Data encryption in Dynamics CRM 2013

Microsoft Dynamics CRM 2013 uses standard SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help organizations meet FIPS 140-2 compliance.

For Microsoft Dynamics CRM Online, all new and upgraded organizations use data encryption.

For on-premises versions of Microsoft Dynamics CRM 2013, data encryption is not active by default for new or upgraded organizations. However, data encryption may be activated at any time.

Microsoft Dynamics CRM users who have the system administrator security role can activate data encryption or change the encryption key after data encryption is enabled in the Settings -> Data Management -> Data Encryption area. After you activate data encryption, you cannot turn it off.



Important: For on-premises versions of Microsoft Dynamics CRM:

  • Changing the encryption key requires SSL configured on the Microsoft Dynamics CRM website.
  • It is a best practice is to change the encryption key once every year.
  • The encryption key is required to activate data encryption when you import an organization database into a new deployment or a deployment that has had the configuration database (MSCRM_CONFIG) re-created after the organization was encrypted. You can copy the original encryption key to Notepad and paste it into the Settings -> Data Management -> Data Encryption dialog box after the organization import is completed.
  • When you re-enter the data encryption key, we recommend that you run the Microsoft Dynamics CRM web application using Internet Explorer to paste the encryption key into the Data Encryption dialog box.

Copy your organization data encryption key:

We strongly recommend that you make a copy of your data encryption key. This is particularly important for on-premises deployments that may need to reactivate data encryption after a redeployment or failure recovery.

Copy an organization data encryption key:

  1. Sign in to Microsoft Dynamics CRM as a user with the system administrator security role.
  2. Go to Settings -> Data Management -> Data Encryption.
  3. In the Data Encryption dialog box, select Show Encryption Key, in the Current encryption key box select the encryption key, and copy it to the clipboard.

Note: If the Microsoft Dynamics CRM website is not configured for HTTPS/SSL, the Data Encryption dialog box will not be displayed. For a more secure deployment, we recommend that you configure the website for HTTPS/SSL. However, if the website is not configured for HTTP/SSL, use a tool that can be used to modify CRM database tables, such as Microsoft SQL Server Management Studio or the Deployment Web Service, open the configuration database (MSCRM_CONFIG), and in the DeploymentProperties table, set DisableSSLCheckForEncryption to 1.

  1. Paste the encryption key in to a text editor, such as Notepad.
  2. As a best practice, save the text file that contains the encryption key on a computer in a secure location on an encrypted hard drive.

3 thoughts on “Data encryption in Dynamics CRM 2013

  1. hi,my data Encryption status is inactive and current encryption key is null. i want to know what is the active encryption key ?
    Can i key anything ?

    please help me. U can contact me at

  2. Just wanted to leave this here in case anyone else runs into it.

    If you have a backup of your MSCRM_CONFIG database, you can retrieve the Encryption Key. Just run the following query:

    SELECT ColumnName, VarBinaryColumn FROM OrganizationProperties
    WHERE Id IN (SELECT Id FROM Organization WHERE UniqueName = ”)
    AND (ColumnName = ‘SymmetricKeyPassword’ OR ColumnName = ‘SymmetricKeySource’)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s