web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / Migration from v7 to v...
Customer experience | Sales, Customer Insights,...
Answered

Migration from v7 to v9 - Data Encyption Key "doesn’t match the original encryption key"

(1) ShareShare
ReportReport
Posted on by damccracken 139

Hello CRM Community, 

I am in the process of migration 3 applications from Dynamics 2015 v7 on premise to Dynamics 365 v9 on premise. Ive been through the threads on lost or missing encryption keys and still not finding anything to help resolve my specific issue. 

Heres what ive done for each application: 

  1. Copy each ORG DB from a 2014 sql server that was on the v7 Dynamics platform to a 2016 sql server thats on a v8 Dynamics platform
  2. Imported the each Org on the deployment manager on v8 so that it does the necessary CRM updates on the ORG DBs
    1. I didnt do anything to the Orgs on v8 after importing them. Not sure if I was suppose activate the encryption key here, but it wouldnt have been copied over to v9 anyways so not sure if this wouldve cause my issue here
  3. Copied each ORG DB from the 2016 sql server they were on to a 2019 sql server on a v9 Dynamics platform
  4. Imported them through the Deployment Manager on v9 and they are stood up and working. 

Out of these 3 Orgs i have on the v9 Dynamics platform, only 1 has allowed me to activate data encryption with same source key! The other 2 give me the "doesn’t match the original encryption key". Its really confusing to me only this 1 has allowed me when I know for a fact what the source keys are!

I have the source Orgs, DBs, and Config DB from the 2015 v7 platform. Each Org had Encryption Enabled to where I can pull them straight from CRM UI. Ive done the SQL to query them from MSCONFIG db and used a C# Console App to decrypt it like here: https://szczepan.net/?p=152 It generates the same ones ive pulled manually. 

Ive tried different copy and pasting methods too!

I would rather avoid making new encryption keys because Im not too sure what all that might impact as ive never messed with this. 

Any help would be appreciated!

I have the same question (0)
  • damccracken Profile Picture
    damccracken 139 on at
    Migration from v7 to v9 - Data Encyption Key "doesn’t match the original encryption key" (repost from Microsoft Dynamics CRM Forum)

    Hello CRM Community, 

    I am in the process of migration 3 applications from Dynamics 2015 v7 on premise to Dynamics 365 v9 on premise. Ive been through the threads on lost or missing encryption keys and still not finding anything to help resolve my specific issue. 

    Heres what ive done for each application: 

    1. Copy each ORG DB from a 2014 sql server that was on the v7 Dynamics platform to a 2016 sql server thats on a v8 Dynamics platform
    2. Imported the each Org on the deployment manager on v8 so that it does the necessary CRM updates on the ORG DBs
      1. I didnt do anything to the Orgs on v8 after importing them. Not sure if I was suppose activate the encryption key here, but it wouldnt have been copied over to v9 anyways so not sure if this wouldve cause my issue here
    3. Copied each ORG DB from the 2016 sql server they were on to a 2019 sql server on a v9 Dynamics platform
    4. Imported them through the Deployment Manager on v9 and they are stood up and working. 

    Out of these 3 Orgs i have on the v9 Dynamics platform, only 1 has allowed me to activate data encryption with same source key! The other 2 give me the "doesn’t match the original encryption key". Its really confusing to me only this 1 has allowed me when I know for a fact what the source keys are!

    I have the source Orgs, DBs, and Config DB from the 2015 v7 platform. Each Org had Encryption Enabled to where I can pull them straight from CRM UI. Ive done the SQL to query them from MSCONFIG db and used a C# Console App to decrypt it like here: https://szczepan.net/?p=152 It generates the same ones ive pulled manually. 

    Ive tried different copy and pasting methods too!

    I would rather avoid making new encryption keys because Im not too sure what all that might impact as ive never messed with this. 

    Any help would be appreciated!

  • a33ik Profile Picture
    a33ik 84,331 Most Valuable Professional on at
    RE: Migration from v7 to v9 - Data Encyption Key "doesn’t match the original encryption key"

    No duplicates, please.

  • Verified answer
    protc Profile Picture
    protc on at
    RE: Migration from v7 to v9 - Data Encyption Key "doesn’t match the original encryption key"

    Hi,

    Thank you for your query.

    In some rare instances the previously saved Encryption does not work as the system fails to identify the key and you see the error below,

    "Data encryption can't be activated because the encryption key doesn't match the source encryption key used to encrypt the data. If you contact support, please provide the technical details."

    In this case, in order to remove the Previously saved usernames and passwords associated with the prior Exchange Server-Side Synchronization setup you can execute the script below on the CRM Database,

    1. Make a backup of the CRM organization database.

    2. Execute the Script below,

         USE LegacyCRMOrg_MSCRM // <Replace the "LegacyCRMOrg_MSCRM"  with te DB name >

         UPDATE EmailServerProfile SET IncomingPassword=null

         UPDATE EmailServerProfile SET OutgoingPassword=null

         UPDATE Mailbox SET Password=null

         UPDATE Queue SET EmailPassword=null

         UPDATE UserSettings SET EmailPassword=null

    3. Restart IIS 

    - Open elevated Command Prompt (Run as Administrator).

    - Execute command "IISRESET".

    4. Sign in to Microsoft Dynamics 365 as a user with the system administrator security role.

    a. Go to Settings > Data Management.

    b. Click Data Encryption.

    - The "Current Encryption Key" box should be available now.

    - Enter the Previously saved Original Encryption key.

    - Click "Activate"

    You're all set.

  • damccracken Profile Picture
    damccracken 139 on at
    RE: Migration from v7 to v9 - Data Encyption Key "doesn’t match the original encryption key"

    Hi Protim,

    I followed your steps and they seemed to have worked.

    I never got the "Current Encryption Key" field to be active or editable and it still had encryption status "Inactive", but I put the source key in the "Activate Encryption Key" field and it activated after the SQL and IIS reset!

    Thanks for the help!

  • Sky_God Profile Picture
    Sky_God 24 on at
    RE: Migration from v7 to v9 - Data Encyption Key "doesn’t match the original encryption key"

    The encryption key is stored in mscrm_config so if an organization is moved to another deployment, then the key reference will be missing.

    In this case a new key can be created (HTTPS needs to be enabled). 

    Changing password won’t have any impact, but only if HTTPS is already enabled.

     Step 1:
    use MSCRM_CONFIG
    Delete  from OrganizationProperties where Id = '<ORG ID>' and ColumnName IN('SymmetricKeyPassword' , 'SymmetricKeySource') 

    (NOTE: Get <ORG ID> from the MSCRM_CONFIG with:

        SELECT Id FROM Organization WHERE UniqueName = 'YourCRMOrgName'

    )

    Step2:
    --Remove key from DB
    use <<YourCRMOrgName>>_MSCRM
    drop symmetric key CrmSymmetricKey1 

    Step3:
    --Reset all values to null in your CRM organisation DB:

    USE <<YourCRMOrgName>>_MSCRM
    Update EmailServerProfileBase set IncomingPassword = null, OutgoingPassword = null
    Update MailBoxBase set Password = null
    Update queuebase set emailpassword = null
    Update usersettingsbase set emailpassword = null
    update LocalConfigStoreBase set Value=null where Value is not null
    update ServiceEndpointBase set SASKey=null where SASKey is not null
    update ServiceEndpointBase set SASToken=null where SASToken is not null
     
    Above 3 steps needs to run in same order and one-by-one, check for errors before proceeding between steps.
     
    These fields will be set to null, but the first 4 values can be re-entered (re-configured in CRM) and the last 3 will be automatically set once you activate the new key.
     (Also, if you are not using server side sync, then you don’t have to re-enter the first 4, they are only used for server side sync.)

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Abhilash Warrier – Community Spotlight

We are honored to recognize Abhilash Warrier as our Community Spotlight honoree for…

Congratulations to the September Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Customer experience | Sales, Customer Insights, CRM

#1
Rishabh Kanaskar Profile Picture

Rishabh Kanaskar 258

#2
MVP-Daniyal Khaleel Profile Picture

MVP-Daniyal Khaleel 179

#3
Tom_Gioielli Profile Picture

Tom_Gioielli 127 Super User 2025 Season 2

Last 30 days Overall leaderboard

Featured topics

Hide selecting Contact for potential customer when creating quote

Product updates

Dynamics 365 release plans