Share via


Managing the encryption key

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.

 

The first server that the Single Sign-On (SSO) service is enabled on (see Configure the Microsoft Single Sign-On Service) becomes the encryption-key server. The encryption-key server generates and stores the encryption key. The encryption key is used to encrypt and decrypt the credentials that are stored in the SSO database.

Because the encryption key protects security credentials, we recommend that you create a new encryption key on a regular schedule (for example, every 90 days). We also recommend that you create a new encryption key immediately if you suspect that account credentials have been compromised.

The encryption key must be backed up each time a new key is created. You do not need to back up the encryption key at any other time (except when you are moving the encryption-key server role from one server to another). You must back up the encryption key from the encryption-key server locally; the key cannot be backed up remotely.

You can also use encryption key backup and restore to move the encryption-key server role from one server to another (other tasks must also be completed to move the encryption-key server role).

Note

You must open the Central Administration Web site on Microsoft Office SharePoint Server to manage the encryption key.

To manage the encryption key, do the following:

  1. On the top navigation bar, click Operations.

  2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

  3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage encryption key.

What do you want to do?

  • Create a new encryption key

  • Back up an encryption key

  • Restore an encryption key

Create a new encryption key

  1. On the Manage Encryption Key page, in the Encryption Key section, click Create Encryption Key.

  2. On the Create Encryption Key page, to re-encrypt existing credentials with the new key, select the Re-encrypt all credentials by using the new encryption key check box.

    Important

    If you do not re-encrypt the existing credentials with the new encryption key, users must retype their credentials for individual application definitions, and administrators must retype group credentials for group application definitions.

  3. Click OK.

Back up an encryption key

  1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Backup section, click the removable media drive on which you want to store the encryption-key backup.

  2. Click Back Up.

Restore an encryption key

You should always back up the encryption key when you back up the single sign-on database because the database is useless without the encryption key. Also, before you replace an encryption-key server, make sure to back up the encryption key so that it can be restored on the new encryption-key server.

  1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Restore section, click the removable media drive from which you want to restore the encryption-key backup.

  2. Click Restore.