Where is my ecryption key gone?

As I stressed out in one of my previous posts and my book, it is an absolute must that you back up the RS encryption key as one of the first steps after you install RS and lock it up in a safe place. You can back up the encryption key this by using the rskeymgmt utility as follows:


rskeymgmt -e -f <filename> -p <password>


Trust me on this–sooner or later you will need that key. One situation when you will definately need it is after resetting the ASP.NET account either by explicitly invoking aspnet_regiis.exe or when installing a new version of the .NET framework. For example, recently I installed .NET Framework Beta 2 which effectively reset the ASP.NET account. This caused RS to invalidate the encryption key. As a result, when navigating to the Report Manager, I got the dreaded error:


“The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service.”


Panic will not help resolve this issue, but a copy of the encryption key will definetely help. Here are the steps to reset the encryption key if the ASP.NET account is reset:



  1. Recall where you saved the RS key. If you haven’t saved it or you can’t recall, try to extract the key by issuing
    rskeymgmt -e -f <filename> -p <password>

  2. Open the RSReportServer.config file and copy the installation ID GUID from the InstallationID node. The InstallationID node looks like this:
    <InstallationID>{7d8664d4-3bae-496b-b607-fbb5d0879c7c}</InstallationID>

  3. Delete the references to the old RS encyption key:
    rskeymgmt -r <installation id>

  4. Restart IIS and the Report Server windows service.

  5. Reapply the encryption key:
    rskeymgmt -a -f <filename from step 1> -p <password>

This should fix the error and you should be able to navigate to the Report Manager without any issues.


If you don’t have a backup copy of the key and you cannot extract it with rskeymgmt -e, than the only option is to delete the ecrypted content by issuing rskeymgmt -d


The net effect of this is that you will need to reenter the credentials of all data sources that use standard security because the credentials are stored in encrypted format.