Change the recovery key for an on-premises data gateway
Starting with the November 2019 version of the on-premises data gateway (version 3000.14.39), you can change the recovery key that you specified during gateway installation.
The gateway uses the recovery key to create extra keys that encrypt data source and connection credentials. For more information about encryption, go to When working with the on-premises data gateway, how are recovery keys used and where are they stored? in the Power BI security whitepaper.
When you change the key, the process depends on whether you're using the gateway with Power BI or with another service:
For Power BI, credentials for connections that use the gateway are automatically encrypted again with the new key.
For other services, like Power Apps and Power Automate, connections aren't automatically encrypted with the new key. You must edit each connection to trigger encryption with the new key.
Change the recovery key
Use the following steps to change the recovery key.
Open the on-premises data gateway app and sign in. If you have multiple gateway members in a cluster, you must sign in to the primary member.
On the Recovery Keys tab, select Set new recovery key. In a cluster with more than one member, this action disables all other gateway members. You re-enable these members later in this process.
Enter the current recovery key and the new one.
Select Configure to change the recovery key. This step performs a recovery of the gateway and encrypts all Power BI data source credentials using the new recovery key.
After you've created the new key, the app shows that there's now a secondary or legacy recovery key. The gateway maintains both keys on the machine where it's installed, so connections that use the legacy recovery key don't fail. If you want to delete the legacy key, go to Delete the legacy recovery key.
If you have a gateway cluster with more than one member, perform an uninstall and recovery for each gateway member. The recovery process will ask for both the old and the new key.
If you use the gateway with services other than Power BI, edit each connection to trigger encryption with the new key.
Delete the legacy recovery key
After you've created a new recovery key, you can delete the legacy recovery key. Before deleting the legacy key, make sure all connections using the gateway have had their credentials encrypted with the new key.
Open the on-premises data gateway app and sign in. If you have multiple gateway members in a cluster, you must sign into the primary member.
On the Recovery Keys tab, select Delete legacy recovery key.