Backing Up and Restoring Encryption Keys

An important part of report server configuration is creating a backup copy of the symmetric key used for encrypting sensitive information. A backup copy of the key is required for many routine operations, and enables you to reuse an existing report server database in a new installation. It is necessary to restore the backup copy of the encryption key when any of the following events occur:

  • Changing the Report Server Windows service account name or resetting the password. When you use the Reporting Services Configuration tool, backing up the key is part of a service account name change operation.

    Note

    Resetting the password is not the same as changing the password. A password reset requires permission to overwrite account information on the domain controller. Password resets are performed by a system administrator when you forget or do not know a particular password. Only password resets require symmetric key restoration. Periodically changing an account password does not require you to reset the symmetric key.

  • Renaming the computer or instance that hosts the report server (a report server instance is based on a SQL Server instance name).

  • Migrating a report server installation or configuring a report server to use a different report server database.

  • Recovering a report server installation due to hardware failure.

You only need to back up one copy of the symmetric key. There is a one-to-one correspondence between a report server database and a symmetric key. Although you only need to back up one copy, you might need to restore the key multiple times if you are running multiple report servers in a scale-out deployment model. Each report server instance will need its own copy of the symmetric key to lock and unlock data in the report server database.

Backing Up the Encryption Keys to Disk

Backing up the symmetric key is a process that writes the key to a file that you specify, and then scrambles the key using a password that you provide. The symmetric key can never be stored in an unencrypted state, so you must provide a password to scramble the key when you save it to disk. After the file is created, you must store it in a secure location and remember the password that is used to unlock the file. To back up the symmetric key, you can use either the Reporting Services Configuration tool or the rskeymgmt utility.

How to back up encryption keys (Reporting Services Configuration Tool)

  1. Start the Reporting Services Configuration tool, and then connect to the report server instance you want to configure.
  2. Click Encryption Keys, and then click Back Up.
  3. Type a strong password.
  4. Specify a file to contain the stored key. Reporting Services appends a .snk file extension to the file. Consider storing the file on a diskette so that it is separate from the report server.
  5. Click OK.

How to back up encryption keys (rskeymgmt)

  1. Insert a diskette into the floppy disk drive if you want to store the password-protected file separately from the report server.

  2. Run rskeymgmt.exe locally on the computer that hosts the report server. You must use the -e extract argument to copy the key, provide a file name, and specify a password. The following example illustrates the arguments you must specify:

    rskeymgmt -e -f a:\rsdbkey.snk -p<password>
    
  3. Store the diskette in a secure location.

Restoring the Encryption Keys

Restoring the symmetric key overwrites the existing symmetric key that is stored in the report server database. Restoring an encryption key replaces an unusable key with a copy that you previously saved to disk. Restoring encryption keys results in the following actions:

  • The symmetric key is opened from the password-protected backup file.
  • The symmetric key is encrypted using the public key of the Report Server Windows service.
  • The encrypted symmetric key is stored in the report server database.
  • The previously stored symmetric key data (for example, key information that was already in the report server database from a previous deployment) is deleted.

To restore the encryption key, you must have a copy of the encryption key on file. You must also know the password that unlocks the stored copy. If you have the key and the password, you can run the Reporting Services Configuration tool or rskeymgmt utility to restore the key. The symmetric key must be the same one that locks and unlocks encrypted data currently stored in the report server database. If you restore a copy that is not valid, the report server cannot access the encrypted data currently stored in the report server database. If this occurs, you might need to delete all encrypted values if you cannot restore a valid key. If for some reason you cannot restore the encryption key (for example, if you do not have a backup copy), you must delete the existing key and encrypted content. For more information, see Deleting and Re-creating Encryption Keys. For more information about creating symmetric keys, see Initializing a Report Server.

How to restore encryption keys (Reporting Services Configuration Tool)

  1. Start the Reporting Services Configuration tool, and then connect to the report server instance you want to configure.
  2. On the Encryption Keys page, click Restore.
  3. Select the .snk file that contains the backup copy.
  4. Type the password that unlocks the file.
  5. Click OK.

How to restore encryption keys (rskeymgmt)

  1. Insert the diskette that contains the backup copy of the encryption key.

  2. Run rskeymgmt.exe locally on the computer that hosts the report server. Use the -a argument to restore the keys. You must provide a fully-qualified file name and specify a password. The following example illustrates the arguments you must specify:

    rskeymgmt -a -f a:\rsdbkey.snk -p<password>
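
The following PowerShell wrapper is an added example, not part of the original page or the rskeymgmt utility itself. It scripts the two rskeymgmt procedures above (back up once, then restore on each report server in a scale-out deployment), checks the exit code, and records a SHA-256 hash at backup time that is verified before a restore so that a corrupted or wrong file is not applied over the existing key. It assumes rskeymgmt.exe is on the PATH and is run locally on the report server; the key file path and the .sha256 sidecar file name are assumptions.

```powershell
# Added example (not from the original page): wraps the rskeymgmt -e / -a commands.
# Assumes rskeymgmt.exe is on PATH and is run locally on the report server.

function ConvertTo-PlainPassword([securestring] $Secure) {
    # Expose the password only for the duration of the rskeymgmt call.
    return [System.Net.NetworkCredential]::new('', $Secure).Password
}

function Backup-RsEncryptionKey {
    param(
        [Parameter(Mandatory)] [string] $KeyFile,         # e.g. E:\keys\rsdbkey.snk (assumed path)
        [Parameter(Mandatory)] [securestring] $Password   # scrambles the key inside the file
    )
    $plain = ConvertTo-PlainPassword $Password
    try {
        & rskeymgmt.exe -e -f $KeyFile "-p$plain"
        if ($LASTEXITCODE -ne 0) { throw "rskeymgmt -e failed with exit code $LASTEXITCODE" }
    } finally {
        $plain = $null
    }
    if (-not (Test-Path -LiteralPath $KeyFile)) { throw "Backup file $KeyFile was not created" }
    # Record a hash so the file can be checked for corruption or tampering before a restore.
    (Get-FileHash -LiteralPath $KeyFile -Algorithm SHA256).Hash |
        Set-Content -LiteralPath "$KeyFile.sha256"
}

function Restore-RsEncryptionKey {
    param(
        [Parameter(Mandatory)] [string] $KeyFile,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Restoring a key that is not the one protecting the database makes its encrypted
    # content unreadable, so refuse any file whose hash differs from the recorded one.
    $expected = (Get-Content -LiteralPath "$KeyFile.sha256" -ErrorAction Stop).Trim()
    $actual   = (Get-FileHash -LiteralPath $KeyFile -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch for $KeyFile; refusing to restore" }
    $plain = ConvertTo-PlainPassword $Password
    try {
        & rskeymgmt.exe -a -f $KeyFile "-p$plain"
        if ($LASTEXITCODE -ne 0) { throw "rskeymgmt -a failed with exit code $LASTEXITCODE" }
    } finally {
        $plain = $null
    }
}

# Usage: prompt for the password instead of embedding it in a script or command history.
# $pw = Read-Host -Prompt 'Key file password' -AsSecureString
# Backup-RsEncryptionKey  -KeyFile 'E:\keys\rsdbkey.snk' -Password $pw   # once, on one server
# Restore-RsEncryptionKey -KeyFile 'E:\keys\rsdbkey.snk' -Password $pw   # on each scale-out node
```

Keep the .sha256 sidecar with the key file; it protects against restoring a damaged or mismatched file but does not protect the key itself, which relies on the password and the storage location.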
    

See Also

Concepts

Managing Encryption Keys
Reporting Services Configuration Tool
Backup and Restore Operations for a Reporting Services Installation

Other Resources

rskeymgmt Utility

Help and Information

Getting SQL Server 2005 Assistance