Encryption Keys (Reporting Services Configuration)

Use the Encryption Keys page to manage the symmetric key that is used to encrypt and decrypt data in a report server. Managing the encryption keys is an important part of report server configuration. Although the symmetric key is created and applied automatically when you create the report server database, you must create a backup copy of the symmetric key so that you can perform routine maintenance operations. The following maintenance tasks require that you have a valid copy of the symmetric key:

  • Changing the service account for the Report Server service.

  • Migrating a Reporting Services installation to a different computer.

  • Configuring a new report server instance to share or use an existing report server database.

Restoring the symmetric key is necessary if you updated the user account of the Report Server service (and you used a tool other than the Reporting Services Configuration tool to change the account), or if you are migrating a report server installation to a new server.

To protect the symmetric key from unauthorized access, the symmetric key is encrypted using the private key of the Report Server service. Only the Report Server service is able to unlock and use the symmetric key for the purpose of storing sensitive data in the report server database. If you change the identity of the Report Server service, or if you migrate the report server to a new computer, the private key of the Report Server service will no longer be able to unlock the symmetric key. To restore access to the symmetric key, the symmetric key must be re-encrypted using the private key of the new Report Server service identity. Restoring the symmetric key is the process by which the re-encryption occurs.

You should restore a symmetric key only if it is the same key that is currently used to encrypt and decrypt data in the report server database. If you restore a symmetric key that is not valid, you will no longer be able to access sensitive data. In this case, you must delete and re-create the key.


Deleting and recreating the symmetric key is a non-reversible action that can have important ramifications on your current installation. If you delete the key, any existing data that is encrypted by the symmetric key will be deleted along with the key. Deleted data includes connection strings to external report data sources, stored connection strings, and some subscription information.

To open this page, start the Reporting Services Configuration tool and select the link in the navigation pane. For more information, see How to: Start Reporting Services Configuration Manager.


  • Backup
    Copies the symmetric key to a file that you specify. The symmetric key is never stored in plain text. You must type a password to protect the file.

  • Restore
    Applies a previously saved copy of the symmetric key to the report server database. You must provide the password to unlock the file.

    The previous copy of the symmetric key for the report server instance you are currently connected to is overwritten by the restored version. After you restore the symmetric key, you must initialize all the report servers that use the report server database. For more information about initializing report servers, see Initializing a Report Server.

  • Change
    Recreates the symmetric key and re-encrypts all encrypted values in the report server database. Be sure to stop the Report Server service before recreating the symmetric key.

    In a scale-out deployment, all copies of the symmetric key are replaced with newer versions. Before changing the symmetric key, be sure to review the list of servers that are joined to the scale-out deployment to verify that only valid report server instances are given access to the new key. The servers that are part of a scale-out deployment are listed in the Scale-out Deployment page. Stop the service on each report server in the deployment before recreating the key.

    Note that regenerating the symmetric key can be a long-running process if you have many data sources and subscriptions.

  • Delete
    Deletes the symmetric key and all encrypted content, including connection strings and stored credentials. You should only delete the symmetric key if you cannot restore it.

    Once you delete the symmetric key, you must re-enter the missing connection strings and stored credentials in the reports and shared data sources that no longer have these values. You must also update all subscriptions that use delivery extensions that store encrypted data. This includes the file share delivery extension and any third-party delivery extension that use encrypted value.

    There is no automated way to update this information. Each report, subscription, and shared data source that uses stored credentials and connection strings must be updated one at a time.