Document Encryption in SharePoint Portal Server

Does SharePoint Portal Server support document encryption?

SharePoint Portal Server 2003/Microsoft Office SharePoint Server 2007 can be configured to leverage Rights Management Service (RMS), which allows for the encryption of documents through RMS policy each time a document is requested from a Document Library. The RMS policy will be applied to documents whether they are requested through the Office client, WebDAV or FrontPage RPC.

* While SQL Server 2005 supports certificate-based encryption within the store, encryption will have to be manually implemented through stored procedures using the new SQL Server 2005 T-SQL support and technologies for certificate management and encryption. As a result, a SharePoint Portal Server implementation of these technologies is not supported.

Are encrypted documents indexed?

Windows RMS will provide the capability to envelope e-mail and Office documents, limiting the actions a user can perform against a file through Information Rights Management (IRM) in Microsoft Office 2003, in addition to adding document expiration, check-in limitations, and more. For additional information surrounding IRM I recommend visiting:

In Microsoft Office SharePoint Server 2007, server integration with RMS and integration with other RMS systems permits policies set on Document Libraries to apply to files that have left the site; with this in mind, the immediate benefit is that the content within the Document Library can be indexed by Microsoft Office SharePoint Server 2007.

Before you can leverage RMS and IRM you must deploy an RMS system in your environment; for additional information on planning and deployment of an RMS system, visit

Comments (4)

  1. To configure IRM for Microsoft Office SharePoint Server 2007, you will need to have an RMS server that is accessible by your Microsoft Office SharePoint Server 2007 server farm. You can configure IRM in SharePoint 3.0 Central Administration by navigating to the Operations tab and then selecting Information Rights Management in the Security Configuration section.

  2. Chris says:

    To clarify… you are saying that I can have a document library with a specific RMS policy applied to it – so that when the documents leave that library, they are encrypted, but when they sit in the library (are in the SQL database), they are not encrypted, and are therefore able to be indexed.  Doesn’t this defeat the purpose of RMS?  The reason I ask this is that when I use RMS, I want the document encrypted at all times – not just when it has left a document library.  And while yes, it should be indexed, only those users who have been assigned the read or modify rights to that document via the RMS client should be able to see the information that has been indexed for that document.  How is this going to be addressed, or are these documents basically indexed for all to see via the portal search, and until they leave the library with the RMS policy set on them, there is no true IRM-based security on them?

  3. When you apply an IRM policy and the content lives in a SharePoint doc library, the security is set at the SharePoint level – using single item security settings. It’s only when the document leaves the SharePoint doc library that an IRM “wrapper” is applied to it. This allows the content to get searched and appropriately security trimmed. If someone simply uploads an IRM document into a SharePoint document library, that content will not get crawled… except for its associated metadata that lives in the SharePoint library. Hopefully this helps to answer the question.

  4. CK Quek says:

    How (the detailed steps) do you configure SharePoint Portal Server 2003/Microsoft Office SharePoint Server 2007 to leverage Rights Management Service (RMS) which allows for the encryption of documents through RMS policy each time a document is requested from a Document Library?
