---
title: "Store Encrypted Report Server Data (Configuration Manager) | Microsoft Docs"
ms.date: 10/24/2019
ms.prod: reporting-services
ms.prod_service: "reporting-services-native"

ms.topic: conceptual
helpviewer_keywords: 
  - "report servers [Reporting Services], encryption"
  - "credentials [Reporting Services]"
  - "cryptography [Reporting Services]"
  - "confidential reports [Reporting Services]"
  - "encryption [Reporting Services]"
  - "databases [Reporting Services], encryption"
ms.assetid: ac0f4d4d-fc4b-4c62-a693-b86e712e75f2
author: maggiesMSFT
ms.author: maggies
---
# SSRS Encryption Keys - Store Encrypted Report Server Data
  [!INCLUDE[ssRSnoversion](../../includes/ssrsnoversion-md.md)] stores encrypted values in the report server database and in configuration files. Most encrypted values are credentials that are used for accessing external data sources that provide data to reports. This topic describes which values are encrypted, the encryption functionality used in [!INCLUDE[ssRSnoversion](../../includes/ssrsnoversion-md.md)], and other kinds of stored confidential data that you should know about.  
  
## Encrypted Values  
 The following list describes the values that are stored in a [!INCLUDE[ssRSnoversion](../../includes/ssrsnoversion-md.md)] installation.  
  
-   Connection information and credentials used by a report server to connect to a report server database that stores internal server data.  
  
     These values are specified and encrypted during setup or report server configuration. You can update the connection information at any time using the Reporting Services Configuration tool or the **rsconfig** utility. Encryption of configuration settings is performed by using the machine-level key of the local computer that is available to all users. Encrypted report server connection information is stored in the rsreportserver.config file (no other configuration file contains encrypted settings). For more information, see [Configure a Report Server Database Connection  &#40;SSRS Configuration Manager&#41;](../../reporting-services/install-windows/configure-a-report-server-database-connection-ssrs-configuration-manager.md).  
  
-   Stored credentials that are used by a report server to connect to external data sources that provide data to a report.  
  
     These values are defined when you configure data source information for a report, and then stored as encrypted values in a report server database. The report server uses a symmetric key to encrypt and decrypt this data. For more information about stored credentials, see [Specify Credential and Connection Information for Report Data Sources](../../reporting-services/report-data/specify-credential-and-connection-information-for-report-data-sources.md).  
  
-   An unattended user account used by the report server to connect to other computers to retrieve external images files or external data that is used in a report.  
  
     This account is used when a connection to a remote computer is required and no other credentials are available to make the connection. This account is primarily used to support unattended report processing for reports that do not use credentials to access a data source. If you create reports based on data sources that do not require or use credentials when accessing data, you must configure this account for the report server to use.  
  
     This account is required under certain circumstances and can only be created through the Reporting Services Configuration tool or **rsconfig**. This value is also stored in the rsreportserver.config file. You must create this account manually. For more information about this account and how it is used, see [Configure the Unattended Execution Account &#40;SSRS Configuration Manager&#41;](../../reporting-services/install-windows/configure-the-unattended-execution-account-ssrs-configuration-manager.md).  
  
-   The symmetric key used for encryption.  
  
     This value is created during setup or server configuration, and then stored as an encrypted value in the report server database. The Report Server Windows service uses this key to encrypt and decrypt data that is stored in the report server database.  
  
## Encryption Functionality in Reporting Services  
 [!INCLUDE[ssRSnoversion](../../includes/ssrsnoversion-md.md)] uses cryptographic functions that are part of the Windows operating system. Both symmetric and asymmetric encryption are used.  
  
 Data in the report server database is encrypted using a symmetric key. There is a single symmetric key for each report server database. This symmetric key is itself encrypted using the public key of an asymmetric key pair generated by Windows. The private key is held by the Report Server Windows service account.  
  
 In a report server scale-out deployment where multiple report server instances share the same report server database, a single symmetric key is used by all report server nodes. Each node must have a copy of the shared symmetric key. A copy of the symmetric key is created for each node automatically when the scale-out deployment is configured. Each node encrypts its copy of the symmetric key using the public key of a key pair specific to its Windows service account. To learn more about how the symmetric key is created for both single instance and scale-out deployments, see [Initialize a Report Server &#40;SSRS Configuration Manager&#41;](../../reporting-services/install-windows/ssrs-encryption-keys-initialize-a-report-server.md).  
 
 Also, starting in 2019, the report server database can be configured with Transparent Data Encryption in SQL Server to provide additional protection for your data at rest.
  
> [!NOTE]  
>  When you change the Report Server Windows service account, the asymmetric keys can become invalid, which will disrupt server operations. To avoid this problem, always use the Reporting Services Configuration tool to modify service account settings. When you use the configuration tool, the keys are updated for you automatically. For more information, see [Configure the Report Server Service Account &#40;SSRS Configuration Manager&#41;](../../reporting-services/install-windows/configure-the-report-server-service-account-ssrs-configuration-manager.md).  
  
## Other Sources of Confidential Data  
 A report server stores other data that is not encrypted, yet may contain sensitive information that you want to protect. Specifically, report history snapshots and report execution snapshots contain query results that may include data that is intended for authorized users. If you are using snapshot functionality for reports that contain confidential data, be aware that users who can open tables in a report server database may be able to view portions of a stored report by inspecting the contents of the table.  
  
> [!NOTE]  
>  [!INCLUDE[ssRSnoversion](../../includes/ssrsnoversion-md.md)] does not support caching or report history for reports that use parameters based on the security identify of the user.  
  
## See Also  
 [Configure and Manage Encryption Keys &#40;SSRS Configuration Manager&#41;](../../reporting-services/install-windows/ssrs-encryption-keys-manage-encryption-keys.md)