Encryption in Microsoft Dynamics 365

Microsoft uses encryption technology to protect customer data in Dynamics 365 while at rest in a Microsoft datacenter and while it is in transit between user devices and our datacenters. Connections established between customers and Microsoft datacenters are encrypted, and all public endpoints are secured using industry-standard TLS. TLS effectively establishes a security-enhanced browser-to-server connection to help ensure data confidentiality and integrity between desktops and datacenters. After data encryption is activated, it cannot be turned off. For more information, see Field-level data encryption.

Dynamics 365 uses standard Microsoft SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help organizations meet the compliance requirements associated with FIPS 140-2. Field-level data encryption is especially important in scenarios that leverage the Microsoft Dynamics CRM Email Router, which must store user names and passwords to enable integration between a Dynamics 365 instance and an email service.

All instances of Dynamics 365 use Microsoft SQL Server Transparent Data Encryption (TDE) to perform real-time encryption of data when written to disk (at rest). TDE encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files. By default, Microsoft stores and manages the database encryption keys for your instances of Dynamics 365. (The keys that are used by Dynamics 365 for Financials are generated by the .NET Framework Data Protection API.)

The manage keys feature in the Power Platform Administration Center gives administrators the ability to self-manage the database encryption keys that are associated with instances of Dynamics 365. See Manage the encryption keys for your Dynamics 365 (online) instance. The key management feature supports both PFX and BYOK encryption key files, such as those stored in an HSM. (For more information about generating and transferring an HSM-protected key over the Internet, see How to generate and transfer HSM-protected keys for Azure Key Vault.)

To use the upload encryption key option, you need both the public and private encryption key.

The key management feature takes the complexity out of encryption key management by using Azure Key Vault to securely store encryption keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. The key management feature doesn't require that you have an Azure Key Vault subscription and for most situations there is no need to access encryption keys used for Dynamics 365 within the vault.