Encryption Decryption Dataverse

The document outlines the encryption capabilities of Dataverse, which supports data encryption at-rest and column-level security, but lacks manual encryption solutions. It proposes using Power Automate with Azure Key Vault to encrypt and decrypt sensitive data, detailing methods for triggering these flows and their pros and cons. Additionally, it discusses key management, licensing, limitations, and alternative encryption methods available within Power Automate.

Uploaded by

kathanmecii

• Context and Problem Statement
  o Dataverse supports data encryption at rest; data is internally encrypted using 256-bit AES encryption compliant with FIPS 140-2. Read more - https://learn.microsoft.com/en-us/power-platform/admin/about-encryption
  o Additionally, Dataverse offers column-level security capabilities for access control. This functionality enables the granting of access to specific user groups for columns containing sensitive information.
  o However, users and developers with access to that column can view data in textual form. According to SLB security standards, High Sensitive Personal Information (HSPI) should not be visible in plain text format by default. Sensitive data ought to be stored in encrypted form within Dataverse. Therefore, it is advisable to employ encryption algorithms for both storing and retrieving data to enhance protection.
• Solution
  o Currently Dataverse provides data encryption at rest and column-level security, but it does not provide any solution to manually encrypt data in Dataverse, like SQL Server transparent data encryption.
  o The proposed solution is to handle encryption with Power Automate.
  o Power Automate has an out-of-the-box connector to encrypt and decrypt data with Azure Key Vault.
    ▪ The Azure Key Vault connector in Power Automate enables users to interact with Azure Key Vault from their workflows. This connector simplifies the process of accessing and managing secrets/keys stored in Azure Key Vault. In addition, this connector provides a way to encrypt and decrypt data with stored keys.
  o These flows can be triggered in multiple ways for encryption and decryption, which are described below.
  o Encrypt data from Power Apps

    ▪ In this approach, the Power Automate flow is initiated directly from Power Apps. It can be based on a user action or run before the form is submitted.
    ▪ The flow will work as explained in the image below.
    ▪ Power Apps will trigger the Power Automate flow and pass the value which needs to be encrypted.
    ▪ Power Automate will use the Azure Key Vault connector to encrypt the data based on the key and the specified algorithm.
    ▪ Power Automate will return the encrypted value to the Power App. That encrypted value can later be stored in Dataverse directly.
    ▪ Pros & Cons
      o Pros:
        ▪ This approach encrypts data before saving to Dataverse.
        ▪ Failure handling can be done in a better way in case Power Automate is not able to return the encrypted value.
      o Cons:
        ▪ As the flow is invoked from the Power App, data that is imported from an external source or updated directly in Dataverse by a user can end up unencrypted.
          ▪ This issue can be addressed by incorporating an additional encryption flow. There are 2 ways to do that, as mentioned below:
            o Create an additional flow which will retrieve data from an external source, encrypt it, and subsequently store it in Dataverse.
            o Use the Dataverse trigger for this case, which is described as another solution below.
        ▪ Logic has to be written to identify whether data is already encrypted, and when it has changed and needs to be re-encrypted.

  o Encrypt data from Dataverse trigger
    ▪ Power Automate has a trigger that fires when data is added, modified or deleted in a Dataverse table. A user can create a flow based on this trigger.
    ▪ This trigger can also run based on the update of a specific column.
    ▪ Power Automate also has an action to update a row in a Dataverse table.
    ▪ The flow will work as explained in the image below.
    ▪ In this approach Power Apps will store data in Dataverse. Then the Dataverse trigger will start the Power Automate flow, which stores the encrypted data in Dataverse.
    ▪ Pros & Cons
      o Pros
        ▪ The Dataverse trigger makes sure a flow always runs when data is added/updated in Dataverse, irrespective of source.
        ▪ It works as a kind of background job, where users don't need to wait while data gets encrypted by Power Automate.
      o Cons
        ▪ One version of the non-encrypted/raw data will be stored in Dataverse. It can further be found in logs if they are maintained.
        ▪ Failure handling is difficult: if data does not get encrypted by Power Automate, the non-encrypted version continues to stay in Dataverse.
        ▪ The flow gets triggered from Dataverse and updates Dataverse again. This can lead to a recursive loop if not handled correctly.
Response 1:

    {
      "type": "object",
      "properties": {
        "Value": {
          "type": "string"
        },
        "Version": {
          "type": "string"
        }
      }
    }

Response 2:

    {
      "Value": "Encryption failed",
      "Version": "Failed"
    }


  o Decrypt data
    ▪ The same Azure Key Vault connector used for encryption provides a method for decryption.
    ▪ A similar Power Automate flow can be created to decrypt data based on user actions. The flow is described in the image below.

Success Response:

    {
      "type": "object",
      "properties": {
        "Value": {
          "type": "string"
        }
      }
    }

Failure Response:

    {
      "Value": "Decryption failed"
    }

    ▪ In this flow, the Power App passes the encrypted value to Power Automate.
    ▪ Power Automate uses the Azure Key Vault connector to decrypt the data.
    ▪ The key and decryption algorithm must be the same as those used for encryption.
    ▪ Pros & Cons
      o Pros
        ▪ Decryption can be done based on a user click.
      o Cons
        ▪ It is not possible at this moment to decrypt data in bulk.
• How To
  o This section focuses on how to create a flow, potential issues, and things to take care of.
  o Below are the steps one has to perform in order to create a cloud flow with Key Vault.
    ▪ App registration in Microsoft Entra ID (previously known as Azure AD)
      ▪ Register an application, or use an existing application, in Microsoft Entra ID.
      ▪ Create a secret in the Certificates & Secret section.
      ▪ Keep this secret value with you, as it will be required in the cloud flow.
    ▪ Add key and necessary permissions in Azure Key Vault
      ▪ Create a key in Azure Key Vault. Key Vault provides 2 key types, RSA and EC. The recommended option is RSA, as it is highly secure and its algorithms are available in the Power Automate connector.
      ▪ Necessary permissions
        o Azure Key Vault has 2 permission models - Azure RBAC and Key Vault access policy.
          ▪ If you use RBAC, the user/application needs the 'Key Vault Administrator' role.
          ▪ If you use 'Key Vault access policy', all permissions to the key should be granted.
        o If you are using 'Service Principal Authentication' for the connection to Key Vault, the Azure AD application also needs to have the mentioned permission.
          ▪ To provide this permission, use the Access policies of Azure Key Vault.
      ▪ Key rotation
        o Key rotation is an important aspect of managing keys and encryption. Azure Key Vault can do that automatically for you - https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
        o An important thing to keep in mind is that you can only decrypt data with the key which you used for encryption. So if a newer version of the key is created, you still have to use the older version if the data was encrypted with the previous version.
        o So the key version may need to be stored in Dataverse along with the record at the time of updating.
        o The Azure Key Vault connector provides a way to encrypt/decrypt data with a specific version of a key - https://learn.microsoft.com/en-us/connectors/keyvault/#encrypt-data-with-key-version
        o Azure documentation for the Key Vault connector says it can return a maximum of 25 keys at a time. So choosing the rotation interval becomes critical. It is also recommended to re-encrypt all data periodically to avoid risk. The minimum rotation duration from Key Vault is 7 days.
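
Added example (not part of the original document, and not the connector's API): the key-version bookkeeping described above, combined with the already-encrypted check and the loop guard called for in the two trigger sections, shown in Node.js. Local RSA key pairs stand in for Key Vault key versions; the `enc:<version>:<ciphertext>` envelope and all function names are assumptions made for illustration.

```javascript
// Added example: local RSA key pairs stand in for Azure Key Vault key versions.
const nodeCrypto = require('node:crypto');

// RSA-OAEP-256, the algorithm this document recommends.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical in-memory vault: version id -> key pair, plus the current version.
function makeVault() {
  return { versions: new Map(), current: null };
}

// Simulates a rotation: a new version becomes current, older versions stay usable.
function rotate(vault, versionId) {
  const pair = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  vault.versions.set(versionId, pair);
  vault.current = versionId;
}

// Constructed envelope "enc:<keyVersion>:<base64 ciphertext>"; null means plaintext.
function parseEnvelope(value) {
  const m = /^enc:([A-Za-z0-9]+):([A-Za-z0-9+/]+=*)$/.exec(value);
  return m ? { version: m[1], ciphertext: m[2] } : null;
}

function encryptColumn(vault, plaintext) {
  const { publicKey } = vault.versions.get(vault.current);
  const ct = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext, 'utf8'));
  return `enc:${vault.current}:${ct.toString('base64')}`;
}

// Decrypts with the version recorded in the envelope, not with the current one.
function decryptColumn(vault, value) {
  const env = parseEnvelope(value);
  if (!env) throw new Error('value is not an encrypted envelope');
  const pair = vault.versions.get(env.version);
  if (!pair) throw new Error(`key version ${env.version} is not available`);
  const ct = Buffer.from(env.ciphertext, 'base64');
  return nodeCrypto.privateDecrypt({ key: pair.privateKey, ...OAEP }, ct).toString('utf8');
}

// Decision for a Dataverse-triggered flow: the value to write back, or null for no update.
function onRowChanged(vault, columnValue) {
  const env = parseEnvelope(columnValue);
  if (!env) return encryptColumn(vault, columnValue);   // raw value from any source
  if (env.version === vault.current) return null;       // flow's own write: stop the loop
  return encryptColumn(vault, decryptColumn(vault, columnValue)); // move to current version
}
```

A plaintext that itself matches the envelope pattern would be treated as already encrypted; a separate flag or version column in the row avoids that ambiguity.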
    ▪ Cloud flow in Power Automate
      ▪ Create a new cloud flow in Power Automate.
      ▪ Decide your trigger based on your choice of flow: either the Power Apps or the Dataverse trigger.
      ▪ Select the Azure Key Vault connector for encryption in the next step.
      ▪ Choosing the right algorithm
        o This connector provides 3 encryption algorithms, and RSA-OAEP-256 is found to be the most secure and is the recommended algorithm. Details are mentioned below.
          ▪ RSA1_5
            o This is one of the earliest padding schemes used with RSA. It involves padding the plaintext before encryption with a specific structure defined in the PKCS #1 v1.5 standard.
            o While widely supported, it has some security concerns, especially in the context of potential padding oracle attacks.
          ▪ RSA-OAEP:
            o RSA-OAEP (Optimal Asymmetric Encryption Padding) is a more modern and secure padding scheme compared to RSA-PKCS1-v1_5. It was designed to address vulnerabilities and potential attacks associated with PKCS #1 v1.5 padding.
            o RSA-OAEP uses a hash function and a mask generation function to provide semantic security against chosen ciphertext attacks.
          ▪ RSA-OAEP-256:
            o RSA-OAEP-256 is an extension of RSA-OAEP that employs a larger hash function (256 bits) for increased security.
            o The "256" in the name refers to the size of the hash function used in the scheme.
      ▪ Choosing the correct authentication type
        o Here you will also need to create a connection to Key Vault from the Power Automate flow. There are 2 ways to do that.
        o There are certain limits with the 'Default Azure AD' approach, and the recommended way is 'Service Principal Authentication'.
        o In order to use a service principal, you will require an Entra ID (Azure AD) application and a Key Vault account.
      ▪ Making connection public
        o The Azure Key Vault connection is not sharable by default, and it needs to be shared manually by changing the type.
        o This can be changed by going into the flow and editing 'Run only users'.
• Licensing
  o The Azure Key Vault connector requires a premium license.
  o More details to be added.
• Limitations
  o As of now, only 150 characters can be encrypted in one go.
  o There is no out-of-the-box bulk encryption option available in the connector.
• Interesting read - Vigenère cipher encryption with Power Automate
  o There is a way to write the Vigenère cipher algorithm in Power Automate - https://www.damobird365.com/encryption-in-power-automate/
  o Here the encryption and decryption code can be written manually.
  o This can be used for less sensitive data, as it does not have the strongest encryption but can be built without a premium license.
