Double Key Encryption (DKE)

Introduction & Concepts

Modern work environments, especially those using cloud services, require advanced data protection. While standard permissions and encryption offer baseline security, Microsoft Purview Information Protection (MPIP) strengthens it by encrypting data and embedding usage rights directly with the information. This protection persists wherever the data goes and allows compatible services (e.g., indexing, malware scanning) to function securely.

For highly sensitive data, even stronger safeguards are needed—particularly protection from the cloud provider itself. This is where Double Key Encryption (DKE) comes in.

The Challenge: Protecting Sensitive Data in the Cloud

When sensitive data is stored in the cloud, standard security measures may not meet the confidentiality requirements of regulated industries. These organizations often must ensure that data remains inaccessible even to the cloud provider.

Limitations of Standard Encryption Methods

  • Cloud providers typically manage the encryption keys.
  • They have the technical ability to access encrypted data.
  • Shared control of keys poses regulatory and compliance challenges.

Microsoft’s Solution: Microsoft Purview Information Protection (MPIP)

Before exploring DKE, it's essential to understand MPIP/Azure RMS, which DKE extends.

  • Core Functionality: MPIP is a client-side encryption system that automates key management, streamlining protection compared to traditional PKI. It uses Microsoft Entra ID for identity and authorization based on user email or UPN. MPIP enforces usage restrictions—like preventing printing or setting expiry dates—via sensitivity labels, and these controls travel with the file.
  • Key Components:
    • Microsoft Entra ID: Manages identities and tenant separation.
    • Purview Information Protection Service: Handles sensitivity labels and protection settings.
    • Azure Rights Management (Azure RMS): Manages Microsoft-controlled cryptographic keys and processes encryption requests.
    • Clients: Apps (e.g., Microsoft 365) or services that access protected content.
    • (DKE Specific) DKE Web Service: A customer-controlled component discussed in the DKE flow.

Double Key Encryption (DKE)

Double Key Encryption (DKE) builds directly on top of Microsoft Purview Information Protection. Standard MPIP/Azure RMS provides the foundation: identity, rights management, and the Microsoft-managed key. DKE adds a second, customer-controlled key to achieve maximum data confidentiality and control, offering the highest level of information control within Microsoft 365 for specific, high-sensitivity use cases. This second key ensures that Microsoft, or any cloud provider, cannot decrypt or access protected content, even if requested legally or administratively.

What is Double Key Encryption?

  • Two Keys: Content is protected using two keys. One key is managed by Microsoft (as with standard MPIP). The second key is held exclusively by you, the customer; it is managed in the Securosys365 - Cockpit and protected by a Securosys Cloud HSM (Hardware Security Module).
  • Customer Control: Microsoft has no access to your private, second key. Therefore, Microsoft cannot decrypt DKE-protected content.
  • Data Privacy by Design: Securosys can never access your document content. Only the content encryption key is decrypted within the Securosys CloudHSM; the document itself is never sent to Securosys systems, so your content stays private and secure.
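
The layering described in the list above, as an added example (not Microsoft's or Securosys' code, and not the MPIP wire format). It is a simplified model that assumes the provider-side key is an AES-256 key and the customer key is an RSA-2048 pair used with OAEP; the function names and all keys and sample data are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout: nonce (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: encrypt the document locally under a fresh content key (CEK),
// wrap the CEK for the customer key, then seal that under the provider-side key.
function protect(doc, providerKey, customerPublicKey) {
  const cek = crypto.randomBytes(32);
  const inner = crypto.publicEncrypt({ key: customerPublicKey, ...OAEP }, cek);
  return { encDoc: seal(cek, doc), wrappedCek: seal(providerKey, inner) };
}

// Stand-in for the customer-controlled key service: it receives only the
// RSA-wrapped CEK and returns the CEK. Document bytes never reach it.
function dkeDecrypt(customerPrivateKey, wrappedForCustomer) {
  return crypto.privateDecrypt({ key: customerPrivateKey, ...OAEP }, wrappedForCustomer);
}

// Opening needs both parties in turn; `dke` is the only call that leaves the client.
function unprotect(env, providerKey, dke) {
  const inner = open(providerKey, env.wrappedCek); // provider-side layer
  const cek = dke(inner);                          // customer-side layer
  return open(cek, env.encDoc);                    // document decrypted locally
}

// Constructed sample keys and document.
const customer = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const providerKey = crypto.randomBytes(32);
const env = protect(Buffer.from('constructed sample document'), providerKey, customer.publicKey);
const recovered = unprotect(env, providerKey, (b) => dkeDecrypt(customer.privateKey, b)).toString();
console.log(recovered);
```

Whatever the document size, the only value handed to `dkeDecrypt` is the 256-byte wrapped key, and holding either key alone is not enough to recover the content key.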

Securosys365 - DKE

Securosys 365 DKE is a Swiss cloud service offering Double Key Encryption to encrypt Microsoft 365 Office documents with Hardware Security Module protected keys. It allows users to manage their DKE Web Service in a modern web application with strong access control enhancements.

The Securosys 365 DKE solution provides:

  • the customer-controlled private key (DKE Key Management),
  • the deployment of DKE Web Service apps,
  • control of DKE service access.

Critical Security Considerations (for DKE)

Important: DKE provides powerful control, but its security effectiveness is entirely dependent on your organization's ability to secure its components. Securosys 365 - DKE employs strong security controls that go beyond standard implementations to help you mitigate these risks; more information can be found on our Securosys365 - RBAC page.

  • Protect Your Key: The primary security requirement for DKE is rigorously safeguarding the customer-controlled private key managed by your DKE service. If this key is compromised, the core benefit of DKE is lost.
  • Protect Identities: Just as critical is protecting the user and administrator identities authorized to access the DKE service. Compromised identities could be used to legitimately request the customer key and bypass DKE protection.
  • Identity Provider Risk: Using the same identity provider (e.g., Azure Active Directory) for both standard Microsoft 365 access and authenticating to the DKE service introduces significant risk. A single identity compromise could potentially grant access to both keys. Carefully evaluate this risk based on your threat model. Further measures are available, such as additional strict enforcement rules applied through Securosys365 - Role Based Access Controls.

How is Double Key Encryption (DKE) used?

DKE is a feature within Microsoft Purview Information Protection (leveraging the underlying Azure Rights Management service, or Azure RMS). It adds a second layer of protection controlled entirely by the customer.

DKE consists of two main parts:

  1. Client Functionality: Integrated directly into Microsoft 365 Apps for desktop (like Word, Excel, PowerPoint, Outlook). This allows users to apply DKE protection.

  2. DKE Web Service: A web server component operated by Securosys and controlled by the customer. This service manages the customer's private key. It is easily deployed in Securosys CloudHSM using the Securosys365 - DKE Cockpit.



Summary

| Issue/Feature | Standard MPIP | DKE (with Securosys365) |
|---|---|---|
| Who holds the encryption key? | Microsoft (cloud provider) | Microsoft + Customer (Securosys HSM) |
| Can Microsoft access the content? | Technically possible (with limitations) | No access possible |
| Control over sensitive data | Shared control | Exclusive customer control |
| Compliance with stringent data regulations | Limited (depends on jurisdiction) | Enhanced compliance |

Additional Resources

What's Next

For a smooth start setting up Double Key Encryption with Securosys365 - DKE:

  • Consult the Get Started page for a comprehensive task list.
  • Consult the Operations page for the Key Management and DKE Web Service Management guides.
  • For in-depth instructions about Securosys365 - DKE, read and follow the DKE - Knowledge base.