Microsoft Tech Community

Double Key Encryption details

I would like to find out how long a machine keeps the content key after it gets decrypted via the Double Key Encryption API. Is it configurable? Is it possible to flush those keys? If a document is protected using a specific ID of a key, when will it be rotated to the latest version of that key? Is it possible to force this?

1 Reply

Hi @jjakub 
The content key is used to decrypt MIP-protected documents, and it is typically stored in the user's computer memory while the document is being accessed. Once the document is closed, the key is usually cleared from the memory.
If you are talking about offline consumption, last time I checked you cannot consume a DKE-protected document when you do not have a connection to the second key.
The document will stay protected with the old key ID (second key) till you consume and save the document again.