Dynamic 365 finance and operation database encryption

(2) Share

Report

Posted on by MS-29011540-0

123

Hello all,
Hope you all are doing well,
Is there any way to encrypt on-premise D365FO database and the application can communicate normally but even if i use SSMS and wrote SQL queries i can't view data?

Categories:

Dynamics 365 Finance

All responses (11)

Answers (4)

Verified answer

Navneeth Nagrajan 1,964 Super User 2025 Season 1 on at

Like (1)

Report

Dynamic 365 finance and operation database encryption

Hi MS-29011540-0,

SQL Server database is encrypted in D365 on-premise while deploying the on-premise D365 FO Environment. Additionally, if you are not looking to encrypt the data through the TDE you can explore the option of Azure storage encryption or Azure key vault.

As Martin rightly said, you can restrict the access on the On-Premise SQL Server database. Very strange to query on the database and not have any data retrieved.

References:

https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption

https://learn.microsoft.com/en-us/dynamics365/finance/localizations/global/setting-up-azure-key-vault-client

https://support.microsoft.com/en-au/topic/setting-up-azure-key-vault-client-84e53cef-99d6-3f35-9dc5-fa855b309f5b
Verified answer

Anton Venter 20,130 Super User 2025 Season 1 on at

Like (1)

Report

Dynamic 365 finance and operation database encryption

Hi,

The short answer is no. Encrypting all the data in the database cannot be done out of the box and is not something that you would want to implement. It would be a monumental task and not worth it. Network / system / domain administrators will always be able to access all data in the IT landscape by either accessing the applications as users or through the database backups.
Verified answer

Martin Dráb 234,654 Most Valuable Professional on at

Like (1)

Report

Dynamic 365 finance and operation database encryption

It really depends on what they actually need. There is no single answer valid for all possible requirements.
MS-29011540-0 123 on at

Like (1)

Report

Dynamic 365 finance and operation database encryption

@Martin Dráb
You are totally right, but i was just asked to search and respond with if it's applicable or not? then i can talk about pros and cons :)
Martin Dráb 234,654 Most Valuable Professional on at

Like (3)

Report

Dynamic 365 finance and operation database encryption

The question is still the same: what's the goal? You can't design a solution without understanding what the people needs to be able to do and what they mustn't.

They seem to say that IT department don't need access to any data inside the database. For example, maybe they need to do things like dealing with the storage of DB backups, which doesn't require access to the data inside. You mentioned a requirement to actually query the data in SSMS, but why? What's the point of querying data if they shouldn't have access to the data? There may be reasons, of course, but the current requirement ("to prevent IT department itself from viewing the data") doesn't include them.

Also, who will manage the configuration, policies, encryption keys or so if not the IT department? For example, do you distinguish between application admins (not belonging to IT dept) and infrastructure admins?
MS-29011540-0 123 on at

Like (0)

Report

Dynamic 365 finance and operation database encryption

@Martin Dráb
The client asked if it's feasible because he's willing to prevent IT department itself from viewing the data, I know that has many issues like heavy performance, integration problems, ...
I think it's not a practical solution and there may be other ways to do so with encrypting the database itself, but my company would like to know if it's feasible or no?
Martin Dráb 234,654 Most Valuable Professional on at

Like (1)

Report

Dynamic 365 finance and operation database encryption

I don't understand. If you want someone not to be able to read any data in the database, why do you give him permissions to read the data?

What is the actual problem that you're trying to solve?
MS-29011540-0 123 on at

Like (0)

Report

Dynamic 365 finance and operation database encryption

@Komi Siabi
But TDE encrypts the data file and the log file, but the data itself isn't encrypted which means if i query through SSMS i would get the data as plaintext, but what i wanted if i query through SSMS the resulted data is encrypted so that i can't read it.
Verified answer

Komi Siabi 12,915 Most Valuable Professional on at

Like (1)

Report

Dynamic 365 finance and operation database encryption

If you need to encrypt the data itself on the DB, I know you can use TDE which I have not had reason to try myself yet.

You can follow this Linkedin post as guide.

VA1219 - Transparent data encryption should be enabled
MS-29011540-0 123 on at

Like (0)

Report

Dynamic 365 finance and operation database encryption

@Komi Siabi
Do you mean during communication between the two servers?
If so, i need the data in the database itself to be encrypted, the data itself.
Thanks for replying