When deploying Sage CRM in an enterprise or hosted environment, ensuring secure data transmission between the CRM application and the SQL Server is a top priority. While Sage CRM itself does not impose encryption rules on database connections, it is fully compatible with Microsoft SQL Server configurations that enforce encryption for data in transit. This enables compliance with regulatory, cybersecurity, and internal policy requirements for secure data handling.
Test Environment Overview
We recently validated encrypted communication between the database tools on a Sage CRM application server and a remote SQL Server using the following environment:
Machine 1 (SQL Server):
- OS: Windows Server 2019
- SQL Server: Microsoft SQL Server 2019
Machine 2 (Client with CRM Tools):
- OS: Windows 11
- Tool: SQL Server Management Studio (SSMS) v18
Machine 1 and Machine 2 were configured in accordance with standard best practices for encryption, utilising Transparent Data Encryption (TDE) and TLS for SQL Server connections.
This setup simulates a typical deployment where the Sage CRM application server is on a separate machine from the SQL Server host. It confirmed that encrypted sessions between client tools and the database were established successfully.
Understanding What This Means for Sage CRM
Sage CRM connects to SQL Server using standard Microsoft libraries (ODBC/ADO). These support encrypted communication, provided the SQL Server instance is configured to enforce encryption and the client tools trust the server certificate. The Sage CRM application does not interfere with or limit these encryption mechanisms.
This makes encrypted SQL connections independent of Sage CRM version. Whether you're running Sage CRM 2023 R1 or 2025 R1, you can implement encrypted connections between the CRM application and SQL Server.
Encryption Requirements: SQL Server Editions and Operating Systems
|
Component |
Supported? |
Notes |
|
SQL Server Web/Standard/Enterprise |
|
Supports encrypted connections over TLS. TDE is available in Enterprise only. |
|
SQL Server Express |
|
Supports TLS connections; does not support TDE. |
|
Azure SQL (PaaS) |
|
TLS enforced by default; TDE enabled by default. |
|
Windows Server 2016+ / Windows 10+ |
|
Full support for modern TLS versions and certificate management. |
Note: TDE (Transparent Data Encryption) encrypts data at rest, protecting backups and physical files. TLS encryption protects data in transit between the CRM application and SQL Server.
Verifying SQL Connection Encryption
You can validate whether encryption is active using a query like:
SELECT c.session_id, c.encrypt_option, c.client_net_address, s.host_name, s.program_name FROM sys.dm_exec_connections c JOIN sys.dm_exec_sessions s ON c.session_id = s.session_id;
Look for encrypt_option = TRUE to confirm that encryption is working.
Documentation and Further Reading
- Encrypting Connections to SQL Server:
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine - Transparent Data Encryption (TDE):
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption - SQL Server Encryption Hierarchy:
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encryption-hierarchy - Sage CRM System Requirements:
https://help.sagecrm.com/
Conclusion
While encryption of data in transit is fundamentally a database and infrastructure consideration, Sage CRM is fully compatible with secure SQL Server deployments. By configuring TLS and, where appropriate, TDE, organisations can significantly strengthen their security posture without affecting Sage CRM functionality or performance.
If you're managing a Sage CRM environment in a sensitive or regulated industry, enabling encrypted connections should be part of your baseline configuration.