Field-level data encryption
Dynamics 365 for Customer Engagement uses standard SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help organizations meet the compliance requirements associated with FIPS 140-2. Field-level data encryption is especially important in scenarios that leverage the Microsoft Dynamics CRM Email Router, which must store user names and passwords to enable integration between a Customer Engagement instance and an email service such as Microsoft Exchange.
Dynamics 365 Customer Engagement (on-premises) users who have the system administrator security role can activate data encryption (or change the encryption key after data encryption is enabled) in the Settings > Data Management > Data Encryption area. After data encryption is activated, it cannot be turned off.
Important
For both Dynamics 365 for Customer Engagement, all new and upgraded organizations have data encryption activated.
When considering the use of data encryption, be sure to keep in mind the following key points:
- To help ensure the highest level of security, we recommend that you change the encryption key immediately after creating or updating an organization, and thereafter about once a year.
- Changing the encryption key requires that TLS/SSL be configured on the Dynamics 365 Customer Engagement (on-premises) website.
- Auditing cannot be enabled on encrypted fields.
- Encrypted fields cannot be customized.
- Encrypted fields cannot be indexed.
- Encrypted fields can be set and updated by using standard Create, Update, and Delete methods.
- When doing a retrieve of an encrypted field’s value, a null is returned.
The encryption key is required to activate data encryption when you import an organization database into a new deployment or into a deployment that has had the configuration database (MSCRM_CONFIG) recreated after the organization was encrypted. You can copy the original encryption key to Notepad and then paste it into the Settings > Data Management > Data Encryption dialog box after the organization import is completed. When activating data encryption after redeployment, we recommend that you use Internet Explorer to paste the encryption key into the Data Encryption dialog box.
Encrypted attributes
The entity attributes that are configured for field-level data encryption are listed in the following table.
| Entity | Attribute |
|---|---|
| EmailServerProfile | IncomingPassword |
| EmailServerProfile | OutgoingPassword |
| Mailbox | Password |
| Queue | EmailPassword |
| UserSettings | EmailPassword |
Messages
The messages that can be used for field-level data encryption are listed in the following table.
| Request class name | More information |
|---|---|
| IsDataEncryptionActiveRequest | Checks if data encryption is currently running (active or inactive). |
| RetrieveDataEncryptionKeyRequest | Retrieves the data encryption key value. |
| SetDataEncryptionKeyRequest | Sets or restores the data encryption key. To prevent accidentally running multiple change requests in parallel, this SDK message will be throttled so that only one request can run at a time. |
Note
You must use TLS/SSL when you use these messages. When you execute these messages, a check will ensure that the user’s client/server connectivity is using the HTTPS protocol. If not, an exception is returned if the requests are submitted without using HTTPS.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for