

Managing Encryption Keys for SQL Server Authentication

When using SQL Server authentication between the Microsoft Dynamics NAV Server instance and the database in SQL Server, an encryption key is used to encrypt the credentials that the Microsoft Dynamics NAV Server instance uses to log on to the database. The encryption key is stored on the computer running Microsoft Dynamics NAV Server and is also registered in the database. There is a single encryption key per Microsoft Dynamics NAV Server instance, and it must match the encryption key in the database.

On the computer running the Microsoft Dynamics NAV Server instance, the encryption key file has the name DynamicsNAV110.key and is stored in the %systemroot%\ProgramData\Microsoft\Microsoft Dynamics NAV\110\Server\Keys folder. In the database, the encryption key is registered in the dbo.$ndo$publicencryptionkey table. In a multitenant deployment, the encryption key is registered in the application database.

You can create encryption keys and then import and export the keys to and from databases by using encryption key cmdlets in the Microsoft Dynamics NAV Administration Shell. These cmdlets are useful when upgrading or transferring a solution from one set of hardware to another, where you might need a copy of the encryption key to use it on another Microsoft Dynamics NAV Server instance.

Note

When you use the Microsoft Dynamics NAV Server Administration tool to set up SQL Server Authentication on a Microsoft Dynamics NAV Server instance for the first time, instead of creating or importing your own encryption key in advance, you can decide to use a system encryption key, which is generated and installed automatically.

Managing Encryption Keys by Using Microsoft Dynamics NAV Administration Shell

The Microsoft Dynamics NAV Administration Shell includes the following cmdlets that enable you to manage the encryption key that is used on Microsoft Dynamics NAV Server instances:

| Cmdlet | Description |
| --- | --- |
| Export-NAVEncryptionKey | Exports an encryption key from a Microsoft Dynamics NAV Server instance to a password protected file. |
| Import-NAVEncryptionKey | Imports an encryption key from a password protected file to a Microsoft Dynamics NAV Server instance. |
| New-NAVEncryptionKey | Creates an encryption key in a password protected file. |

For more information about how to run the cmdlets, see Microsoft Dynamics NAV Windows PowerShell Cmdlets.

Changing the Current Encryption Key

If you want to replace the encryption key that is currently used by a Microsoft Dynamics NAV Server instance and database with another encryption key that is contained in an encryption key file, use the Import-NAVEncryptionKey cmdlet. Before you run the Import-NAVEncryptionKey cmdlet, you must delete the encryption key that is stored on the Microsoft Dynamics NAV Server computer.

To change the encryption key that is used by the Microsoft Dynamics NAV Server instance

  1. On the computer that is running the Microsoft Dynamics NAV Server instance, delete the encryption key file for SQL Server authentication.

    The encryption key file has the name DynamicsNAV110.key and is stored in the %systemroot%\ProgramData\Microsoft\Microsoft Dynamics NAV\110\Server\Keys folder.

  2. In the Microsoft Dynamics NAV Administration Shell, run the Import-NAVEncryptionKey cmdlet with the -Force parameter set.

    Import-NAVEncryptionKey -ServerInstance [Server Instance] -KeyPath [Encryption key file path] -ApplicationDatabaseServer [Database server instance] -ApplicationDatabaseName [Database name] -Force
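
The two steps above as one script, added here as an example and not part of the original documentation: it moves the old key file to a backup instead of deleting it, puts it back if the import fails, and then lists who can read the key file. It assumes an elevated Microsoft Dynamics NAV Administration Shell session; every value in angle brackets and the `$BackupFolder` variable are placeholders introduced for this example.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions, not values from the page): replace before use.
$ServerInstance = '<server instance>'
$NewKeyFile     = '<path to the password protected key file>'
$DbServer       = '<database server instance>'
$DbName         = '<database name>'
$KeyFolder      = '<Keys folder from step 1>'
$BackupFolder   = '<folder readable by administrators only>'

$currentKey = Join-Path $KeyFolder 'DynamicsNAV110.key'   # file name from step 1
if (-not (Test-Path -LiteralPath $NewKeyFile -PathType Leaf)) {
    throw "New key file not found: $NewKeyFile"
}

# Step 1, but move instead of delete so the old key file can be restored.
$backup = $null
if (Test-Path -LiteralPath $currentKey -PathType Leaf) {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupFolder "DynamicsNAV110.$stamp.key"
    Move-Item -LiteralPath $currentKey -Destination $backup
    Write-Host "Old key file moved to $backup"
}

try {
    # Step 2: same parameters as the command above. No password is passed
    # on the command line, so it stays out of the script and shell history.
    Import-NAVEncryptionKey -ServerInstance $ServerInstance -KeyPath $NewKeyFile `
        -ApplicationDatabaseServer $DbServer -ApplicationDatabaseName $DbName -Force
}
catch {
    # Import failed: put the old key file back before surfacing the error.
    if ($backup -and -not (Test-Path -LiteralPath $currentKey)) {
        Move-Item -LiteralPath $backup -Destination $currentKey
        Write-Warning 'Import failed; previous key file restored.'
    }
    throw
}

# List which accounts can read the key file that is now on disk.
if (Test-Path -LiteralPath $currentKey -PathType Leaf) {
    (Get-Acl -LiteralPath $currentKey).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
```

Once the instance is confirmed to connect with the new key, remove the backup copy or keep it only where access is restricted to administrators.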
    

See Also

How to: Configure SQL Server Authentication in Microsoft Dynamics NAV