Securosys365 - Knowledge Base
Capabilities
The Securosys365 - Cockpit enables you to manage the lifecycle of keys and to use them to perform cryptographic operations.
Capability | Description |
---|---|
Key Management | Create and control the lifecycle of Asymmetric DKE keys in Securosys CloudHSM (all clusters, worldwide) |
DKE Web Service | Create and register DKE Web Service apps |
Cryptographic Operations | Encryption and decryption using asymmetric DKE keys |
Multi Tenancy | Manage multiple Organization Units within a Tenant or SubTenant |
RBAC | Define role-based access control policies to enhance the DKE Web Service access |
Hardening | CSRF, DoS and robot attack protection |
Authentication | Two-factor authentication (2FA) via Google Authenticator, Free OTP, Microsoft Authenticator or E-Mail, and support for any OpenID Connect identity provider (Okta, Google Identity, Azure AD, ADFS, Active Directory, Big-IP F5, Keycloak) |
Statistics | Statistics on key usage |
Audit | Complete audit trails for key generation and usage |
Logging | Log Management (Splunk, Datadog adapters) |
Supported Platforms (Double Key Encryption)
Microsoft 365 Apps (Word, Excel, PowerPoint)
For the latest details on Word, Excel, and PowerPoint, see: 🔗 Sensitivity Label Capabilities in Word, Excel, and PowerPoint
(Search for "Double Key Encryption")
Windows | Mac | iOS | Android | Web | Office LTSC 2021 |
---|---|---|---|---|---|
Current Channel: 2307+ | 16.85+ | 2.85+ | 2.85+ | Not available | 16.0.18227+ |
Outlook
For the latest details on Outlook, see: 🔗 Sensitivity Label Capabilities in Outlook
(Search for "Double Key Encryption")
Windows | Mac | iOS | Android | Web | New Outlook for Windows |
---|---|---|---|---|---|
Current Channel: 2307+ | Not available | Not available | Not available | Not available | Not available |
DKE Limitations
Services that cannot be used with DKE-encrypted content:
- Office Web Apps including coauthoring functionality
- Mail flow rules including anti-malware and spam that require visibility into the attachment
- Microsoft Delve
- eDiscovery
- Content search and indexing
- Copilot
DKE encrypted data isn't accessible at rest to Microsoft 365 services including Copilot. While you're using your DKE encrypted data in Office, the data still isn't accessible to Copilot, and you can't use Copilot in apps while you're using DKE encrypted data.
Licensing
Securosys365 - DKE is an enhancement built on top of Microsoft Purview Information Protection.
The following licenses apply:
- Securosys365 - DKE (DKE Web Service and HSM Key Management)
- Microsoft (MPIP - DKE functionality)
Securosys365 - DKE
Prices are calculated per Seat (a user of Double Key Encryption, identified by the Entra ID UPN) and are communicated upon request.
All features are included in all Bundles.
Name | Description |
---|---|
Securosys 365 DKE Basic Bundle, incl. 5 Seats and 1 DKE (Microsoft IMGU) Service (36+ months) | Monthly subscription fee for Securosys 365 DKE Service (Double Key Encryption as a Service), Basic Bundle incl. 5 users and 1 Independent Microsoft Guest User, 3-years minimum subscription, as per service description |
Securosys 365 DKE, License Package of 5 Seats | Monthly subscription for Securosys 365 DKE (Double Key Encryption as a Service), package of 5 users, 1-year minimum subscription, fee per month |
Securosys 365 DKE, License Package of 50 Seats | Monthly subscription for Securosys 365 DKE (Double Key Encryption as a Service), package of 50 users, 1-year minimum subscription, fee per month |
Securosys 365 DKE, Package of 3 Additional Independent Microsoft Guest Users/DKE Users | Monthly subscription for Securosys 365 DKE (Double Key Encryption as a Service) Package of 3 Additional Independent Microsoft Guest Users, 1-year minimum subscription, fee per month |
Securosys 365 DKE, Package of 10 Additional Independent Microsoft Guest Users/DKE Users | Monthly subscription for Securosys 365 DKE (Double Key Encryption as a Service) Package of 10 Additional Independent Microsoft Guest Users, 1-year minimum subscription, fee per month |
Securosys 365 DKE Additional CloudHSM Partition for DKE Segregation | Monthly subscription fee, 1-year minimum subscription |
Securosys 365 DKE Set-Up Fee | Securosys 365 DKE Initial Set-Up Fee, one-off |
Microsoft Information Protection
Double Key Encryption builds on top of Microsoft Purview Information Protection and is licensed under the following:
Microsoft License |
---|
Office 365 E3 + Microsoft 365 E5/A5/F5/G5 Information Protection and Governance + EMS E3 |
Microsoft 365 E5/A5/F5/G5 Compliance + Microsoft 365 F5 Security & Compliance |
Microsoft 365 E5/A5/F5/G5 Information Protection and Governance |
Office 365 E5 + EMS E3 |
Microsoft 365 E5/A5/G5 |
Service Architecture & Hosting
Securosys - CloudHSM
Operated from Switzerland, Securosys365 DKE is globally accessible 24/7 as a cloud-based service.
Securosys365 uses Securosys CloudHSM as the key store. Available CloudHSM Cluster Locations:
- Switzerland (ch01-api.cloudshsm.com, ch02-api.cloudshsm.com)
- Germany (de01-api.cloudshsm.com, ch01-api.cloudshsm.com)
- United States (us01-api.cloudshsm.com, us02-api.cloudshsm.com)
- Singapore (sg01-api.cloudshsm.com, ch01-api.cloudshsm.com)
For more information on CloudHSM Clusters, see the CloudHSM documentation.
Securosys365 - DKE
Securosys365 – DKE (Cockpit and DKE Service) is deployed in Google Cloud, not in Azure. Its high-availability architecture allows deployment within minutes; on-premises options are also available upon request.
Add a new Azure Domain Name to your DKE Web Service (App)
After adding the Azure Domain Name, you must redeploy the app for the change to take effect; until you do, it is not applied.
Redeployment only takes a few seconds.
Steps:
- Go to Apps → "App name"
- Click Actions → Disable
- Then click Actions → Enable / Deploy
Sample Architecture
DKE Web Service Authentication Explained
To process an Encrypt or Decrypt request, the DKE Web Service must first verify the identity of the user making the request.
Here’s how it works:
- The user sends a request to encrypt or decrypt the document key (CEK).
- This request includes a JWT (JSON Web Token), which serves as a digital ID.
- Since authentication is tied to the user's Office 365 account, Microsoft Entra ID (formerly Azure AD) is used as the Identity Provider. (The user's identity is managed in the customer’s Microsoft tenant.)
- To validate the JWT, the DKE Web Service needs permission (consent) from the customer tenant to access and verify the user’s identity against Entra ID.
This setup ensures that only authorized users—confirmed through the customer’s Microsoft environment—can perform encryption or decryption using the DKE.
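The following is an added illustration of the token check described above, written for this page and not code from Securosys or from Microsoft's DKE reference service. It shows what a DKE Web Service has to verify on each Encrypt/Decrypt request before touching a key: the JWT's signature against the identity provider's published key set, a pinned algorithm (the token's own `alg` header is never trusted to pick the verifier), the expected issuer and audience, the customer's tenant ID (`tid`), and the validity window. Everything here is constructed for an offline run: `MintTestToken` generates a throwaway RSA key and mints a token the way Entra ID would, and the placeholder tenant ID, audience and `kid` are assumptions. In production the key set is fetched from the customer tenant's OpenID Connect discovery document rather than built locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of a JSON Web Key needed for RS256 verification.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// claims is the subset of Entra ID token claims the DKE service checks.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Tid string `json:"tid"` // tenant the token was issued for
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
}

// Policy holds what the service expects for the customer tenant (assumed values in main/test).
type Policy struct {
	Issuer   string
	Audience string
	TenantID string
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicKeyFromJWK rebuilds an RSA public key from its JWK modulus and exponent.
func publicKeyFromJWK(k jwk) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" {
		return nil, errors.New("unsupported kty")
	}
	nb, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	eb, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// ValidateToken verifies an RS256 JWT against the key set and policy and returns
// the verified claims. Any failure rejects the Encrypt/Decrypt request.
func ValidateToken(token string, keys jwks, pol Policy, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must not choose how it is verified ("none", HS256, ...).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid {
			if pub, err = publicKeyFromJWK(k); err != nil {
				return nil, err
			}
			break
		}
	}
	if pub == nil {
		return nil, errors.New("unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	// Claims are only checked after the signature, so they are the issuer's statements, not the caller's.
	switch {
	case c.Iss != pol.Issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != pol.Audience:
		return nil, errors.New("audience mismatch")
	case c.Tid != pol.TenantID:
		return nil, errors.New("token issued for another tenant")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case now.Unix() < c.Nbf:
		return nil, errors.New("token not yet valid")
	}
	return &c, nil
}

// MintTestToken stands in for Entra ID: it generates a constructed RSA key, signs the
// claims as an RS256 JWT and returns the matching JWKS. Test scaffolding only.
func MintTestToken(c claims, kid string) (string, jwks, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", jwks{}, err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", jwks{}, err
	}
	pub := priv.PublicKey
	set := jwks{Keys: []jwk{{Kid: kid, Kty: "RSA", N: b64url(pub.N.Bytes()), E: b64url(big.NewInt(int64(pub.E)).Bytes())}}}
	return signingInput + "." + b64url(sig), set, nil
}

func main() {
	// Assumed tenant/audience values; a real deployment takes these from the registered app.
	pol := Policy{Issuer: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0", Audience: "api://dke.example.test", TenantID: "TENANT-ID-PLACEHOLDER"}
	now := time.Now()
	tok, set, err := MintTestToken(claims{Iss: pol.Issuer, Aud: pol.Audience, Tid: pol.TenantID, Sub: "user-1", Exp: now.Add(10 * time.Minute).Unix(), Nbf: now.Unix()}, "kid-1")
	if err != nil {
		panic(err)
	}
	c, err := ValidateToken(tok, set, pol, now)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("verified subject:", c.Sub, "tenant:", c.Tid)
}
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the service rather than by the token, and the `tid` check is what ties the consent granted by the customer tenant to the request, so a valid token from a different Microsoft tenant is rejected even though Entra ID signed it.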
Enterprise Application API Permissions (Microsoft Graph)
Claim Value | Permission |
---|---|
email | View users' email address |
profile | View users' basic profile |
User.Read | Sign in and read user profile |
Cloud Exit
A Cloud Exit can be performed using a DKE re-labeling script.
This allows either replacing the current document label with a new one or removing it entirely.