
Back up the System Center Operations Manager 2007 R2 RMS encryption key

For System Center Operations Manager 2007 R2 environments, protecting the encryption key is a critical task. Rick Vanover shows how to perform this step.

For Microsoft System Center Operations Manager (SCOM) 2007 R2 environments, the root management server (RMS) encryption key is a critical piece of the configuration. It matters because all of the RunAs configuration for the RMS is tied to this key, so don't just copy the exported file to a USB flash drive and leave it on your desk. The installation wizard offers to back up the encryption key, but if that step was skipped during installation, the key still needs to be backed up afterwards. The ability to back up the RMS key has been available since SCOM 2007 Service Pack 1.

To back up this file, use the Encryption Key Backup Or Restore wizard. Even though you may not use this tool often, it is a good idea to create a shortcut to it. If you do create a shortcut, make sure it launches with "Run as Administrator" when Windows User Account Control (UAC) is enabled. If the tool will be launched from the command line, the command prompt must also be started as an administrator; otherwise, the wizard's registry access will fail.

For a default installation of SCOM 2007 R2, the tool that manages the encryption key is located at C:\Program Files\System Center Operations Manager 2007\SecureStorageBackup.exe. Launching the wizard is straightforward; it appears as shown in Figure A.

Figure A

The wizard will recommend that the backup be placed on a remote drive, not on the local file system. This is good advice, so make sure this encryption key is treated like any other critical key in your environment. This can mean it is put in escrow or checked into a revision-controlled tool, such as SharePoint.

To back up the file, choose a file name with the .BIN extension. I recommend making the file name self-documenting, because the file contains encrypted material and it will not be easy to tell what it is later. In my lab configuration, I named the exported file FA2.RWVDEV.INTRA-EncryptionKey.bin, which includes the fully qualified domain name of the RMS server and describes what the file is, and I placed it on a remote drive. Figure B shows this step of the wizard.

Figure B

The last step is to provide a password that authorizes both the backup and any later restore. This password is independent of the RunAs configuration and of the Windows permissions already in place. The file is now backed up outside of the SCOM RMS environment.
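The steps above are performed in the wizard's GUI. The following PowerShell script is an added example (not part of the article and not a Microsoft tool) that wraps the same procedure so the practices the article recommends are enforced rather than remembered: it refuses to run without elevation, insists on a remote UNC destination, derives a self-documenting file name from the RMS FQDN in the same pattern as the author's FA2.RWVDEV.INTRA-EncryptionKey.bin, launches the wizard, and afterwards verifies that the export exists and records its SHA-256 in an inventory file. It assumes the default tool path given in the article, that SecureStorageBackup.exe is launched with no command-line arguments (the operator still completes the wizard and types the password interactively), and that \\fileserver\scom-keys is a hypothetical share you replace with your own.

```powershell
# Added example: drive the SCOM 2007 R2 encryption key backup with the
# article's recommended safeguards. \\fileserver\scom-keys is hypothetical.
$ToolPath = 'C:\Program Files\System Center Operations Manager 2007\SecureStorageBackup.exe'
$KeyShare = '\\fileserver\scom-keys'   # hypothetical remote location; change to your escrow share

# 1. Refuse to run without elevation: the wizard's registry access fails otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as Administrator) prompt.'
}

# 2. Insist on a remote destination, as the wizard itself recommends.
if ($KeyShare -notmatch '^\\\\[^\\]+\\[^\\]+') {
    throw "Destination '$KeyShare' is not a UNC path; keep the key off the local disk."
}
if (-not (Test-Path -LiteralPath $KeyShare)) {
    throw "Destination '$KeyShare' is not reachable."
}

# 3. Build a self-documenting file name: <RMS FQDN>-EncryptionKey.bin
$fqdn       = [System.Net.Dns]::GetHostEntry([Environment]::MachineName).HostName.ToUpper()
$backupFile = Join-Path $KeyShare ("{0}-EncryptionKey.bin" -f $fqdn)
Write-Host "When the wizard asks for a file name, use: $backupFile"

# 4. Launch the wizard (assumed to take no arguments) and wait for the operator to finish it.
if (-not (Test-Path -LiteralPath $ToolPath)) { throw "Backup tool not found at $ToolPath" }
$proc = Start-Process -FilePath $ToolPath -Verb RunAs -PassThru
$proc.WaitForExit()

# 5. Verify the export landed where expected and record a fingerprint so the
#    escrowed copy can be checked against the working copy before a restore.
if (-not (Test-Path -LiteralPath $backupFile)) {
    throw "No backup file found at $backupFile; the wizard was cancelled or a different name was used."
}
$bytes  = [System.IO.File]::ReadAllBytes($backupFile)
$sha    = [System.Security.Cryptography.SHA256]::Create()
$hash   = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
$record = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $fqdn, $backupFile, $hash
Add-Content -LiteralPath (Join-Path $KeyShare 'EncryptionKey-inventory.txt') -Value $record
Write-Host "Backup verified. SHA-256: $hash"
```

The .NET SHA256 class is used instead of Get-FileHash because the latter did not exist in the PowerShell versions shipped with Windows Server 2008-era RMS hosts. The inventory line (timestamp, FQDN, path, hash) is what you compare against when the key is pulled back out of escrow.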

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

3 comments
OH Smeg

If you do not back up the Encryption Key, when you try to recover from the Backup onto different Hardware or a reloaded OS you will be unable to access your Data. It will effectively be lost unless you are willing to spend lots of money to recover it by paying a Specialist Data Recovery Company to break the Encryption. Col

priyo123

I don't know how this backup will benefit us from working. Will anyone benefit from stealing this key?

b4real

But I don't know the answer to it. I would protect it as if there would be risk if someone stole it.
