Storing Encrypted Report Server Data
Note For SQL Server 2008 R2, there have been no changes to the content that is listed in this topic.
Reporting Services stores encrypted values in the report server database and in configuration files. Most encrypted values are credentials that are used for accessing external data sources that provide data to reports. This topic describes which values are encrypted, the encryption functionality used in Reporting Services, and other kinds of stored confidential data that you should know about.
The following list describes the values that are stored in a Reporting Services installation.
Connection information and credentials used by a report server to connect to a report server database that stores internal server data.
These values are specified and encrypted during setup or report server configuration. You can update the connection information at any time using the Reporting Services Configuration tool or the rsconfig utility. Encryption of configuration settings is performed by using the machine-level key of the local computer that is available to all users. Encrypted report server connection information is stored in the rsreportserver.config file (no other configuration file contains encrypted settings). For more information, see Configuring a Report Server Database Connection.
Stored credentials that are used by a report server to connect to external data sources that provide data to a report.
These values are defined when you configure data source information for a report, and then stored as encrypted values in a report server database. The report server uses a symmetric key to encrypt and decrypt this data. For more information about stored credentials, see Planning for Services, Accounts, and Connections and Specifying Credential and Connection Information for Report Data Sources (SSRS) in SQL Server Books Online.
An unattended user account used by the report server to connect to other computers to retrieve external images files or external data that is used in a report.
This account is used when a connection to a remote computer is required and no other credentials are available to make the connection. This account is primarily used to support unattended report processing for reports that do not use credentials to access a data source. If you create reports based on data sources that do not require or use credentials when accessing data, you must configure this account for the report server to use.
This account is required under certain circumstances and can only be created through the Reporting Services Configuration tool or rsconfig. This value is also stored in the rsreportserver.config file. You must create this account manually. For more information about this account and how it is used, see Configuring the Unattended Execution Account.
The symmetric key used for encryption.
This value is created during setup or server configuration, and then stored as an encrypted value in the report server database. The Report Server Windows service uses this key to encrypt and decrypt data that is stored in the report server database.
Encryption Functionality in Reporting Services
Reporting Services uses cryptographic functions that are part of the Windows operating system. Both symmetric and asymmetric encryption are used.
Data in the report server database is encrypted using a symmetric key. There is a single symmetric key for each report server database. This symmetric key is itself encrypted using the public key of an asymmetric key pair generated by Windows. The private key is held by the Report Server Windows service account.
In a report server scale-out deployment where multiple report server instances share the same report server database, a single symmetric key is used by all report server nodes. Each node must have a copy of the shared symmetric key. A copy of the symmetric key is created for each node automatically when the scale-out deployment is configured. Each node encrypts its copy of the symmetric key using the public key of a key pair specific to its Windows service account. To learn more about how the symmetric key is created for both single instance and scale-out deployments, see Initializing a Report Server.
When you change the Report Server Windows service account, the asymmetric keys can become invalid, which will disrupt server operations. To avoid this problem, always use the Reporting Services Configuration tool to modify service account settings. When you use the configuration tool, the keys are updated for you automatically. For more information, see Configuring the Report Server Service Account.
Other Sources of Confidential Data
A report server stores other data that is not encrypted, yet may contain sensitive information that you want to protect. Specifically, report history snapshots and report execution snapshots contain query results that may include data that is intended for authorized users. If you are using snapshot functionality for reports that contain confidential data, be aware that users who can open tables in a report server database may be able to view portions of a stored report by inspecting the contents of the table.
Reporting Services does not support caching or report history for reports that use parameters based on the security identify of the user.