Key Management


By now, you have seen what it takes to activate the Report Server(s). It is not trivial, and it does not take long for very important encrypted data to start filling the Report Server's catalog.

This poses the question of what to do about the encryption keys. The symmetric key is never exposed in an unencrypted fashion, and the public keys are tied to the account running the Report Server Windows service and web service. The database knows nothing. Should a hardware failure happen, it is relatively easy to restore the database and hook a new Report Server to it. However, the new machine will not be able to decrypt the data stored in the catalog. What's one to do?

Thankfully, the developers who wrote SSRS gave you a tool called rskeymgmt.exe. The Reporting Services Configuration Manager (shown in Figure 21.2) also contains similar functionality. Both tools allow you to back up and restore the symmetric key. Effectively, these two tools allow end users to perform the following tasks:

  • Perform a backup of the symmetric key. This provides a safeguard for disaster recovery, and provides a helpful tool to perform a server migration.

  • Restore a symmetric key from another Report Server instance over to the current installation.

  • Change the symmetric key and reencrypt all data in a Report Server database. This is helpful should the key ever get compromised, should a key individual leave the organization, or as a proactive practice to safeguard the data.

Figure 21.2. Encryption tab in the Reporting Services Configuration Manager.

Backing Up the Symmetric Key

Taking a backup of the symmetric key should be performed immediately after installing SSRS. Because there is only one symmetric key for every Report Server database, the backup only needs to be performed once unless the key is changed or the backup is lost. Always have a backup of the symmetric key handy. The following list describes some situations in which the backup will become useful:

  • Changing the service account under which the Report Server Windows service runs, or changing its password

  • Renaming the machine or changing the instance name of the SQL Server relational engine that hosts the Report Server database

  • Migrating or changing the Report Server database of an existing installation

  • Restoring the Report Server installation due to hardware failure

To back up the symmetric key, you must have a password to give to the utility. The password is used as an encryption key to encrypt the symmetric key before saving it. This ensures that the symmetric key is never seen unencrypted. Don't forget the password or let it be compromised.

You can complete the following steps to back up the symmetric key with the Reporting Services Configuration Manager:

1. Open the Reporting Services Configuration Manager and click on the Encryption Keys tab.

2. Click Backup.

3. Enter a strong password, and enter the location in which to store the resulting file.

4. Click OK.

In a similar fashion, this can be done from the command line with the rskeymgmt.exe utility:

 rskeymgmt -e -f rsdbkey.snk -p<password>

Restoring the Symmetric Key

Should disaster ever strike and the key need to be restored, you must have both the file with the key and the password for that file. Should the restored backup not contain a valid symmetric key for the Report Server database, the Report Server will not be able to decrypt the data. In the absolute worst case, an administrator might have to delete all the encrypted data, and then reenter it.

To restore the symmetric key with the Reporting Services Configuration Manager:

1. Open the Reporting Services Configuration Manager and click on the Encryption Keys tab.

2. Click Restore.

3. Select the location of the file (in most cases this is the *.snk file) that contains the symmetric key. Type the password that unlocks the file.

4. Click OK.

To do the same thing from the command line, run the following command:

 rskeymgmt -a -f rsdbkey.snk -p<password>
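
The backup and restore commands above, wrapped so that the password is read at a prompt, the key file is locked down, and the file is checked before it is restored. This is an added example, not code from the book or from Microsoft; the function names, the .sha256 sidecar file, PowerShell 4.0 or later, rskeymgmt on the PATH, and a nonzero exit code on failure are assumptions.

```powershell
# Added example: wrappers around the rskeymgmt -e / -a commands shown above.
# Function names and the ".sha256" sidecar file are hypothetical.
function ConvertTo-PlainText([securestring]$Secure) {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

function Backup-RsKey {
    param([Parameter(Mandatory)][string]$Path)   # e.g. rsdbkey.snk on removable media
    # Prompting keeps the password out of scripts and shell history; it is still
    # visible in the rskeymgmt process command line while the tool runs.
    $pw = Read-Host 'Backup password' -AsSecureString
    & rskeymgmt -e -f $Path "-p$(ConvertTo-PlainText $pw)"
    # Assumption: a nonzero exit code means failure; the file check covers the rest.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Path)) { throw 'Key backup failed' }

    # Drop inherited ACEs; allow only Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
    & icacls $Path /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null

    # Record a digest next to the file so a later restore can detect corruption.
    (Get-FileHash $Path -Algorithm SHA256).Hash | Set-Content "$Path.sha256"
}

function Restore-RsKey {
    param([Parameter(Mandatory)][string]$Path)
    # Refuse to apply a key file that no longer matches what was backed up.
    $expected = (Get-Content "$Path.sha256").Trim()
    if ((Get-FileHash $Path -Algorithm SHA256).Hash -ne $expected) {
        throw "Digest mismatch: $Path differs from the file that was backed up"
    }
    $pw = Read-Host 'Backup password' -AsSecureString
    & rskeymgmt -a -f $Path "-p$(ConvertTo-PlainText $pw)"
    if ($LASTEXITCODE -ne 0) { throw 'Key restore failed' }
}
```

Store the key file and its password separately; anyone holding both can decrypt the credentials and connection strings in the catalog.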

Changing the Symmetric Key

Changing the symmetric key involves generating a new key, and reencrypting all encrypted data that was stored using the old key. It is certainly not something that needs to happen every day, although it is a good idea to do it from time to time as a best practice. Think of it as changing the administrator or sa password. The process should also be performed when the key has been compromised.

To change the symmetric key, the SSRS web service needs to be disabled. In a scale-out situation, the web service must be disabled on all machines running it. When the key has been successfully changed, the administrator can reenable the web service on the Report Server(s). To disable web access to SSRS, use the SQL Server Surface Area Configuration Tool:

1. Open the Surface Area Configuration Tool and select Surface Area Configuration for Features.

2. Select Reporting Services from the navigation menu on the left.

3. Select Web Service and HTTP Access.

4. Uncheck the Enable Web Service and HTTP Access check box.

5. Click Apply.

Remember to do this for every machine in a scale-out situation. After the web service has been disabled, changing the symmetric encryption keys is fairly straightforward. To change the symmetric key with the Reporting Services Configuration Manager, complete the following steps:

1. Open the Reporting Services Configuration Manager and click the Encryption Keys tab.

2. Click Change.

3. Click OK to acknowledge the computer(s), instance number, and installation ID.

The command to do this via the command line is also fairly simple:

 rskeymgmt -s

Before changing the encryption key for a Report Server installation via the command line, you need to stop the web service and HTTP access. After the change is complete, you need to restart the Windows service and reenable the web service. For a scale-out deployment, this needs to be done on all of the Report Servers. After the key has been updated, the administrator can reenable web access.

Deleting the Symmetric Key

By deleting the symmetric key, you give up any hope of ever retrieving the encrypted data. All of it will have to be reentered from the ground up. In a scale-out situation, all of the Report Servers deployed will have to be reinitialized. Proceed with extreme caution. After the keys have been deleted, the following items will definitely be affected:

  • Data source connection strings

  • Credentials stored in the catalog

  • Reports that are based on Report Builder models (the models use shared data sources)

  • Subscriptions

To delete the symmetric key with the Reporting Services Configuration Manager, complete the following steps:

1. Open the Reporting Services Configuration Manager and click the Encryption Keys tab.

2. Click Delete.

3. Click OK.

The command to do this via the command line is also deceptively simple:

 rskeymgmt -d

After deleting the encryption keys, you need to restart the Report Server Windows service. For a scale-out deployment, you need to restart the Report Server Windows service on all Report Server instances.



Microsoft SQL Server 2005 Reporting Services
ISBN: 0672327996
Year: 2004
Pages: 254
