1. Open the Reporting Services Configuration Manager and click on the Encryption Keys tab.
2. Click Backup.
3. Enter a strong password, and enter the location in which to store the resulting file.
4. Click OK.
In a similar fashion, this can be done from the command line with the rskeymgmt.exe utility:
rskeymgmt -e -f rsdbkey.snk -p<password>
Should disaster ever strike and the key need to be restored, you must have both the file containing the key and the password for that file. Should the restored backup not contain a valid symmetric key for the Report Server database, the Report Server will not be able to decrypt the data. In the absolute worst case, an administrator might have to delete all the encrypted data and then reenter it.
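Because a restore needs both the key file and its password, the backup step is worth scripting so the file is verified and protected as soon as it is written. The following PowerShell is an added example, not part of the original text; it assumes an elevated session on the Report Server, rskeymgmt.exe on the PATH, PowerShell 4.0 or later, and a hypothetical existing folder D:\KeyBackup.

```powershell
# Added example: back up the SSRS symmetric key and lock down the resulting file.
# Assumptions: elevated session, rskeymgmt.exe on PATH, PowerShell 4.0+,
# and D:\KeyBackup is a hypothetical folder that already exists.
param(
    [string]$BackupDir = 'D:\KeyBackup'   # hypothetical location
)

$ErrorActionPreference = 'Stop'
$keyFile = Join-Path $BackupDir ("rsdbkey_{0:yyyyMMdd}.snk" -f (Get-Date))
if (Test-Path $keyFile) { throw "Refusing to overwrite existing backup: $keyFile" }

# Prompt for the password so it is not stored in a script file or console history.
# rskeymgmt still takes it as an argument, so it is visible in the process
# command line for as long as the utility runs.
$secure = Read-Host 'Password for the key backup file' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Same switches as the command in the text: -e (extract), -f (file), -p (password).
    & rskeymgmt.exe -e -f $keyFile "-p$plain"
    $exit = $LASTEXITCODE
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Do not rely on the exit code alone: confirm a non-empty file was written.
if ($exit -ne 0 -or -not (Test-Path $keyFile) -or (Get-Item $keyFile).Length -eq 0) {
    throw "Key backup failed (exit code $exit); no usable file at $keyFile"
}

# Drop inherited permissions; only Administrators and SYSTEM may read the file.
& icacls.exe $keyFile /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' 'NT AUTHORITY\SYSTEM:(R)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict permissions on $keyFile" }

# Record a hash so a later restore can confirm the file has not changed.
$hash = (Get-FileHash -Path $keyFile -Algorithm SHA256).Hash
"{0:u}  {1}  SHA256={2}" -f (Get-Date), $keyFile, $hash |
    Add-Content -Path (Join-Path $BackupDir 'rsdbkey_backups.log')
Write-Host "Key backed up to $keyFile"
```

Store the password separately from the .snk file, since anyone holding both can apply the key to another Report Server.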
To restore the symmetric key with the Reporting Services Configuration Manager:
1. Open the Reporting Services Configuration Manager and click on the Encryption Keys tab.
2. Click Restore.
3. Select the location of the file (in most cases this is the *.snk file), which contains the symmetric key. Type the password that unlocks the file.
4. Click OK.
To do the same thing from the command line, run the following command:
rskeymgmt -a -f rsdbkey.snk -p<password>
Changing the symmetric key involves generating a new key and reencrypting all encrypted data that was stored using the old key. It is certainly not something that needs to happen every day, although it is a good idea to do it from time to time as a best practice. Think of it as changing the administrator or sa password. The process should also be carried out whenever the key has been compromised.
To change the symmetric key, the SSRS web service needs to be disabled. In a scale-out situation, the web service must be disabled on all machines running it. When the key has been successfully changed, the administrator can reenable the web service on the Report Server(s). To disable web access to SSRS, use the SQL Server Surface Area Configuration Tool:
1. Open the Surface Area Configuration Tool and select Surface Area Configuration for Features.
2. Select Reporting Services from the navigation menu on the left.
3. Select Web Service and HTTP Access.
4. Uncheck the Enable Web Service and HTTP Access check box.
5. Click Apply.
Remember to do this for every machine in a scale-out situation. After the web service has been disabled, changing the symmetric encryption keys is fairly straightforward. To change the symmetric key with the Reporting Services Configuration Manager, complete the following steps:
1. Open the Reporting Services Configuration Manager and click the Encryption Keys tab.
2. Click Change.
3. Click OK to acknowledge the computer(s), instance number, and installation ID.
The command to do this via the command line is also fairly simple:
rskeymgmt -s
Before changing the encryption key for a Report Server installation via the command line, you need to stop the web service and HTTP access. After the change is complete, you need to restart the Windows service and reenable the web service. For a scale-out deployment, this needs to be done on all of the Report Servers. After the key has been updated, the administrator can reenable web access.
By deleting the symmetric key, you give up any hope of ever retrieving the encrypted data. All of it will have to be reentered from the ground up. In a scale-out situation, all of the Report Servers deployed will have to be reinitialized. Proceed with extreme caution. After the keys have been deleted, the following items will definitely be affected:
Data source connection strings
Credentials stored in the catalog
Reports that are based on Report Builder models (the models use shared data sources)
Subscriptions
To delete the symmetric key with the Reporting Services Configuration Manager, complete the following steps:
1. Open the Reporting Services Configuration Manager and click the Encryption Keys tab.
2. Click Delete.
3. Click OK.
The command to do this via the command line is also deceptively simple:
rskeymgmt -d
After deleting the encryption keys, you need to restart the Report Server Windows service. For a scale-out deployment, you need to restart the Report Server Windows service on all Report Server instances.