Back up and restore SQL Server Reporting Services (SSRS) encryption keys

Applies to: SQL Server 2016 (13.x) and later versions, Reporting Services Native mode, Reporting Services SharePoint mode

Learn how to back up and restore SSRS encryption keys by using the Report Server Configuration Manager and the rskeymgmt utility. You back up these keys to maintain the security and recoverability of your encrypted data. This process is essential when you change service account credentials, migrate installations, or recover from hardware failures. Use this process to ensure the integrity and availability of your report server environment.

Note

Reporting Services integration with SharePoint is no longer available after SQL Server 2016.

Restore the backup copy of the encryption key when you:

  • Change the Report Server Windows service account name or reset the password. When you use the Report Server Configuration Manager, backing up the key is part of the service account name change operation.

    Note

    Resetting the password isn't the same as changing the password. A password reset requires permission to overwrite account information on the domain controller. System administrators reset passwords when you forget or don't know a particular password. Only password resets require symmetric key restoration. Periodically changing an account password doesn't require you to reset the symmetric key.

  • Rename the computer or instance that hosts the report server. A report server instance is based on a SQL Server instance name.
  • Migrate a report server installation or configure a report server to use a different report server database.
  • Recover a report server installation due to hardware failure.

Back up SharePoint mode report servers

For SharePoint mode report servers, you can either use PowerShell commands or use the management pages for the Reporting Services service application. For more information, see the "Key Management" section of Manage a Reporting Services SharePoint service application.

Prerequisites

  • SQL Server 2016 (13.x) or later.
  • Connection to a report server database.
  • Access to the Report Server Configuration Manager or the rskeymgmt utility.
  • Secure storage location for the backup file.

Back up encryption keys

You only need to back up one copy of the symmetric key. There's a one-to-one relationship between a report server database and a symmetric key. Although you only need one backup copy, you might need to restore the key multiple times if you're running multiple report servers in a scale-out deployment model. Each report server instance needs its own copy of the symmetric key to lock and unlock data in the report server database.

Backing up the symmetric key writes the key to a file that you specify and encrypts it by using a password that you provide. The symmetric key is never stored in an unencrypted state, so you must provide a password to encrypt the key when you save it to disk. After you create the file, you must store it in a secure location and remember the password that's used to unlock the file.

Back up encryption keys with the Report Server Configuration Manager (Native mode)

  1. Start the Report Server Configuration Manager and connect to the report server instance you want to configure.
  2. Select Encryption Keys, and then select Backup.
  3. Specify a file to contain the stored key. Reporting Services appends a .snk file extension to the file. Consider storing the file on a disk separate from the report server.
  4. Enter a strong password.
  5. Select OK.

Back up encryption keys with the rskeymgmt utility (Native mode)

  • Run rskeymgmt.exe locally on the computer that hosts the report server. Use the -e extract argument to copy the key, provide a file name, and specify a password. The following example illustrates the required arguments:

    rskeymgmt -e -f d:\rsdbkey.snk -p<password>  
    

Restore encryption keys

When you restore the symmetric key, you replace the existing key in the report server database as follows:

  • The symmetric key is retrieved from the password-protected backup file.
  • The symmetric key is encrypted by using the Report Server Windows service public key.
  • The newly encrypted symmetric key is stored in the report server database.
  • The previous symmetric key data is deleted.

To restore the encryption key, you must have the encryption key backup and the password you used to protect it. If you have the key and the password, you can run the Report Server Configuration Manager or the rskeymgmt utility to restore the key. Keep in mind:

  • The symmetric key must match the one currently used to lock and unlock the encrypted data in the report server database.
  • If the restored key isn't valid, the report server can't access the encrypted data.
  • If you can't restore the key, you might need to delete all encrypted values.
  • If you don't have a backup copy, you must delete the existing key and encrypted content. For more information, see Delete and re-create encryption keys (Report Server Configuration Manager).

For more information about creating symmetric keys, see Initialize a Report Server (Report Server Configuration Manager).

Restore encryption keys with the Report Server Configuration Manager (Native mode)

  1. Start the Report Server Configuration Manager and connect to the report server instance you want to configure.
  2. Select Encryption Keys, and then select Restore.
  3. Select the .snk file that contains the backup copy of the encryption keys.
  4. Enter the password that unlocks the file.
  5. Select OK.

Restore encryption keys with the rskeymgmt utility (Native mode)

  • Run rskeymgmt.exe locally on the computer that hosts the report server. Use the -a argument to restore the keys. Provide a fully qualified file name and specify a password. The following example illustrates the arguments you must specify:

    rskeymgmt -a -f d:\rsdbkey.snk -p<password>
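
The two rskeymgmt commands above, wrapped in a script, as an added example that is not Microsoft's code: it prompts for the password instead of hard-coding it, restricts the backup file's ACL, and checks a recorded SHA-256 hash before restoring. The function names, paths and hash file are assumptions, as is running it locally in an administrator session with rskeymgmt.exe on PATH.

```powershell
# Added example; function names, paths and the hash file are placeholders.
function Invoke-RsKeyMgmt {
    param([ValidateSet('-e', '-a')][string]$Mode, [string]$KeyFile)
    $secure = Read-Host -Prompt "Password for $KeyFile" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Same arguments as the page: -e or -a, -f <file>, -p<password>.
        # The password is on rskeymgmt's command line while it runs, so any
        # process command-line auditing enabled on this host records it.
        & rskeymgmt.exe $Mode -f $KeyFile "-p$plain"
        # Assumption: a nonzero exit code means the operation failed.
        if ($LASTEXITCODE -ne 0) { throw "rskeymgmt $Mode exited with $LASTEXITCODE" }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable -Name plain -ErrorAction SilentlyContinue
    }
}

function Backup-SsrsKey {
    param([string]$KeyFile, [string]$HashFile)
    Invoke-RsKeyMgmt -Mode '-e' -KeyFile $KeyFile
    if (-not (Test-Path -LiteralPath $KeyFile)) { throw "$KeyFile was not created" }
    # Drop inherited ACEs; allow only BUILTIN\Administrators and SYSTEM.
    icacls.exe $KeyFile /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
    # Record the hash away from the key file so tampering with one is detectable.
    $hash = (Get-FileHash -LiteralPath $KeyFile -Algorithm SHA256).Hash
    Set-Content -LiteralPath $HashFile -Value $hash
    return $hash
}

function Restore-SsrsKey {
    param([string]$KeyFile, [string]$HashFile)
    $expected = (Get-Content -LiteralPath $HashFile -TotalCount 1).Trim()
    $actual = (Get-FileHash -LiteralPath $KeyFile -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "SHA-256 of $KeyFile does not match the recorded value; not restoring."
    }
    Invoke-RsKeyMgmt -Mode '-a' -KeyFile $KeyFile
}

# Placeholder paths:
# Backup-SsrsKey  -KeyFile 'E:\keys\rsdbkey.snk' -HashFile '\\fileserver\records\rsdbkey.sha256'
# Restore-SsrsKey -KeyFile 'E:\keys\rsdbkey.snk' -HashFile '\\fileserver\records\rsdbkey.sha256'
```

The hash check only detects a changed or corrupted backup file; whether the key matches the report server database is still determined by the restore itself.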