

    For example, if your Azure key vault is named tabsrv-keyvault and your key is tabsrv-sandbox-key01, then the command would be as follows:

    tsm security kms set-mode azure --vault-name "tabsrv-keyvault" --key-name "tabsrv-sandbox-key01"

Step 4: Enable encryption at rest

See Extract Encryption at Rest.

Step 5: Validate installation

  1. Run the following command:

    tsm security kms status

    The following information may be returned:

    • Status: OK (indicates the Key Vault is accessible by the controller node)
    • Mode: Azure Key Vault
    • Vault name: <key_vault_name>
    • Azure Key Vault key name: <key_name>
    • List of available UUIDs for MEKs indicating which key is active
    • Error information if the KMS data is not accessible
  2. View logs after you encrypt and decrypt extracts:

    • Publish extracts to your site and then encrypt them. See Extract Encryption at Rest.

    • Access the extracts with Tableau Desktop or with Web Authoring on a browser (this will decrypt the extracts for use).

    • Search the vizqlserver_node log files for the AzureKeyVaultEnvelopeAccessor and AzureKeyVaultEnvelope strings. The default location of the logs is C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs

      For publishing and extract refreshes related to the Azure Key Vault, search the backgrounder logs. For more information about logs, see Tableau Server Logs and Log File Locations.

Troubleshoot configuration

Multi-node misconfiguration

In a multi-node setup for Azure Key Vault, the tsm security kms status command may report healthy (OK) status, even if another node in the cluster is misconfigured. The KMS status check only reports on the node where the Tableau Server Administration Controller process is running. It does not report on the other nodes in the cluster. By default the Tableau Server Administration Controller process runs on the initial node in the cluster.

Therefore, if another node is misconfigured so that Tableau Server is unable to access the Azure key, that node may report Error states for various services, which will fail to start.

If some services fail to start after you have set KMS to the "azure" mode, then run the following command to revert to local mode: tsm security kms set-mode local.
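Because tsm security kms status only reflects the controller node, the access policy from Step 1 is worth checking per node. The following is an added example, not part of the Tableau documentation: it audits the JSON printed by az keyvault show and reports, for each node, any missing required key operation and any permission beyond GET, WRAP KEY and UNWRAP KEY. It assumes the vault uses access policies and that each node's VM has a managed identity; the node names and object IDs are constructed.

```python
import json

# Key operations the page says Tableau Server needs (compared case-insensitively).
REQUIRED = {"get", "wrapkey", "unwrapkey"}

def audit_node_policies(vault_json, node_principals):
    """Return {node: {"missing": [...], "excess": [...]}} for nodes that deviate."""
    vault = json.loads(vault_json)
    granted = {}  # principal objectId -> set of "category/permission"
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        perms = granted.setdefault(policy["objectId"].lower(), set())
        for category, names in (policy.get("permissions") or {}).items():
            perms.update(f"{category}/{n.lower()}" for n in names or [])
    wanted = {f"keys/{p}" for p in REQUIRED}
    findings = {}
    for node, object_id in node_principals.items():
        # A node with no policy at all ends up with every required operation missing.
        have = granted.get(object_id.lower(), set())
        missing, excess = sorted(wanted - have), sorted(have - wanted)
        if missing or excess:
            findings[node] = {"missing": missing, "excess": excess}
    return findings

# Constructed sample: trimmed `az keyvault show` output with made-up object IDs.
SAMPLE_VAULT = json.dumps({"name": "tabsrv-keyvault", "properties": {"accessPolicies": [
    {"objectId": "00000000-0000-0000-0000-000000000001",
     "permissions": {"keys": ["get", "wrapKey", "unwrapKey"], "secrets": []}},
    {"objectId": "00000000-0000-0000-0000-000000000002",
     "permissions": {"keys": ["get", "wrapKey", "unwrapKey", "delete"],
                     "secrets": ["list"]}},
]}})
SAMPLE_NODES = {  # hypothetical node names -> VM managed-identity object IDs
    "node1": "00000000-0000-0000-0000-000000000001",
    "node2": "00000000-0000-0000-0000-000000000002",
    "node3": "00000000-0000-0000-0000-000000000003",
}

if __name__ == "__main__":
    for node, f in audit_node_policies(SAMPLE_VAULT, SAMPLE_NODES).items():
        print(node, "missing:", f["missing"], "excess:", f["excess"])
```

On the sample data, node2 is flagged for over-broad access and node3 for having no policy at all, which is the case the controller-only status check does not surface.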

Refresh Azure Key

You refresh the Azure key in Azure. There is no required or scheduled key refresh period. You can refresh your key by creating a new key version in Azure. Because the Key Vault name and Key Name do not change, you do not need to update the KMS configuration on Tableau Server for normal Azure Key refresh scenarios.

Back up and restore with Azure Key Vault

A server backup can be taken in Azure Key Vault mode with no additional configurations or procedures. The backup contains encrypted copies of the RMK and MEKs. Decrypting the keys requires access and control of the Azure Key Vault.

For the restore scenario, the server being restored to can be in either Azure Key Vault or Local KMS mode. The only requirement is that the server to which the backup is being restored has access to the Azure Key Vault the backup itself used.
