How to Unlock Dynamics CRM Data Encryption

August 29, 2015 In: CRM 2013, CRM 2015, Data Encryption, Microsoft Dynamics CRM

Need to Unlock Dynamics CRM Data Encryption?

Have you recently imported (redeployed) an on-premises organization and you’re getting Data Encryption errors?

That’s a tad bit disconcerting.  What does this mean?  How do you unlock Dynamics CRM Data Encryption?  How can you get your encryption key back?  Is your data really locked up?

All good questions.  First of all, you should only ever see these kinds of messages in CRM on-premises, typically after a redeployment.

If you saved off the encryption key prior to breaking down the org in the legacy environment, then you just need to activate data encryption with the key that you previously saved off.  “…you did save it off, right?”  (No, I thought you were going to do that…)  LOL.  No worries.

The error message can be a little confusing, especially since, as we noted in a previous blog article, data encryption is automatically activated when you install CRM or redeploy a CRM organization.

There are encrypted fields in the organization database, but the data encryption feature isn’t activated. Contact your Microsoft Dynamics CRM system administrator to activate data encryption. To activate, go to Settings > Data Management > Data Encryption. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

~ Data Encryption error

There are a number of subtleties you should be aware of to unlock Dynamics CRM data encryption.  One is that if this is a brand new, empty organization, you can activate encryption and set the encryption key to whatever you like.  If the organization has been redeployed, and there is no sensitive data like usernames and passwords for Exchange Server-Side Synchronization (think: users’ Office 365 usernames and passwords), then you may still be able to activate encryption and set the password to whatever you like.  However, if you’re redeploying an organization that had previously been configured for Exchange Server-Side Synchronization, you’ll either have to provide the encryption key or continue to experience the error message we’re talking about here until you do.

The primary solution is, of course, to simply provide the encryption key from the same CRM organization in the legacy deployment.  If you don’t have that, and you can’t get back to your legacy environment, then here’s the work-around: in short, you have to delete the sensitive data in your CRM organization.  It’s not as bad as it sounds, and basically means you have to delete usernames and passwords associated with the prior Exchange Server-Side Synchronization setup.

The details are as follows.  First, make a backup of your CRM organization database, just in case.  You won’t be able to read the usernames and passwords from the legacy database, so it’s really not that much help anyway.  The next step is to wipe clean all the sensitive data by clearing the stored password fields:

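-- Replace LegacyCRMOrg_MSCRM with the name of your organization database
USE LegacyCRMOrg_MSCRM;
-- Clear the stored e-mail credentials that were encrypted with the old key
UPDATE EmailServerProfile SET IncomingPassword = NULL;
UPDATE EmailServerProfile SET OutgoingPassword = NULL;
UPDATE Mailbox SET Password = NULL;
UPDATE Queue SET EmailPassword = NULL;
UPDATE UserSettings SET EmailPassword = NULL;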

Deleting the sensitive data will allow you to effectively start fresh and activate the data encryption.  Of course, you’ll then have to reconfigure your Exchange Server-Side Synchronization.
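
Since every cleared credential has to be re-entered afterwards, it helps to list which records hold one before running the updates above. The query below is an added example, not part of the original procedure; the Name, FullName and *Id columns and the SystemUser join are assumed from the standard CRM schema, and it returns record names only, never the stored password values.

```sql
-- Added example: inventory of records that still hold a stored credential.
-- Run BEFORE the UPDATE statements. LegacyCRMOrg_MSCRM is the article's
-- placeholder database name; Name, FullName and the *Id columns are assumed
-- from the standard CRM schema and may need adjusting for your database.
USE LegacyCRMOrg_MSCRM;

SELECT 'EmailServerProfile' AS SourceTable,
       CAST(EmailServerProfileId AS nvarchar(36)) AS RecordId,
       Name AS RecordName,
       CASE
           WHEN IncomingPassword IS NOT NULL AND OutgoingPassword IS NOT NULL
               THEN 'IncomingPassword, OutgoingPassword'
           WHEN IncomingPassword IS NOT NULL THEN 'IncomingPassword'
           ELSE 'OutgoingPassword'
       END AS CredentialColumns
FROM   EmailServerProfile
WHERE  IncomingPassword IS NOT NULL OR OutgoingPassword IS NOT NULL

UNION ALL
SELECT 'Mailbox', CAST(MailboxId AS nvarchar(36)), Name, 'Password'
FROM   Mailbox
WHERE  Password IS NOT NULL

UNION ALL
SELECT 'Queue', CAST(QueueId AS nvarchar(36)), Name, 'EmailPassword'
FROM   Queue
WHERE  EmailPassword IS NOT NULL

UNION ALL
-- UserSettings has no name of its own, so look the user up (assumed join).
SELECT 'UserSettings', CAST(us.SystemUserId AS nvarchar(36)),
       su.FullName, 'EmailPassword'
FROM   UserSettings AS us
LEFT JOIN SystemUser AS su ON su.SystemUserId = us.SystemUserId
WHERE  us.EmailPassword IS NOT NULL

ORDER BY SourceTable, RecordName;
```

Keep the result set as the checklist for reconfiguring Server-Side Synchronization; running the same query after the updates should return no rows.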

A note of caution for CRM Online users: if you ever intend to move your CRM Online organization to on-premises or to hosting by a third party, you’ll have to redeploy, in which case you’ll also need to know your encryption key.
