pennyhoho117
Helper IV

Questions about Power BI security whitepaper

I checked the Power BI Security Whitepaper (Power BI security white paper - Power BI | Microsoft Learn), and it mentions the following:

 

  • During gateway installation and configuration, the administrator types in a gateway Recovery Key. That Recovery Key is used to generate a strong AES symmetric key. An RSA asymmetric key is also created at the same time.

    Those generated keys (RSA and AES) are stored in a file located on the local machine. That file is also encrypted. The contents .......

I would like to ask: "The file is also encrypted"... what method and key are used in encrypting the file (which stores the RSA and AES keys)? Would the file be placed only on the machine where the gateway is installed?

 

1 ACCEPTED SOLUTION
v-csrikanth
Community Support

Hi @pennyhoho117 
Thanks for using the Microsoft Fabric Community.
For your clarification, please verify the points below and feel free to reach out to us if any assistance is required.

File Encryption on the Gateway Machine:

  • During gateway installation, a Recovery Key is provided to generate a strong AES symmetric key.
  • This AES key encrypts a local configuration file that stores RSA keys and other sensitive data.
  • AES-256 encryption is typically used for securing files, though exact details are not publicly disclosed by Microsoft.

AES Key Generation from the Recovery Key:

  • The Recovery Key serves as input for the Key Derivation Function (KDF), which generates the AES key.
  • This AES key remains local to the gateway machine and is never transmitted to the Power BI service.

Encryption Workflow:

  • Step 1: The browser encrypts the entered credentials using the RSA public key.
  • Step 2: The gateway receives the encrypted credentials and decrypts them using the RSA private key (stored locally).
  • Step 3: The credentials are then re-encrypted with the AES symmetric key before being sent to Power BI Service.

Why Use Both RSA and AES:

  • RSA encryption is ideal for securing small, sensitive data like credentials but is computationally intensive.
  • AES encryption is faster and better suited for larger datasets, which is why Power BI Service stores credentials using AES encryption.

Key Transmission & Storage:

  • The AES key never leaves the gateway machine, ensuring the Power BI Service has no access to plaintext credentials.
  • Credentials are stored in AES-encrypted form in the Power BI Service, enhancing security.

If you found the above information helpful, we kindly request you to give us a Kudos and mark the response using Accept as Solution.

Thank you,
Cheri Srikanth

 


pennyhoho117
Helper IV

And it also mentioned: "The gateway decrypts the credentials using the RSA private key and re-encrypts them with an AES symmetric key before the data is stored in the Power BI service."

So the final source credentials stored in the Power BI service are encrypted with the AES key; only the encryption in the browser would use the public RSA key, and after decryption locally, only the AES key would be used to encrypt, not the public RSA key? And the AES key wouldn't be sent to the Power BI service, right?

pennyhoho117
Helper IV

It also mentioned: "That Recovery Key is used to generate a strong AES symmetric key."

I would like to know how the Recovery Key is used to generate the AES key. What is the use of the recovery key in AES key generation?
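
The three-step flow in the accepted solution and the recovery-key derivation asked about in the last post, as an added example that is not part of any post in this thread and is not Microsoft's code. The page does not give the gateway's actual KDF, parameters, or cipher mode, so scrypt, RSA-OAEP, AES-256-GCM, the salt handling, the function names, and all sample strings are assumptions.

```javascript
// Added illustration, not Microsoft's implementation. scrypt, RSA-OAEP,
// AES-256-GCM, the salt handling and all sample values are assumptions.
const crypto = require("node:crypto");

// Gateway install: derive a 256-bit AES key from the typed recovery key.
function deriveAesKey(recoveryKey, salt) {
  return crypto.scryptSync(recoveryKey, salt, 32);
}

// Step 1 (browser): encrypt credentials with the gateway's RSA public key.
function browserEncrypt(publicKey, credentials) {
  return crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    Buffer.from(credentials, "utf8"));
}

// Steps 2-3 (gateway): RSA-decrypt, then re-encrypt under the AES key.
// Only the returned blob would go to the service; aesKey stays local.
function gatewayReencrypt(privateKey, aesKey, rsaCiphertext) {
  const plain = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    rsaCiphertext);
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Gateway, at query time: decrypt the stored blob; throws on a wrong key or tampered blob.
function gatewayDecrypt(aesKey, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", aesKey, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString("utf8");
}

// Constructed end-to-end run with made-up recovery key and credentials.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const aesKey = deriveAesKey("constructed-recovery-key", salt);
  const stored = gatewayReencrypt(privateKey, aesKey,
    browserEncrypt(publicKey, "svc_user:constructed-password"));
  const restored = deriveAesKey("constructed-recovery-key", salt); // same key on recovery
  let wrongKeyFails = false;
  try { gatewayDecrypt(deriveAesKey("wrong-key", salt), stored); } catch { wrongKeyFails = true; }
  return { roundTrip: gatewayDecrypt(restored, stored), wrongKeyFails,
           leaks: stored.ct.includes("constructed-password") };
}
```

Because the derivation is deterministic, re-entering the same recovery key (with the same salt) reproduces the AES key, which is what lets a restored gateway read credentials it stored earlier.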
