Field-level data encryption


Applies To: Dynamics CRM 2013

Microsoft Dynamics CRM 2013 uses standard Microsoft SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help organizations meet the compliance requirements associated with FIPS 140-2. Field-level data encryption is especially important in scenarios that leverage the Microsoft Dynamics CRM Email Router, which must store user names and passwords to enable integration between a CRM instance and an email service such as Microsoft Exchange.

While data encryption is not active in Microsoft Dynamics CRM 2013 on-premises by default for new or upgraded organizations, data encryption may be activated at any time. Microsoft Dynamics CRM users who have the system administrator security role can activate data encryption (or change the encryption key after data encryption is enabled) in the Settings > Data Management > Data Encryption area. After data encryption is activated, it cannot be turn off.


For Microsoft Dynamics CRM Online, all new and upgraded organizations have data encryption activated.

When considering the use of data encryption, be sure to keep in mind the following key points:

  • To help ensure the highest level of security, we recommend that you change the encryption key once a year.

  • Changing the encryption key requires that SSL be configured on the Microsoft Dynamics CRM website.

  • Auditing cannot be enabled on encrypted fields.

  • Encrypted fields cannot be customized.

  • Encrypted fields cannot be indexed.

  • Encrypted fields can be set and updated by using standard Create, Update, and Delete methods.

  • When doing a retrieve of an encrypted field’s value, a null is returned.

The encryption key is required to activate data encryption when you import an organization database into a new deployment or into a deployment that has had the configuration database (MSCRM_CONFIG) recreated after the organization was encrypted. You can copy the original encryption key to Notepad and then paste it into the Settings > Data Management > Data Encryption dialog box after the organization import is completed. When activating data encryption after redeployment, we recommend that you use Internet Explorer to paste the encryption key into the Data Encryption dialog box.

Encrypted attributes

The entity attributes that are configured for field-level data encryption are listed in the following table.














The messages that can be used for field-level data encryption are listed in the following table.

Request class name

More information


Checks if data encryption is currently running (active or inactive).


Retrieves the data encryption key value.


Sets or restores the data encryption key. To prevent accidentally running multiple change requests in parallel, this SDK message will be throttled so that only one request can run at a time.


You must use SSL when you use these messages. When you execute these messages, a check will ensure that the user’s client/server connectivity is using the HTTPS protocol. If not, an exception is returned if the requests are submitted without using HTTPS.

See Also

Administration Guide: Data encryption