Field-level data encryption

 

Updated: November 29, 2016

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Microsoft Dynamics 365 uses standard Microsoft SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help organizations meet the compliance requirements associated with FIPS 140-2. Field-level data encryption is especially important in scenarios that leverage the Microsoft Dynamics CRM Email Router, which must store user names and passwords to enable integration between a Dynamics 365 instance and an email service such as Microsoft Exchange.

 Microsoft Dynamics 365 users who have the system administrator security role can activate data encryption (or change the encryption key after data encryption is enabled) in the Settings > Data Management > Data Encryption area. After data encryption is activated, it cannot be turned off.

System_CAPS_importantImportant

For both Microsoft Dynamics 365 (online & on-premises), all new and upgraded organizations have data encryption activated.

When considering the use of data encryption, be sure to keep in mind the following key points:

  • To help ensure the highest level of security, we recommend that you change the encryption key immediately after creating or updating an organization, and thereafter about once a year.

  • Changing the encryption key requires that TLS/SSL be configured on the Microsoft Dynamics 365 website.

  • Auditing cannot be enabled on encrypted fields.

  • Encrypted fields cannot be customized.

  • Encrypted fields cannot be indexed.

  • Encrypted fields can be set and updated by using standard Create, Update, and Delete methods.

  • When doing a retrieve of an encrypted field’s value, a null is returned.

The encryption key is required to activate data encryption when you import an organization database into a new deployment or into a deployment that has had the configuration database (MSCRM_CONFIG) recreated after the organization was encrypted. You can copy the original encryption key to Notepad and then paste it into the Settings > Data Management > Data Encryption dialog box after the organization import is completed. When activating data encryption after redeployment, we recommend that you use Internet Explorer to paste the encryption key into the Data Encryption dialog box.

The entity attributes that are configured for field-level data encryption are listed in the following table.

Entity

Attribute

EmailServerProfile

IncomingPassword

EmailServerProfile

OutgoingPassword

Mailbox

Password

Queue

EmailPassword

UserSettings

EmailPassword

The messages that can be used for field-level data encryption are listed in the following table.

Request class name

More information

IsDataEncryptionActiveRequest

Checks if data encryption is currently running (active or inactive).

RetrieveDataEncryptionKeyRequest

Retrieves the data encryption key value.

SetDataEncryptionKeyRequest

Sets or restores the data encryption key. To prevent accidentally running multiple change requests in parallel, this SDK message will be throttled so that only one request can run at a time.

System_CAPS_noteNote

You must use TLS/SSL when you use these messages. When you execute these messages, a check will ensure that the user’s client/server connectivity is using the HTTPS protocol. If not, an exception is returned if the requests are submitted without using HTTPS.

Microsoft Dynamics 365

© 2016 Microsoft. All rights reserved. Copyright

Show: