Changing the RMS Private Key

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

During provisioning, RMS creates the RMS private key for the server. The RMS private key is encrypted and stored in the configuration database. It is recommended that you back up the private key and store the backup in a secure location. In addition, consider using a hardware security module to secure the RMS private key, because this key is used in the encryption scheme for all content protected by the RMS server. If the RMS private key is compromised, you must unprovision RMS on the server and then provision RMS again to obtain a new RMS private key.

The strength of the protection on the RMS private key is determined by the RMS private key password that was entered when RMS was provisioned, so make sure to choose a strong private key password.

If the server was used to protect content, notify all content owners and have the content re-published with the new private key. Destroy any copies of content protected by using the compromised private key, because they can no longer be considered adequately protected.

Regardless of whether the root cluster has been enrolled with the Microsoft Enrollment Service, the cluster must repeat the provisioning process to obtain a new private key. Simply re-enrolling an RMS server does not help: re-enrollment reuses the existing RMS private key.