Microsoft Security Blog

Decrypt DKE protected content by Super User

Asraf_Ali_M (Microsoft)
Apr 01, 2025

In this blog, we will look at why a super user account is needed to decrypt DKE-protected content, the steps to set it up, and how to use the super user account to decrypt that content.

In today's digital age, safeguarding sensitive information is paramount for every organization. One of the most advanced methods of protecting data is Double Key Encryption (DKE) from Microsoft Purview. This encryption technique protects data with two keys: one key is stored securely under the organization's control, while the second key is managed by Microsoft Azure.

However, decrypting DKE-protected content on the organization's behalf, without involving the original user, is a complex process, especially when dealing with highly sensitive information. This is where the super user account comes into play. The super user account is a privileged account that must be configured with the necessary permissions to decrypt DKE-protected content.

Setting up DKE involves several steps, including deploying the DKE service, creating sensitivity labels, and configuring client devices. Once these steps are completed, the super user account can be used to decrypt DKE-protected content, providing a secure and efficient way to manage sensitive information.

Why Use a Super User Account to Decrypt DKE protected content?

A super user always has the Rights Management Full Control usage right for documents protected by your organization's Azure Information Protection tenant. This means that the super user account has access to the first key, the one stored in the Azure tenant. However, this alone is not sufficient to decrypt documents protected by DKE. To gain decryption access, administrators must also ensure that the super user has access to the second key, which is stored securely within the organization. Like any other user, the super user must be explicitly granted access to the DKE key.

For example, organizations can use this feature in the following scenarios:

    • An employee leaves the organization, but highly confidential documents encrypted with DKE labels need to be accessed by directors or other VIP users.
    • An IT administrator needs to remove the current DKE protection policy configured for files and apply a new protection policy.
    • Administrators need to bulk decrypt files for auditing, legal, or other compliance reasons.

How it works

The architecture diagram below details the DKE decryption flow.

Figure 1: Architecture Diagram
  1. The Microsoft Office client or MPIP client, running under a super user account, sends the double-encrypted part of the metadata that controls access (the double-encrypted content key) to Azure Information Protection.
  2. Azure Information Protection checks Azure Active Directory for access. If the user exists in Entra ID and is configured with super user access, Azure Information Protection authorizes access and decrypts the part of the metadata controlling access using your key in Azure Information Protection, thereby removing the outer layer of encryption. The part of the metadata controlling access to the content is now encrypted with only the DKE key.
  3. The Microsoft Office client or MPIP client sends the encrypted part of the metadata that controls access to the content to the DKE service, to be decrypted with the customer's private key.
    • If this is the first time the encrypted document is accessed, if the cached access (end-user license) has expired, or if the key in Azure has changed, the DKE service receives a request without authentication information and denies the Microsoft Office client access to the content.
    • When that happens, the DKE service signals the Microsoft Office client to supply authentication information. The Microsoft Office client requests a JSON Web Token (JWT) from the Entra ID token service, which returns a token carrying the required information to the Microsoft Office or MPIP client. The client then makes a second request to the DKE service, sending the encrypted part of the metadata that controls access to the content (the content key) together with the JWT it received from Azure.
  4. The DKE service decrypts the encrypted part of the metadata controlling access to the content using the private key in the DKE service and sends the decrypted content key back to the client.
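The flow above hinges on one point that is easy to miss: the Full Control right a super user holds in Azure RMS only strips the outer layer, and the DKE service still has to authorize the same identity before the content key appears. The PowerShell script below is an added illustration, not Microsoft's DKE implementation and not code from the original post. It models the two-layer wrapping of the content key with RSA key pairs generated locally: $azureKey stands in for the tenant key held by Azure RMS and $dkeKey for the customer key held by the DKE service. Neither private key is ever available to a real client; both are local here only so the flow can be traced end to end. It assumes PowerShell 7 (.NET 6 or later) for RSA.Create(int) and OAEP-SHA256, and the sample document text is constructed.

```powershell
# Added illustration of the DKE two-layer key wrapping; not Microsoft's code.
# $azureKey models the Azure RMS tenant key, $dkeKey the customer-held DKE key.
# Both private keys are local only for the demonstration. Assumes PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Text

$oaep = [RSAEncryptionPadding]::OaepSHA256

# One key pair per layer (constructed here). The outer key is 4096-bit so that a
# 256-byte RSA-2048 ciphertext fits inside a single OAEP-SHA256 block (max 446 bytes).
$dkeKey   = [RSA]::Create(2048)   # inner layer: customer-held DKE key
$azureKey = [RSA]::Create(4096)   # outer layer: Azure RMS tenant key

# --- Protection: encrypt the document with a fresh AES content key ----------
$aes    = [Aes]::Create()         # AES-256-CBC with PKCS7 padding by default
$plain  = [Encoding]::UTF8.GetBytes('Board minutes, highly confidential (constructed sample)')
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# Inner layer: content key wrapped with the DKE public key.
$innerWrapped  = $dkeKey.Encrypt($aes.Key, $oaep)
# Outer layer: the DKE-wrapped blob wrapped again with the Azure RMS key.
$doubleWrapped = $azureKey.Encrypt($innerWrapped, $oaep)

# --- Consumption: both services must authorize before the content key appears
function Unprotect-Document {
    param(
        [byte[]]$DoubleWrappedKey, [byte[]]$CipherText, [byte[]]$IV,
        [bool]$IsSuperUser,        # step 2: Azure RMS grants Full Control
        [bool]$AuthorizedForDke    # steps 3/4: identity is on the DKE service's authorized list
    )
    # Step 2: Azure RMS removes the outer layer only for a user it authorizes.
    if (-not $IsSuperUser) { return 'Denied by Azure RMS: user is not authorized' }
    $innerWrapped = $azureKey.Decrypt($DoubleWrappedKey, $oaep)

    # Steps 3/4: the DKE service removes the inner layer only for an authorized
    # identity; Full Control in Azure RMS does not bypass this check.
    if (-not $AuthorizedForDke) { return 'Denied by DKE service: user is not authorized for the DKE key' }
    $contentKey = $dkeKey.Decrypt($innerWrapped, $oaep)

    $dec = [Aes]::Create(); $dec.Key = $contentKey; $dec.IV = $IV
    $bytes = $dec.CreateDecryptor().TransformFinalBlock($CipherText, 0, $CipherText.Length)
    return [Encoding]::UTF8.GetString($bytes)
}

# Super user in Azure RMS, but not yet added to the DKE service's authorized list.
Unprotect-Document $doubleWrapped $cipher $aes.IV -IsSuperUser $true  -AuthorizedForDke $false
# Super user that has also been authorized in the DKE service (the setup in this post).
Unprotect-Document $doubleWrapped $cipher $aes.IV -IsSuperUser $true  -AuthorizedForDke $true
# Ordinary user with no rights on the document.
Unprotect-Document $doubleWrapped $cipher $aes.IV -IsSuperUser $false -AuthorizedForDke $true
```

Only the second call returns the plaintext. The first call is the situation Step 2 of the setup below exists to fix: a super user that Azure RMS fully trusts is still refused by the DKE service until its address is authorized there, which is exactly why the second key keeps its value even against tenant-level administrators.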

Set up Super User Account to Decrypt DKE protected content

Please refer to the workflow diagram below, which outlines the configuration steps.

Figure 2: Workflow
Step 1: Configure the Super User Account in the Azure RMS service using PowerShell
  1. Load the AIPService module by running Import-Module AIPService
  2. Connect to the AIP service for your tenant by running Connect-AipService
  3. Enable the super user feature by running Enable-AipServiceSuperUserFeature
  4. Add the admin account as a super user by running Add-AipServiceSuperUser -EmailAddress <primary email address or user principal name>
  5. Validate the configuration by running Get-AipServiceSuperUser
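The five steps above as one script, added here as an example and not code from the original post. It assumes the AIPService module is already installed (Install-Module -Name AIPService from the PowerShell Gallery if it is not) and that the connecting account is an Azure Information Protection administrator. The address is a placeholder, and the state checks assume the documented return values: Get-AipServiceSuperUserFeature returns 'Enabled' or 'Disabled', and Get-AipServiceSuperUser returns the configured addresses.

```powershell
# Added example: Step 1 end to end with a check before each change so the
# script is safe to re-run. Not code from the original post.
# Assumes the AIPService module is installed and the caller is an AIP admin.
$superUserUpn = 'superuser@contoso.example'   # placeholder, not a real account

Import-Module AIPService
Connect-AipService                             # prompts for admin credentials

# Enable the feature only if it is not already on (assumes 'Enabled'/'Disabled' output).
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}

# Add the account only if it is not already listed.
$current = @(Get-AipServiceSuperUser)
if ($current -notcontains $superUserUpn) {
    Add-AipServiceSuperUser -EmailAddress $superUserUpn
}

# Validate: the new address must now appear in the super user list.
$after = @(Get-AipServiceSuperUser)
if ($after -contains $superUserUpn) {
    Write-Output "Super user configured: $superUserUpn"
} else {
    Write-Error "Super user $superUserUpn not found after configuration"
}
```

Because a super user can decrypt everything the tenant protects, a practitioner typically dedicates an account to the role, reviews changes with Get-AipServiceAdminLog, and turns the feature off again with Disable-AipServiceSuperUserFeature once the bulk decryption or policy migration is complete. Note that this script covers only the Azure RMS side; the same address still has to be authorized in the DKE service (Step 2) before DKE-protected files open.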
Step 2: Grant permission to Super User Account in DKE service
  • I have added the Super User account as part of the Authorized Email Address list in the DKE service
Figure 3: Provide Authorization
Step 3: Sign in as the Super User Account in the Office or MPIP client to decrypt the file.
  • Try to open the DKE-protected document
Figure 4: End-user encrypted document
  • The Office application prompts for authentication
  • Provide the Super User credentials
Figure 5: Provide Super User credentials
  • You will be able to decrypt the document
Figure 6: Super User able to decrypt the document

Conclusion

By leveraging the Super User account, organizations can ensure that they can decrypt DKE-protected documents without requiring explicit permissions on the label. This provides a secure and efficient way to manage sensitive information, especially in emergency situations where immediate access to encrypted data is necessary. Understanding and implementing this process is essential for any organization looking to strengthen its data security and protect its valuable information.

References

The following links provide additional information that may give context for the design and plan.

  • Information about Double Key Encryption: https://learn.microsoft.com/en-us/purview/double-key-encryption
  • Set up the Double Key Encryption service in Azure: https://learn.microsoft.com/en-us/purview/double-key-encryption-setup
  • Configure super user access in Azure Information Protection: https://learn.microsoft.com/en-us/azure/information-protection/configure-super-users

Updated Apr 01, 2025
Version 2.0
Comments

Nithyapriya (Copper Contributor):

    Well-explained insight into the benefits of a Super User account for managing DKE-protected documents.