Hi, I spent a lot of time gathering information about DKE; here are a few things that are not clear in this article:
- DKE content can be stored anywhere, even on SharePoint/Teams/OD4B. The post means that M365 services cannot read, preview or index the content. Microsoft does not have the key needed to look into the documents. Therefore there is a trade-off; the disadvantages are clearly documented in the Microsoft article (eDiscovery, Delve, etc.).
- A label using DKE must be set from the Microsoft desktop client on Windows with the UL client installed (forget iOS, web, mobile, etc.).
- Even Outlook can use the same labeling system, but again, only Microsoft Outlook can use a label containing DKE. And for an external recipient to be able to decrypt the content, special requirements for having access to DKE are in place.
- By configuring the label (https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations#configure-a-label-to-apply-smime-protection-in-outlook) you can apply S/MIME protection instead of DKE for emails, even when using a label configured with DKE. But you have to have a working S/MIME deployment.
- The DKE Service must be built by the customer or purchased from a vendor (they are coming). The provided reference is just a sample of how it can be used, but the sample in the Git repository is not enterprise ready!
- If you build your own DKE Service, you are responsible for its high availability!
- You also need to have a key store (HW, i.e. an HSM, or SW, e.g. Azure Key Vault).
- If you want to be 100% sure, you probably want to have an HSM on premises with your own highly available DKE Service (running either in the cloud or on premises).

Peter Forster
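The points above about M365 services being unable to read DKE content and about the customer owning the availability of the DKE Service both follow from the content key being wrapped twice. The following Python script is an added toy model written for this page; it is not Microsoft's implementation and not the comment author's code. Its assumptions: the content key is wrapped first with the customer's key (held only by the customer-run DKE Service) and then with the Microsoft-side tenant key, so both unwrap steps must succeed; the key names, the `dke_service` callable and the SHA-256 keystream cipher are constructed for this illustration only.

```python
"""Toy model of Double Key Encryption (DKE).

Added illustration, not Microsoft's implementation.  Assumptions of this model:
the content key is wrapped first with the customer's key (held only by the
customer-run DKE Service) and then with the Microsoft-side tenant key, so both
unwrap steps must succeed.  The cipher is a SHA-256 counter-mode keystream with
an HMAC tag, chosen only so the script runs offline with the standard library;
it is not production cryptography.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256(key || nonce || counter) keystream (toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    return _keystream_xor(key, nonce, ct)


def protect(content: bytes, ms_key: bytes, customer_key: bytes) -> dict:
    """Labelling side: random content key, double-wrapped (customer inner, Microsoft outer)."""
    content_key = secrets.token_bytes(32)
    inner = seal(customer_key, content_key)  # only the customer's DKE Service can undo this
    outer = seal(ms_key, inner)              # only the tenant's M365 side can undo this
    return {"ciphertext": seal(content_key, content), "wrapped_key": outer}


def unprotect(envelope: dict, ms_key: bytes, dke_service) -> bytes:
    """Consuming side. `dke_service` is a callable standing in for the customer's
    DKE Service endpoint (hypothetical); None models the service being unreachable."""
    inner = open_sealed(ms_key, envelope["wrapped_key"])  # Microsoft side removes the outer layer only
    if dke_service is None:
        raise RuntimeError("DKE Service unavailable: content cannot be opened")
    content_key = dke_service(inner)                       # customer side removes the inner layer
    return open_sealed(content_key, envelope["ciphertext"])


def make_dke_service(customer_key: bytes):
    """Stand-in for the customer-run DKE Service holding its key in its own key store."""
    return lambda wrapped: open_sealed(customer_key, wrapped)


def demo() -> dict:
    """Returns the outcome of the three situations the comment describes."""
    ms_key, customer_key = secrets.token_bytes(32), secrets.token_bytes(32)
    env = protect(b"board minutes, confidential", ms_key, customer_key)  # constructed sample content
    results = {"both_keys": unprotect(env, ms_key, make_dke_service(customer_key))}
    try:  # a hosted service holding only the Microsoft key cannot index or preview the content
        unprotect(env, ms_key, make_dke_service(ms_key))
        results["microsoft_only"] = "opened"
    except ValueError:
        results["microsoft_only"] = "blocked"
    try:  # DKE Service down: nothing opens, which is why its availability is the customer's problem
        unprotect(env, ms_key, None)
        results["service_down"] = "opened"
    except RuntimeError:
        results["service_down"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script prints the three outcomes: the content opens only when the Microsoft-side unwrap and the customer's DKE Service both succeed, while a party holding just the Microsoft key or a consumer whose DKE Service is unreachable is blocked. That is the mechanism behind both the eDiscovery/Delve limitations and the high-availability responsibility listed above.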