Store Encrypted Report Server Data (SSRS Configuration Manager)

Reporting Services stores encrypted values in the report server database and in configuration files. Most encrypted values are credentials that are used for accessing external data sources that provide data to reports. This topic describes which values are encrypted, the encryption functionality used in Reporting Services, and other kinds of stored confidential data that you should know about.

Encrypted Values

The following list describes the values that are stored in a Reporting Services installation.

  • Connection information and credentials used by a report server to connect to a report server database that stores internal server data.

    These values are specified and encrypted during setup or report server configuration. You can update the connection information at any time using the Reporting Services Configuration tool or the rsconfig utility. Encryption of configuration settings is performed by using the machine-level key of the local computer that is available to all users. Encrypted report server connection information is stored in the rsreportserver.config file (no other configuration file contains encrypted settings). For more information, see Configure a Report Server Database Connection (SSRS Configuration Manager).

  • Stored credentials that are used by a report server to connect to external data sources that provide data to a report.

    These values are defined when you configure data source information for a report, and then stored as encrypted values in a report server database. The report server uses a symmetric key to encrypt and decrypt this data. For more information about stored credentials, see Specify Credential and Connection Information for Report Data Sources in SQL Server Books Online.

  • An unattended user account used by the report server to connect to other computers to retrieve external image files or external data that is used in a report.

    This account is used when a connection to a remote computer is required and no other credentials are available to make the connection. This account is primarily used to support unattended report processing for reports that do not use credentials to access a data source. If you create reports based on data sources that do not require or use credentials when accessing data, you must configure this account for the report server to use.

    This account is required under certain circumstances and can only be created through the Reporting Services Configuration tool or rsconfig. This value is also stored in the rsreportserver.config file. You must create this account manually. For more information about this account and how it is used, see Configure the Unattended Execution Account (SSRS Configuration Manager).

  • The symmetric key used for encryption.

    This value is created during setup or server configuration, and then stored as an encrypted value in the report server database. The Report Server Windows service uses this key to encrypt and decrypt data that is stored in the report server database.

Encryption Functionality in Reporting Services

Reporting Services uses cryptographic functions that are part of the Windows operating system. Both symmetric and asymmetric encryption are used.

Data in the report server database is encrypted using a symmetric key. There is a single symmetric key for each report server database. This symmetric key is itself encrypted using the public key of an asymmetric key pair generated by Windows. The private key is held by the Report Server Windows service account.

In a report server scale-out deployment where multiple report server instances share the same report server database, a single symmetric key is used by all report server nodes. Each node must have a copy of the shared symmetric key. A copy of the symmetric key is created for each node automatically when the scale-out deployment is configured. Each node encrypts its copy of the symmetric key using the public key of a key pair specific to its Windows service account. To learn more about how the symmetric key is created for both single instance and scale-out deployments, see Initialize a Report Server (SSRS Configuration Manager).

Note

When you change the Report Server Windows service account, the asymmetric keys can become invalid, which will disrupt server operations. To avoid this problem, always use the Reporting Services Configuration tool to modify service account settings. When you use the configuration tool, the keys are updated for you automatically. For more information, see Configure the Report Server Service Account (SSRS Configuration Manager).
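
The key hierarchy and the service account note above, modelled as an added PowerShell example; it is not Microsoft's code and does not read or change any Reporting Services key material. The node names, the Test-Unwrap helper, and the choice of AES-256 and RSA-2048 with OAEP are assumptions made for illustration, since this topic does not name the algorithms.

```powershell
# Illustrative model only: all keys are generated in memory with .NET classes.

# One symmetric key per report server database.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
[byte[]]$dbKey = $aes.Key

# Each scale-out node's service account has its own asymmetric key pair (hypothetical node names).
$nodes = [ordered]@{
    'NODE-A' = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
    'NODE-B' = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
}

# Each node keeps its own copy of the shared symmetric key, wrapped with its public key.
$wrapped = @{}
foreach ($name in $nodes.Keys) {
    $wrapped[$name] = $nodes[$name].Encrypt($dbKey, $true)   # $true = OAEP padding
}

function Test-Unwrap {
    # Hypothetical helper: can this key pair recover the expected symmetric key from a wrapped copy?
    param(
        [System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair,
        [byte[]]$WrappedKey,
        [byte[]]$Expected
    )
    try {
        [byte[]]$plain = $KeyPair.Decrypt($WrappedKey, $true)
        return [Convert]::ToBase64String($plain) -eq [Convert]::ToBase64String($Expected)
    } catch {
        return $false   # the private key does not match the public key that wrapped this copy
    }
}

# Every node recovers the same symmetric key from its own wrapped copy.
foreach ($name in $nodes.Keys) {
    '{0}: unwrap ok = {1}' -f $name, (Test-Unwrap -KeyPair $nodes[$name] -WrappedKey $wrapped[$name] -Expected $dbKey)
}

# Service account changed without updating keys: NODE-A has a new key pair,
# but its stored copy is still wrapped with the old public key.
$newPair = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
'NODE-A, new account, old copy: unwrap ok = {0}' -f (Test-Unwrap -KeyPair $newPair -WrappedKey $wrapped['NODE-A'] -Expected $dbKey)

# The key update is modelled here as re-wrapping the same symmetric key for the new key pair.
$wrapped['NODE-A'] = $newPair.Encrypt($dbKey, $true)
'NODE-A, new account, re-wrapped copy: unwrap ok = {0}' -f (Test-Unwrap -KeyPair $newPair -WrappedKey $wrapped['NODE-A'] -Expected $dbKey)
```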

Other Sources of Confidential Data

A report server stores other data that is not encrypted, yet may contain sensitive information that you want to protect. Specifically, report history snapshots and report execution snapshots contain query results that may include data that is intended for authorized users. If you are using snapshot functionality for reports that contain confidential data, be aware that users who can open tables in a report server database may be able to view portions of a stored report by inspecting the contents of the table.

Note

Reporting Services does not support caching or report history for reports that use parameters based on the security identity of the user.

See Also

Configure and Manage Encryption Keys (SSRS Configuration Manager)