You will have to agree that managing so many encryption keys for SQL Server could be a tedious job. With Azure Storage Value, storing and distributing keys is even more accessible, and one of the use-cases that I will discuss is exporting SSRS key to Azure Key Vault.
The Azure Key Vault provides you a complete end-to-end solution to encrypt and store keys and small client-secrets like passwords that use keys stored in HSM’s (hardware security modules).
Since this is provided as a service by Microsoft on Azure, you do not need to install or provision it. However, let us get back to the topic of discussion.
For SSRS, it does not matter if you have a single server or a scale-out deployment. You only need to back up one copy of the symmetric key. There is a one-to-one correspondence between a report server database and a symmetric key. Although you need to back up one copy, you might need to restore the encryption-key multiple times if you are running numerous report servers in a scale-out deployment model. Each report server instance will need its copy of the symmetric key to lock and unlock data in the report server database.
Once the Storage Key is exported using either ‘rskeymgmt’ utility or SSRS config manager, you can manually import the key and store it in the Key Vault. See the screenshot below:
You will need to export the encryption key locally first by using commands such as below:
rskeymgmt.exe -e -f c:toolsSSRS2017_key -p BackupKeyLocal -i SQL2017
It is always a great idea to backup your encryption keys from time to time, even if you are using a secure source systems externally. Questions or suggestions are welcome in the comment section below.
Comments are closed.