Why does Reporting Services fail to import an existing encryption key during a service account change?

4

I've changed the service account for SQL Server 2005 Reporting Services a number of times now, but yesterday was the first time I'd run into the dreaded 'The report server cannot decrypt the symmetric key used to access...' error.

The environment is SQL Server 2005 Enterprise edition installed as a named instance on a box that also has SQL Server 2000 Standard edition as the default. Everything's 32-bit.

As BOL recommends I always use the Reporting Services Configuration Manager in order to make the change, and have never had to restore an encryption key.

However, this most recent time (it would have to be in production, wouldn't it?), the service account change failed to import the existing encryption key; from the ReportServerService log file:

ReportingServicesService!crypto!b!5/19/2009-17:20:37:: i INFO: Initializing crypto as user: \
ReportingServicesService!crypto!b!5/19/2009-17:20:37:: i INFO: Exporting public key
ReportingServicesService!crypto!b!5/19/2009-17:20:37:: i INFO: Performing sku validation
ReportingServicesService!crypto!b!5/19/2009-17:20:37:: i INFO: Importing existing encryption key
ReportingServicesService!library!b!5/19/2009-17:20:37:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Check the documentation for more information., ; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data. (Exception from HRESULT: 0x80090005)
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] symKeyBlob)
   at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
   --- End of inner exception stack trace ---

Now, I'm a good little DBA and I had a backup of the previous encryption key available, so I was able to recover from the issue quickly, but, what I want to know is, why did it happen? This article from MS suggests that it may happen, but I don't like the suggestion that it's a completely random occurrence. I had read, and now sadly cannot find the link, a suggestion that this occurs regularly when you change the service account for Reporting Services by other means than RS Configuration Manager, such as the SQL Server Configuration Manager or Windows Services.

So, I have 2 questions:

  1. Why would this happen if I was using the RS Configuration Manager, as recommended? (But it worked in test, he exclaims!)
  2. Should I be unsettled that my current encryption key is not based on the machine/current service account as it normally is, but rather on the previous service account?
sql-server-2005
reporting
asked on Server Fault May 20, 2009 by Tim Benninghoff • edited May 20, 2009 by splattne

1 Answer

1
  1. When you are using a different service account the key should fail

The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.

  2. I would just create a new key backup with your current configuration

answered on Server Fault May 20, 2009 by CPU_BUSY
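
An added example, not part of the original question or answer: a Python check that scans a ReportServerService trace log for the sequence quoted in the question, an "Importing existing encryption key" entry followed on the same thread by a ReportServerDisabledException, so a failed key import is caught right after a service account change. The sample log is constructed from the question's excerpt with shortened messages, and treating the third `!`-separated field as the thread id is an assumption.

```python
import re

# Constructed sample in the ReportServerService log layout quoted in the question
# (component!area!thread!timestamp:: level-letter LEVEL: message); messages shortened.
SAMPLE_LOG = """\
ReportingServicesService!crypto!b!5/19/2009-17:20:37:: i INFO: Exporting public key
ReportingServicesService!crypto!b!5/19/2009-17:20:37:: i INFO: Importing existing encryption key
ReportingServicesService!library!b!5/19/2009-17:20:37:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
   at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] symKeyBlob)
ReportingServicesService!crypto!c!5/20/2009-09:01:12:: i INFO: Importing existing encryption key
ReportingServicesService!library!c!5/20/2009-09:01:13:: i INFO: Initializing server
"""

ENTRY = re.compile(r"^(?P<component>[^!\s]+)!(?P<area>[^!]+)!(?P<thread>[^!]+)!"
                   r"(?P<ts>\d{1,2}/\d{1,2}/\d{4}-\d{2}:\d{2}:\d{2}):: "
                   r"\w (?P<level>[A-Z]+): (?P<msg>.*)$")
HRESULT = re.compile(r"\((0x[0-9A-Fa-f]{8})\)")

def parse_entries(text):
    """Yield one dict per log entry; stack-trace lines are folded into the entry above."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and line.strip():
            current["msg"] += "\n" + line.strip()
    if current:
        yield current

def failed_key_imports(text):
    """Return (timestamp, thread, hresult) for each key import followed by a decrypt failure."""
    pending = {}   # thread id (assumed) -> timestamp of its last key-import entry
    failures = []
    for e in parse_entries(text):
        if e["area"] == "crypto" and "Importing existing encryption key" in e["msg"]:
            pending[e["thread"]] = e["ts"]
        elif e["thread"] in pending:
            started = pending.pop(e["thread"])
            if e["level"] == "ERROR" and "ReportServerDisabledException" in e["msg"]:
                code = HRESULT.search(e["msg"])
                failures.append((started, e["thread"], code.group(1) if code else None))
    return failures

if __name__ == "__main__":
    for ts, thread, hresult in failed_key_imports(SAMPLE_LOG):
        print(f"{ts} thread {thread}: key import failed, HRESULT {hresult}")
```
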

User contributions licensed under CC BY-SA 3.0