Manage the encryption keys for your Dynamics 365 (online) instance

Dynamics CRM 2016

Published: March 20, 2017

Updated: March 20, 2017

Applies To: Dynamics 365 (online)

All instances of Microsoft Dynamics 365 (online) use Microsoft SQL Server Transparent Data Encryption (TDE) to perform real-time encryption of data when written to disk, also known as encryption at rest.

By default, Microsoft stores and manages the database encryption keys for your instances of Dynamics 365 (online) so you don’t have to. The manage keys feature in the Dynamics 365 Administration Center gives administrators the ability to self-manage the database encryption keys that are associated with instances of Dynamics 365 (online).

With Dynamics 365 (online) key management, administrators can provide their own encryption key or have an encryption key generated for them, which is used to encrypt the database for an instance.

The key management feature supports both PFX and BYOK encryption key files, such as those stored in a hardware security module (HSM). To use the upload encryption key option you need both the public and private encryption key.

The key management feature takes the complexity out of encryption key management by using Azure Key Vault to securely store encryption keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. The key management feature doesn’t require that you have an Azure Key Vault subscription and for most situations there is no need to access encryption keys used for Dynamics 365 (online) within the vault.

The manage keys feature lets you perform the following tasks.

  • Enable the ability to self-manage database encryption keys that are associated with Dynamics 365 (online) instances.

  • Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.

  • Lock a Dynamics 365 (online) instance.

    Caution

    You should never lock an instance as part of your normal business process. While a Dynamics 365 (online) instance is locked it takes the instance completely offline and it cannot be accessed by anyone, including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. An appropriate reason why you would lock an instance is when you move your database from online to on-premises. Locking the instance can make sure that your online data is never accessed again by anyone.

    A locked instance can’t be restored from backup.

  • Unlock a Dynamics 365 (online) instance. To unlock a locked instance of Dynamics 365 (online), you must upload the encryption key that was used to lock it. While a Dynamics 365 (online) instance is locked, it cannot be accessed by anyone.

As with any business critical application, personnel within your organization who have administrative-level access must be trusted. Before you use the key management feature, you should understand the risk that comes with managing your own database encryption keys. It is conceivable that a malicious administrator (a person who is granted or has gained administrator-level access with intent to harm an organization's security or business processes) working within your organization might use the manage keys feature to create a key and use it to lock a Dynamics 365 (online) instance. Consider the following sequence of events.

  1. The malicious administrator signs in to the Dynamics 365 Administration Center, goes to the edit page for an instance, and then generates a new encryption key to use to encrypt the instance. As part of the key generation, the malicious Dynamics 365 administrator downloads the encryption key.

  2. The malicious administrator locks the associated Dynamics 365 (online) instance and takes or deletes the encryption key that was used to lock the instance.

Note that encryption key changes take 72 hours to complete. Additionally, any time an encryption key is changed for a Dynamics 365 (online) instance, all Dynamics 365 (online) administrators receive an email message alerting them of the key change. This provides up to 72 hours to roll back any unauthorized key changes.

However, if after 72 hours the key change is not rolled back, the Dynamics 365 (online) instance will remain in a locked state until the encryption key that was used to lock it can be recovered to unlock it.

To use the manage keys feature you need one of the following privileges:

  • Office 365 Global Administrators membership.

  • Office 365 Service Administrators group membership.

  • System Administrator security role for the instance of Dynamics 365 (online) whose encryption key you want to manage.

The ability to self-manage database encryption keys requires either Dynamics 365 Plan 1 or Dynamics 365 Plan 2.

Self-managed database encryption keys are only available in the January 2017 update for Microsoft Dynamics 365 (online) and may not be made available for later versions.

If you provide your own encryption key, your key must meet these requirements that are accepted by Azure Key Vault.

  • The encryption key file format must be PFX or BYOK.

  • 2048-bit RSA or RSA-HSM key type.

  • PFX encryption key files must be password protected.

For more information about the key types supported by Azure Key Vault, see Azure: Keys and key types.
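As an added example that is not part of this page, the following PowerShell function checks a PFX file against the requirements listed above (password protected, private key present, 2048-bit RSA) before you upload it. The function name and the sample path are assumptions; it uses .NET X509Certificate2 directly and assumes .NET Framework 4.7.2+ or PowerShell 7 for the EphemeralKeySet flag.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical pre-upload check for a self-managed Dynamics 365 (online) encryption key file.
function Test-D365EncryptionKeyPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Do not persist the private key in a key store on the workstation while inspecting it.
    $flags = [X509KeyStorageFlags]::EphemeralKeySet
    $problems = @()

    # Requirement: the PFX must be password protected. If it opens with an empty password, it is not.
    try {
        $unprotected = [X509Certificate2]::new($PfxPath, '', $flags)
        $unprotected.Dispose()
        $problems += 'PFX is not password protected'
    } catch { }   # expected path: opening without a password fails

    try {
        $cert = [X509Certificate2]::new($PfxPath, $Password, $flags)
    } catch {
        return [pscustomobject]@{
            Path = $PfxPath; Valid = $false
            Problems = @("cannot open PFX with the supplied password: $($_.Exception.Message)")
        }
    }

    # Requirement: both the public and the private key must be present.
    if (-not $cert.HasPrivateKey) { $problems += 'private key missing (public and private key are both required)' }

    # Requirement: 2048-bit RSA key type.
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { $problems += "key type is $($cert.PublicKey.Oid.FriendlyName), not RSA" }
    elseif ($rsa.KeySize -ne 2048) { $problems += "key size is $($rsa.KeySize) bits, 2048 required" }
    $cert.Dispose()

    [pscustomobject]@{ Path = $PfxPath; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (sample path is constructed):
# Test-D365EncryptionKeyPfx -PfxPath 'C:\keys\contoso-d365.pfx' -Password (Read-Host -AsSecureString -Prompt 'PFX password')
```

A result with Valid set to $false lists every unmet requirement, so you can fix the export before the 72-hour key change window starts.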

For added assurance, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. A "bring your own key" (BYOK) file is encrypted with a Key Exchange Key (KEK) and stays encrypted until it is transferred into Azure Key Vault by uploading the file in the Dynamics 365 Administration Center. Only the encrypted version of your key leaves the original workstation. For more information about generating and transferring an HSM-protected key over the Internet, see How to generate and transfer HSM-protected keys for Azure Key Vault.

The following sections describe the tasks you can perform when you choose to self-manage the database encryption key for one or more instances.

Use this procedure to set up the manage key feature for the first time on an instance, or to change the encryption key of an instance that is already self-managed.

  1. Sign in to the Office 365 Admin center.

  2. Expand Admin centers, and then click Dynamics 365.

  3. Click Instance, select the instance where you want to manage the database encryption key, and then click Edit.

  4. Under database encryption settings, click manage key.

    (Screenshot: Manage key button)

  5. Review the message that appears and if you want to manage your own database encryption key for the instance, click ok.

  6. By default, the name for the key is InstanceName Encryption Key. Leave the key name or change it and then click either new or upload.

    (Screenshot: Create a new or upload a key)

    new. Click new to have a .PFX encryption key generated for you that will be used to encrypt the database.

    1. When you are prompted, enter the password that will be used for the encryption key.

    2. To use the key for the instance, click Yes.

    3. When you're prompted to save the private key, save it to a secure location. The key generated is RSA SHA256 2048-bit. We strongly recommend that you back up the key and save the password to a secure location.

    4. Click close to close the manage your database encryption key dialog box.

    upload. Click upload to provide your own password protected PFX or BYOK encryption key file.

    1. Browse for and add your own key that has been exported from your local hardware security module (HSM) or encryption key application. For BYOK encryption key files, make sure you use the subscription id when you export the encryption key from your local HSM. Click Uploading a BYOK file? on the manage your database encryption key dialog box to find your subscription id.

    2. If you’re sure you want to change the encryption key, click yes.

    3. Enter a password for the key, and click ok.

    4. Click close to close the manage your database encryption key dialog box.

    5. An email message is sent to all Dynamics 365 (online) administrators in your organization. This occurs whenever a key is changed for an instance.

Notice that the key name you specified to manage database encryption settings now appears under Current Encryption Key.

(Screenshot: Indication of a managed key)

Reverting a managed key configures the instance back to the default behavior where Microsoft manages the encryption key for you.

  1. From the Dynamics 365 Administration Center, click Instance, select the instance that you want to revert, and then click Edit.

  2. Under database encryption settings, click manage key.

  3. Click revert.

  4. To revert the instance back to Microsoft-managed key encryption, click yes.

  5. Click close to close the manage your database encryption key dialog box.

A locked instance remains inaccessible to everyone, including Microsoft, until a tenant administrator in your organization unlocks it by using the key that was used to lock it.

Caution

While a Dynamics 365 (online) instance is locked it takes the instance completely offline and it cannot be accessed by anyone, including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. You should never lock an instance as part of your normal business process. A common reason why you would lock an instance is when you move your database from online to on-premises. Locking the instance can make sure that your online data is never accessed again by anyone.

A locked instance can’t be restored from backup.

  1. From the Dynamics 365 Administration Center, click Instance, select the instance that you want to lock, and then click Edit.

  2. Under database encryption settings, click manage key.

  3. Click lock instance.

  4. Enter the name as it appears in the dialog box to confirm that you understand the risks with locking an instance, and then click upload.

  5. Browse for and select the encryption key file that was used to encrypt the instance, and then click Open.

  6. Enter the password for the key, and then click ok.

  7. To lock the instance, click yes.

  8. Click close to close the manage your database encryption key dialog box.

To unlock an instance, you must provide the encryption key and password that was used to lock the instance.

  1. From the Dynamics 365 Administration Center, click Instance, select the instance that you want to unlock, and then click Edit.

  2. Under database encryption settings, click manage key.

  3. Click unlock instance.

    (Screenshot: Unlock an instance)

  4. Browse for and select the encryption key that was used to encrypt the instance, and then click Open.

  5. Enter the password for the key, and then click ok.

  6. Click close to close the manage your database encryption key dialog box.

© 2017 Microsoft. All rights reserved.