Data Encryption in CRM 2013

By | March 25, 2014

Data Security is the prime aspect across the world. As we are storing all our data into the CRM, we need to keep our sensitive data in Encrypted format for the security reasons. Microsoft Dynamics CRM 2013 uses standard Microsoft SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords.


–          Uses FIPS 140-2 Encryption Standard

–          prevents a database administrator from accessing encrypted data

–          SQL Server cell level encryption


–          Used to store Email and Password when working with CRM and Microsoft Exchange

–          Yammer Integration


–          data encryption is not active in Microsoft Dynamics CRM 2013 on-premises by default but users who have the system administrator security role can activate data encryption

–          After data encryption is activated, it cannot be turn off but you can change the encryption key if required.

–          Data Encryption cannot be applied on the custom fields. Currently it is only available on the out of the box password fields.

–          Auditing cannot be enabled on encrypted fields

–          Encrypted fields cannot be customized

–          Encrypted fields cannot be indexed

–          When doing a retrieve of an encrypted field’s value, a null is returned

–          SSL is required to use messages

To activate data encryption or change the encryption key you need to navigate to the Settings -> Data Management -> Data Encryption area. Please note that user having System Administrator role can only activate Data Encryption or change the Data Encryption Key.


1)       IsDataEncryptionActiveRequest: This request checks whether Data Encryption in Activated or not.

IsDataEncryptionActiveRequest request = new IsDataEncryptionActiveRequest();

IsDataEncryptionActiveResponse response = (IsDataEncryptionActiveResponse)service.Execute(request);

bool isDataEncryptionActive = response.IsActive;

2)      SetDataEncryptionKeyRequest: This request helps to change the Data Encryption key. You just need to set the new encryption key in the Encryption Key property which will set the new encryption key.

SetDataEncryptionKeyRequest request = new SetDataEncryptionKeyRequest();

request.ChangeEncryptionKey = true;

request.EncryptionKey = “YOUR_ENCRYPTION_KEY”;

SetDataEncryptionKeyResponse response = (SetDataEncryptionKeyResponse)service.Execute(request);

3)      RetrieveDataEncryptionKeyRequest: This function helps retrieve encrypted key available in the organization.

RetrieveDataEncryptionKeyRequest request = new RetrieveDataEncryptionKeyRequest();

RetrieveDataEncryptionKeyResponse response = (RetrieveDataEncryptionKeyResponse)service.Execute(request);

string encryptedKey = response.EncryptionKey;

Please note that, you must use SSL when you use these messages. When you execute these messages, a check will ensure that the user’s client/server connectivity is using the HTTPS protocol. If not, an exception is returned if the requests are submitted without using HTTPS.

Hope this article helps!