
What encryption method is used to encrypt passwords in the Qlik Sense Repository Database

Andre_Sostizzo
Digital Support

Last Update: Jun 23, 2021 9:51:25 AM

Updated By: Sonja_Bauernfeind

Created date: May 24, 2017 1:37:19 PM

Qlik Sense stores three types of passwords:

  • PostgreSQL database password used by the Qlik Sense Repository Service when accessing the repository database.
    This password is encrypted and stored in C:\Program Files\Qlik\Sense\Repository\Repository.exe.config.
    Note: the Repository.exe.config file itself is not encrypted, only the password value within the file.
  • Qlik Sense data connection passwords defined for Data Connections and User Directory Connectors (UDC) in the QMC or Hub are stored in the "dataconnections" table in the Qlik Sense Repository Database (PostgreSQL).
    Note: passwords defined in a Windows DSN or OLEDB configuration are not stored in the Qlik Sense Repository Database.

Note: Qlik Sense doesn't store any end-user password. Authentication is always redirected to an authentication solution, which handles the user password.

Affected releases:

  • Qlik Sense Enterprise on Windows, all releases
  • Qlik Analytics Platform, all releases

 

 

Qlik Sense Enterprise on Windows encrypts passwords with the .NET ProtectedData.Protect method, which uses the Windows Data Protection API (DPAPI).
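The behaviour of ProtectedData.Protect can be observed directly with the short script below. It is an added example, not Qlik code: the CurrentUser scope, the absence of optional entropy, Windows PowerShell 5.1 and the sample string are assumptions, since the article does not state which scope or entropy Qlik Sense uses.

```powershell
# Added illustration, not Qlik code. Assumptions: Windows PowerShell 5.1,
# CurrentUser scope, no optional entropy (the article states neither).
Add-Type -AssemblyName System.Security

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Sample {
    param([string]$Text)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Text)
    # DPAPI derives the key from the calling account's credentials; no key is passed in.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Sample {
    param([string]$Base64)
    $blob = [Convert]::FromBase64String($Base64)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

$sample = 'constructed-sample-password'   # constructed value, not a real credential
$a = Protect-Sample $sample
$b = Protect-Sample $sample

# Each call yields a different blob for the same input,
# so stored values cannot be compared for equality.
"Blobs differ:     $($a -ne $b)"
# The same account can reverse the protection without supplying any key.
"Round trip equal: $((Unprotect-Sample $a) -eq $sample)"

# DPAPI blobs are integrity-protected: flip one bit and Unprotect throws.
$bytes = [Convert]::FromBase64String($a)
$bytes[$bytes.Length - 1] = $bytes[$bytes.Length - 1] -bxor 0x01
try {
    Unprotect-Sample ([Convert]::ToBase64String($bytes)) | Out-Null
    'Tampered blob:    accepted'
} catch {
    'Tampered blob:    rejected'
}
```

With CurrentUser scope the blob can be unprotected only by code running as the same Windows account; with LocalMachine scope, any process on that machine can unprotect it.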

Is reversible encryption used (e.g. DES, 3DES, AES, etc.)?
Yes. Passwords are encrypted with AES256 encryption.

Is a secure cryptographic one-way hash function (such as SHA-256) of the password used, without a salt?
No

Is a secure cryptographic one-way hash function (such as SHA-256) of the salted password used (common salt)?
No

Is a secure cryptographic one-way hash function (such as SHA-256) of the salted password used (individual salt)?
Yes

How long is the salt?
The salt length is 16 bytes.

Is a dedicated password-based key derivation function, such as bcrypt, PBKDF2 or scrypt, used?
No key derivation function. Only the key provided with the cert is used.

Are the salts stored in the same database/table where the credentials are stored?
Salts are stored in the same database/table as the encrypted credentials.
