Microsoft Dynamics CRM 2013 uses standard SQL Server cell-level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords for Server-Side Sync and authentication tokens for Yammer integration. This feature can help organizations meet FIPS 140-2 compliance by ensuring that the data is encrypted "at rest", so that local database administrators cannot read the data directly from the database tables. For Microsoft Dynamics CRM Online, all new and upgraded organizations use data encryption. For on-premises versions of Microsoft Dynamics CRM 2013, users who have the System Administrator security role (and are members of the PrivUserGroup) can activate data encryption, or change the encryption key after data encryption is enabled, in the Settings > Data Management > Data Encryption area. After you activate data encryption, you cannot turn it off. NB: For on-premises versions of Microsoft Dynamics CRM:
Copy your organization's data encryption key. It is strongly recommended that you make a copy of your data encryption key. This is particularly important for on-premises deployments that may need to reactivate data encryption after a redeployment or failure recovery.
However, if the Microsoft Dynamics CRM website is not configured for HTTPS/SSL, the Data Encryption dialog box will not be displayed. Instead, you'll get the error noted at the right. For a more secure deployment, we recommend that you configure the website for HTTPS/SSL. As a workaround, it is possible to reach the CRM 2013 Data Encryption settings even if the website is not configured for HTTPS/SSL. To do so, use a tool that can modify CRM database tables, such as Microsoft SQL Server Management Studio, open the configuration database (MSCRM_CONFIG) and, in the DeploymentProperties table, set DisableSSLCheckForEncryption to 1. Keep in mind that this only removes the HTTPS check: the dialog, and the encryption key it displays, will then travel over plain HTTP, so do this from a trusted network and set the property back to its original value when you are done. Use the following SELECT and UPDATE statements (run the SELECT first so you know the value to restore later):
SELECT [ColumnName],[BitColumn]
FROM [MSCRM_CONFIG].[dbo].[DeploymentProperties]
WHERE ColumnName='DisableSSLCheckForEncryption'

UPDATE [MSCRM_CONFIG].[dbo].[DeploymentProperties]
SET [BitColumn]=1
WHERE ColumnName='DisableSSLCheckForEncryption'
After running iisreset on the CRM server, you'll be able to see the encryption screen. Paste the encryption key into a text editor, such as Notepad. As a best practice, save the text file that contains the encryption key in a secure location on an encrypted hard drive. Also note that if you keep the default encryption key, with all its special non-ASCII characters, you'll need to save the file with Unicode encoding (see the screenshot below); saving it as ANSI drops those characters, and the saved key will no longer match the one CRM expects. Also note that there is one data encryption key per organization.
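Putting the workaround together as one script, here is a PowerShell version (an added example, not code from the original post or from Microsoft). It runs on the CRM front-end server, reads the current value of DisableSSLCheckForEncryption, flips it to 1 (or back to 0 with -Revert), restarts IIS, and then saves the key you copy from the Data Encryption dialog as a Unicode text file and verifies it reads back unchanged. The SQL instance name, the output path and the use of the SqlServer/SQLPS module's Invoke-Sqlcmd and of Get-Clipboard (PowerShell 5.0 or later) are assumptions.

```powershell
# Added example (not from the original post): automate the DisableSSLCheckForEncryption
# workaround and the "save the key as Unicode" step for CRM 2013 on-premises.
# Run on the CRM server as a user with rights to update MSCRM_CONFIG.
param(
    [string] $SqlInstance = 'CRMSQL01',   # assumed: SQL Server hosting MSCRM_CONFIG
    [switch] $Revert,                     # turn the HTTPS check back on when finished
    [string] $KeyOutPath = 'E:\CrmKeys\AdvWrks-DataEncryptionKey.txt'  # assumed: encrypted volume
)

$db   = 'MSCRM_CONFIG'
$prop = 'DisableSSLCheckForEncryption'

# Same SELECT as in the post; returns the current bit value (0 or 1).
function Get-SslCheckFlag {
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
SELECT [ColumnName], [BitColumn]
FROM [dbo].[DeploymentProperties]
WHERE ColumnName = '$prop'
"@
    if (-not $row) { throw "Property $prop not found in $db.dbo.DeploymentProperties" }
    return [int]$row.BitColumn
}

# Same UPDATE as in the post, parameterised on the target value so it can also revert.
function Set-SslCheckFlag([int] $Value) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
UPDATE [dbo].[DeploymentProperties]
SET [BitColumn] = $Value
WHERE ColumnName = '$prop'
"@
}

$before = Get-SslCheckFlag
Write-Host "$prop is currently $before"

$target = if ($Revert) { 0 } else { 1 }
if ($before -ne $target) {
    Set-SslCheckFlag $target
    $after = Get-SslCheckFlag
    if ($after -ne $target) { throw "Update did not take effect (value is $after)" }
    # CRM reads DeploymentProperties at startup, so the change only shows after a reset.
    & iisreset /noforce | Out-Null
    Write-Host "$prop set to $after and IIS restarted"
}

if (-not $Revert) {
    # Copy the key from Settings > Data Management > Data Encryption to the clipboard,
    # then continue. Reading the clipboard avoids the console code page mangling the
    # non-ASCII characters of the default key, and keeps it out of shell history.
    Read-Host -Prompt 'Copy the data encryption key to the clipboard, then press Enter' | Out-Null
    $key = Get-Clipboard -Raw
    if ([string]::IsNullOrWhiteSpace($key)) { throw 'Clipboard is empty' }

    # Unicode (UTF-16 LE) encoding preserves the special characters; ANSI would drop them.
    $dir = Split-Path -Parent $KeyOutPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-Content -Path $KeyOutPath -Value $key -Encoding Unicode -NoNewline

    # Read it back and compare case-sensitively so a lossy save is caught now,
    # not during a disaster-recovery redeploy.
    $roundTrip = Get-Content -Path $KeyOutPath -Encoding Unicode -Raw
    if ($roundTrip -cne $key) { throw 'Saved key does not match the clipboard contents' }
    Write-Host "Key saved to $KeyOutPath (Unicode) and verified"
    Write-Host "Remember to run this script again with -Revert once you have the key."
}
```

Run it once without switches to expose the dialog and capture the key, and once with -Revert afterwards so the HTTPS check is restored; the round-trip comparison is the check that the "save as Unicode" step actually worked before you rely on that file for a restore.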
Testing our system, I backed up our test Adventure Works CRM organization database and restored it as AdvWrks2. I imported (re-deployed) the AdvWrks2 database to create a new CRM org. I browsed to Settings => Admin => Users and selected my user. I changed the Primary E-mail address and hit Save. Here's where I got a "Data Encryption error — There are encrypted fields in the organization database, but the data encryption feature isn't activated." What this means is that the org that I originally backed up had encryption enabled, and we copied and re-deployed that org to the new org, which is now requiring that data encryption be activated with the Encryption Key from the original org. I went ahead and activated using the Encryption Key that I had previously saved, and got the good news that the Encryption Key was activated successfully.
So we've seen CRM 2013 Data Encryption activated automatically, simply by installing CRM, as noted in the highlighted paragraph at the top of this post. We also know that Data Encryption is enabled on all CRM Online deployments.
We've further seen that when an encrypted CRM database is restored and redeployed, it requires that data encryption be activated with the appropriate encryption key. If you think you may ever need to restore your CRM organization database for disaster recovery, or redeploy your CRM system for testing or operational reasons, you must save off the encryption key of your existing CRM system. Store that key separately from the database backups themselves: a backup without its key cannot be brought fully back into service, and a backup together with its key gives whoever holds both access to the encrypted fields.