CRM 2013 Data Encryption

And How to Work Around the SSL Requirement to Access Encryption Key 

The first time you’ll likely encounter CRM 2013 Data Encryption is during an on-premise installation, where you will be presented with the following message when creating a new organization:

Data encryption will be active after the install or upgrade. We strongly recommend that you copy the organization encryption key and store it in a safe place. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

Microsoft Dynamics CRM 2013 uses standard SQL Server cell-level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords for Server-Side Sync and authentication tokens for Yammer integration. This feature can help organizations meet FIPS 140-2 compliance by ensuring that the data is encrypted “at rest”, so that local database admins cannot read the data directly from the database tables. For Microsoft Dynamics CRM Online, all new and upgraded organizations use data encryption. For on-premise versions of Microsoft Dynamics CRM 2013, users who have the system administrator security role (and are in the PrivUserGroup) can activate data encryption, or change the encryption key after data encryption is enabled, in the Settings > Data Management > Data Encryption area. After you activate data encryption, you cannot turn it off. NB: For on-premises versions of Microsoft Dynamics CRM:

  • Changing the encryption key requires SSL configured on the Microsoft Dynamics CRM website. (This requirement can be bypassed by the work-around described below, which should only be used for testing purposes. The point of having data encryption is to have data encrypted both in transit and at rest.)
  • It is a best practice to change the encryption key once every year.
  • The encryption key is required to activate data encryption when you import an organization database into a new deployment or a deployment that has had the configuration database (MSCRM_CONFIG) re-created after the organization was encrypted.  You can copy the original encryption key to Notepad and paste it into the Settings > Data Management > Data Encryption dialog box after the organization import is completed.
  • When you re-enter the data encryption key, we recommend that you run the Microsoft Dynamics CRM web application using Internet Explorer to paste the encryption key into the Data Encryption dialog box.

Copy your organization data encryption key. It is strongly recommended that you make a copy of your data encryption key. This is particularly important for on-premise deployments that may need to reactivate data encryption after a redeployment or failure recovery.

How to copy a CRM 2013 Data Encryption Key for an Organization

  1. Sign in to Microsoft Dynamics CRM as a user with the system administrator security role.
  2. Go to Settings > Data Management > Data Encryption.
  3. In the Data Encryption dialog box, select Show Encryption Key, in the Current encryption key box select the encryption key, and copy it to the clipboard.

However, if the Microsoft Dynamics CRM website is not configured for HTTPS/SSL, the Data Encryption dialog box will not be displayed. Instead, you’ll get an HTTPS error. For a more secure deployment, we recommend that you configure the website for HTTPS/SSL. As a work-around, it is possible to get at the CRM 2013 Data Encryption settings even if the website is not configured for HTTPS/SSL. To do so, use a tool that can modify CRM database tables, such as Microsoft SQL Server Management Studio, and open the configuration database (MSCRM_CONFIG); in the DeploymentProperties table, set DisableSSLCheckForEncryption to 1. To inspect and set the property, use the following SELECT and UPDATE statements:

-- Check the current value (0 means the SSL check is enforced)
SELECT [ColumnName],[BitColumn]
FROM [MSCRM_CONFIG].[dbo].[DeploymentProperties]
WHERE ColumnName='DisableSSLCheckForEncryption'

-- Disable the SSL check for the Data Encryption dialog (testing only;
-- set [BitColumn] back to 0 when you are finished)
UPDATE [MSCRM_CONFIG].[dbo].[DeploymentProperties]
SET [BitColumn]=1
WHERE ColumnName='DisableSSLCheckForEncryption'

After performing an IISReset on the CRM Server, you’ll be able to see the encryption screen. Paste the encryption key into a text editor, such as Notepad. As a best practice, save the text file that contains the encryption key in a secure location on an encrypted hard drive. Also note that if you keep the default encryption key, with all its special hieroglyphic characters, you’ll need to save the file with Unicode encoding (the original post shows this in a screenshot of Notepad’s Save As dialog). Also note that there is one data encryption key per organization.
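The Unicode caveat above matters for recovery: a key saved as ANSI can lose characters silently and will not activate later. As an added example that is not from the original post, this Python snippet saves a constructed sample key the way Notepad’s “Unicode” option does (UTF-16 with BOM), verifies that it reads back identically, and shows the corruption a legacy code page causes; the sample key and the temporary file path are constructed here, not taken from a real CRM deployment.

```python
import os
import tempfile

# Constructed sample key: NOT a real CRM key, just a string containing
# non-ASCII characters like those found in a default CRM 2013 key.
SAMPLE_KEY = "k3Y\u0416\u00df\u2603\u4e2d\u0101-example"


def save_key_unicode(path, key):
    """Write the key as Notepad's 'Unicode' option does: UTF-16 with a BOM."""
    with open(path, "w", encoding="utf-16", newline="") as f:
        f.write(key)


def load_key(path):
    """Read the key back; the 'utf-16' codec uses the BOM to pick byte order."""
    with open(path, "r", encoding="utf-16", newline="") as f:
        return f.read()


def key_round_trips(key):
    """Return True if the key saved to a temp file reads back identically.

    Run this against your saved key file before relying on it for a
    redeployment: a mismatch means the key on disk is not the key CRM shows.
    """
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        save_key_unicode(path, key)
        return load_key(path) == key
    finally:
        os.remove(path)


def lossy_legacy_save(key, codepage="cp1252"):
    """Simulate saving the key as 'ANSI': every character outside the code
    page is replaced with '?', so the key is silently corrupted."""
    return key.encode(codepage, errors="replace").decode(codepage)


if __name__ == "__main__":
    print("UTF-16 round trip OK:", key_round_trips(SAMPLE_KEY))
    print("ANSI save corrupts key:", lossy_legacy_save(SAMPLE_KEY) != SAMPLE_KEY)
```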

Testing our system, I backed up our test Adventure Works CRM organization database and restored it as AdvWrks2. I imported (re-deployed) the AdvWrks2 database to create a new CRM org. I browsed to Settings => Admin => Users and selected my User. I changed the Primary E-mail address and hit save. Here’s where I got a “Data Encryption error — There are encrypted fields in the organization database, but the data encryption feature isn’t activated.” What this means is that the org that I originally backed up had encryption enabled, and we copied and re-deployed that org to the new org — which now requires that data encryption be activated with the Encryption Key from the original org. I went ahead and activated using the Encryption Key that I had previously saved, and got the good news that the Encryption Key was activated successfully.

[Screenshot: CRM 2013 Data Encryption, “encryption not activated” error]

So we’ve seen CRM 2013 Data Encryption be activated automatically, simply by installing CRM, as noted in the installer message quoted at the top of this post. We also know that Data Encryption will be enabled on all CRM Online deployments.

We’ve further seen that when an encrypted CRM database is restored and redeployed it requires that data encryption be activated with the appropriate encryption key. If you ever think you may want to restore your CRM organization database for disaster recovery or redeploy your CRM system for testing or operational reasons, you simply must save off the encryption key of your existing CRM system.

January 2, 2014 In: CRM 2013, Data Encryption