
SCOM 2007: How to backup your encryption key

This blog post is part of a series on how to back up your SCOM environment.

You can find the other parts here:


 

One of the key factors in a successful restore of your environment is the SCOM encryption key.

Purpose of the key

This encryption key is used to store the data in the Operations Manager database. It ensures that the data in the database remains confidential and encrypted. The RMS uses this key to read and write data to the Operations Manager database.

Implications if you don’t have the key at hand when restoring a Management group

Pretty severe, actually. If you don’t have the key, you can’t establish a connection from your fresh RMS to your existing Operations Manager database, so you lose all your settings and customizations and have to start all over again.

Please note that it’s a best practice to take this backup once after installation of the environment and after ANY changes to the RunAs accounts in the environment.

So how do you back this key up in case Murphy pays you a visit?

There are actually 2 ways: GUI or command line.

GUI

Log on to your RMS with an account with admin privileges.

Open an elevated command prompt and navigate to your Operations Manager install folder. In this case I kept it at the default, so c:\program files\system center operations manager 2007\

Run securestoragebackup.exe

Note: Securestoragebackup.exe is only installed if you have installed a console on your RMS. If not, you need to copy the securestoragebackup.exe file from the SupportTools folder on the installation media.

The Encryption Key Backup or Restore Wizard pops up.

Click Continue and select Backup the Encryption key.

A dialog box will appear to save your bin file. Best practice is to not save the file on the RMS. This makes perfect sense, because you’ll need the file when there’s an issue with your RMS, so there’s a big chance you cannot reach the file.

I always save it on my file server and keep an extra copy somewhere else just to be safe. As soon as you have exported the key, you can make a copy of the bin file and store it twice in different locations.

So the location is set, let’s continue.

Fill in a password to secure the backup bin file. Make sure you still remember the password X amount of time from now, when you’ll need it to restore the key.

It will take no more than a few seconds to back up the key, and if all goes well a nice completion message appears.

 

Via Command line:

Log on to your RMS with an account with admin privileges.

Open an elevated command prompt and navigate to your Operations Manager install folder. In this case I kept it at the default, so c:\program files\system center operations manager 2007\

Run securestoragebackup.exe /? to get the syntax of the command.

The command used: securestoragebackup backup <filename>

You need to supply the password twice: once, and then a second time to confirm.

And the key was successfully backed up.

The downside is that you cannot automate this process without further scripting, because you need to enter a password. It would be nice if the exe had an option to give your password as a parameter, but maybe in another release.
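The storage advice above (keep the bin file off the RMS, in two different locations) can be checked by script after either export method. The following PowerShell is an added example, not part of the original post; it assumes the key has already been exported with securestoragebackup.exe, and the file path and share names are placeholders.

```powershell
# Added example: copy an exported SCOM key backup to two off-RMS shares and
# verify each copy by SHA-256. All paths are placeholders (assumptions).
param(
    [string]$BackupFile = 'C:\Temp\scom-key.bin',
    [string[]]$Destinations = @('\\fileserver01\scom-backup', '\\fileserver02\scom-backup')
)

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also runs on older PowerShell versions
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

function Test-IsOffRms([string]$Path) {
    # Accept only UNC paths whose host is not the machine running this script (the RMS)
    if ($Path -notmatch '^\\\\([^\\]+)\\') { return $false }
    $hostName = $Matches[1]
    if (@('localhost', '127.0.0.1') -contains $hostName) { return $false }
    return ($hostName.Split('.')[0] -ne $env:COMPUTERNAME)
}

if (-not (Test-Path -LiteralPath $BackupFile -PathType Leaf)) {
    throw "Backup file not found: $BackupFile"
}

$sourceHash = Get-Sha256Hex $BackupFile
$verified = 0
foreach ($dest in $Destinations) {
    if (-not (Test-IsOffRms $dest)) {
        Write-Warning "Skipping '$dest' (not a share on another server)"
        continue
    }
    $target = Join-Path $dest (Split-Path $BackupFile -Leaf)
    Copy-Item -LiteralPath $BackupFile -Destination $target -Force
    if ((Get-Sha256Hex $target) -eq $sourceHash) { $verified++; Write-Output "Verified $target" }
    else { Write-Warning "Hash mismatch on $target" }
}

if ($verified -lt 2) { throw "Only $verified verified off-RMS copies; two are required." }
# Two good copies exist elsewhere, so the export no longer needs to sit on the RMS
Remove-Item -LiteralPath $BackupFile
```

Run it after every export, that is, after installation and after any RunAs account change.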
