Setting Data Encryption

Setting Data Encryption

Data encryption is a way to safeguard personal or sensitive information like credit card details, backup phone numbers, personal identification numbers etc. that are stored in your CRM database. It prevents the data from being stolen or lost by converting the plain (or readable) text into cipher (or non-readable) text that is accessible only to the authorized parties. Even if a potential hacker gets a hold of the data, the information stored in the cipher text is non-readable.  

In Zoho CRM you can encrypt custom fields using AES. Encrypting the data does not come in the way of the effective and quick use of Zoho CRM, by authorized users.  
Availability 
Permission Required
Users with the Administrator profile can access this feature.
Check Feature Availability and Limits 

Feature Specifications

Field and Module-based specifications

  • Only Custom fields  (new and existing) can be encrypted. Once a field is marked as Unique, it cannot be encrypted. Similarly, once a field is encrypted you cannot mark it as Unique. 
  • The field types which support encryption are  Single Line, Email, Phone , and  Number .
  • Encryption can be disabled for a field at any time.
  • In  Lead Conversion Mapping , data can be converted and stored only between two encrypted fields.
  • Encrypted fields can be used as inputs in  Formula fields .

Handling encrypted data

  • Find & Merge  and  Deduplication  are supported for encrypted fields.
  • Any data imported to encrypted fields will be encrypted by default and exported data are decrypted.
  • Encrypted fields can be included in  Web forms .
  • Encrypted field can be displayed in  Reports  as a column, but cannot be used in Criterias and Columns to Total.
  • Encrypted fields can be used as inputs in  custom functions , and as merge fields in  templates .
  • APIs  are supported for encrypted data.
  • Encrypted fields can be used in  integrations  too. Utilizing the information in integrations are entirely at the user's risk.

Limitations and Trade-offs

  • Only full-text search is supported in global search. For instance, if the encrypted data is "Joseph Wells," the encrypted field record does not show in the results of a search for "Joseph."
  • Encrypted fields cannot be used in Advanced Filters
  • Encrypted fields cannot be found using Search by Criteria
  • Encrypted fields are not visible in Sort option.
  • Encrypted information is only stored in the  crm.zoho.com  domain. Use the encrypted information in other domains or third-party services at your own discretion.
  • In the  Forecasts  module, encrypted fields cannot be used as  Target Fields.
Encryption can be used in two situations:
  1. Encryption in Transit 
  2. Encryption at Rest (EAR) 

Data is usually encrypted when it is in transit (transferred from one place to another). This is to prevent others from accessing the data en route. This provides a considerable level of security for the information.

Encryption at Rest (EAR)

Although the encryption of data during transit provides good security, encryption of the same when it is stored in the servers provides an even higher level of security. EAR prevents any possible security leaks or losses when it is in storage.

This method of encryption is done using the  AES-256  protocol. Symmetric encryption algorithm, which uses 128-bit blocks and 256-bit keys, is used for encrypting/decrypting the data. It is one of the more advanced methods of encryption.

Many modes of operation of AES have been defined. Some of them are:

  • Electronic Codebook (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback (CFB)
  • Output Feedback (OFB)
  • Counter (CTR)

At Zoho, we encrypt your data using the Counter (CTR) mode.

Keys are the means through which you can retrieve the encrypted data. The key used to convert the data from plain text to cipher text is called Data Encryption Key(DEK). The DEK is further encrypted using the KEK (Key Encryption Key), thus, providing yet another layer of security.

Hence, the data in your CRM is equipped with three layers of security.

  • Encrypted data (Cipher text) is stored in the Zoho Services Database.
  • Encrypted DEKs are stored in KMS (Key Management System).
  • Encrypted KEKs are stored in IAM (Identity and Access Management) servers.

The retrieval of data is on three levels. Hence, the level of security is increased considerably.

Encryption Process at Zoho CRM 


  1. The encryption agent determines, from the metadata, whether to encrypt the field before storing it in the database.
  2. The encryption agent checks the cached memory for matching DEKs. If no matching DEKs are found, the encryption agent requests a DEK from the KMS.
  3. The KMS checks its database for a matching encrypted DEK.
    • If the matching encrypted DEK is found, the KMS decrypts the encrypted DEK and returns it to the encryption agent.
    • If no matching DEK is found, the KMS generates a DEK. This new DEK is encrypted with KEKs and stored in the KMS servers.
  4. The agent receives the Data Encryption Key (DEK), then encrypts/decrypts the data using 256-bit AES encryption.
  5. The cipher text (the encrypted data) is then stored in CRM (in the Zoho Services Database/File System).

Setting up data encryption

You can set data encryption only for the custom fields in the layout. You can encrypt these fields either while creating or editing them.
Note 
  1. Data encryption is supported for the Leads, Accounts, Contacts, Deals, Linking, Users and custom modules. 

To encrypt/decrypt custom fields:

  1. Go to  Setup > Customization > Modules and Fields > [Select the module] .
  2. In the module layout editor, go to the field you wish to encrypt, click the  Settings icon  and select  Edit Properties.
      
  3. In the  Field Properties  popup, select the  Encrypt Field  checkbox.
      
  4. Click  Done.
  5. Save  the layout.

    • Related Articles

    • PII & Encryption

      Zoho Recruit provides the means to protect sensitive and confidential user data via encryption. Encryption is the process of encoding information and making the information accessible only by the authorized parties. The encryption process converts ...

    • Is encryption of data mandatory under GDPR?

      No, GDPR doesn't mandate the encryption of customers' data. However, Zoho CRM allows you to encrypt fields manually in the Field Properties page.

    • Setting up Data Sharing Rules

      By default, access rights to Workerly records is set as private so that the record owner can oversee the Workerly data. However, using the Data Sharing Rules, you can extend the access rights to users belonging to other roles and groups. Once the ...

    • Setting up Data Sharing Rules

      By default, access rights to CRM records is set as private so that the record owner and his/her manager can oversee the CRM data. However, using the Data Sharing Rules, you can extend the access rights to users belonging to other roles and groups. ...

    • Setting up Data Sharing Rules

      The Data Sharing Rules, allow you to define access rights for users to the various modules in your help desk. You can provide the following types of access levels in Zoho Desk modules: Private: Only the record owner and his/her superior can view the ...