Announcing public preview of Double Key Encryption for Microsoft 365
Published Jul 21 2020 08:00 AM

The prevalence of remote work in today’s environment relies heavily on the sharing of information, challenging organizations to drive productivity while maintaining data privacy and regulatory compliance. Organizations in highly regulated industries such as financial services and healthcare face additional challenges. Some of their data (e.g., trade secrets, patents, and financial algorithms) needs the highest level of protection and controls. Failure to protect this mission-critical data not only tarnishes a company’s reputation, but can lead to a loss of customer trust and cost millions of dollars. It is more important than ever to maintain control of your highly sensitive data and prevent third-party access to it.


Microsoft 365 provides built-in data protection by encrypting customer data, both at rest and in transit. For added protection, we encrypt customer data at the application layer and provide flexible key management solutions. Customers can further protect their data based on content using Microsoft Information Protection’s classification and labeling capabilities. Adding to our data protection solutions, we are pleased to announce the public preview of Double Key Encryption for Microsoft 365. Double Key Encryption helps organizations protect their mission-critical data - a small volume of their overall data.


Highly regulated industries are increasingly focused on enhancing their data protection and privacy programs due to the rising threat of data breaches and identity theft[1]. In 2019, more than 60 percent of all leaked records exposed were those of financial services organizations[2], and healthcare organizations saw a 37 percent increase in data breaches[3]. With Microsoft Information Protection, we provide customers with a broad set of capabilities that helps them meet most of their data protection needs for organization-wide data. With Double Key Encryption for Microsoft 365, we now enhance the depth of protection for highly sensitive data to meet specialized requirements.


Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key. It uses two keys to protect your data: one key in your control, and a second key stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.


With Double Key Encryption, you can:

  • Maintain full control of your key
  • Enjoy a consistent labeling experience
  • Simplify deployment


Maintain full control of your key

You can host the Double Key Encryption service, which is used to request your key, in a location of your choice (an on-premises key management server or the cloud) and maintain it as you would any other application. Double Key Encryption puts you in control by letting you add the necessary access controls to the Double Key Encryption service and giving you the flexibility to store the encrypted data on-premises or in the cloud. You can move your highly sensitive data to the cloud and be confident about preventing third-party access because you maintain full control of your key. Double Key Encryption allows you to store your data and key in the same location and help meet regulatory requirements across several regulations and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Russia’s data localization law – Federal Law No. 242-FZ, Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.


Enjoy a consistent labeling experience

Storing your highly sensitive data in an on-premises infrastructure typically results not only in high costs, but also in an inconsistent user experience across different systems. Double Key Encryption uses the Azure Information Protection unified labeling client to provide a consistent labeling experience across your data estate. Admins and users with the required permissions can create labels with Double Key Encryption in the Microsoft 365 compliance center, just as they can for any other sensitivity label type. Once the label is created, admins can assign policies to the labels in the Microsoft 365 compliance center. Users can protect their data by selecting the Double Key Encrypted label in the Sensitivity ribbon in Microsoft Office, providing a consistent experience.



 Figure 1: Creating a label with Double Key Encryption in the Microsoft 365 compliance center



 Figure 2: Labeling with Double Key Encryption in Word


Simplify deployment

Organizations often store their mission-critical data on-premises to maintain control and prevent unauthorized access. Implementing on-premises data storage and protection solutions requires heavy investments in talent and resources to deploy, integrate, and maintain the complicated infrastructure. We are simplifying the deployment process for the Double Key Encryption service by providing implementation code with detailed instructions. You can access the code and instructions by cloning the Double Key Encryption repository from GitHub and updating it with your tenant or on-premises Active Directory and public and private keys. Once your Double Key Encryption service is deployed and verified, you will be ready to create labels and protect your mission-critical data.


Get started today

Double Key Encryption is available as part of the Microsoft 365 E5 and Office 365 E5 suite. If you don’t have a Microsoft 365 E5 license, you can sign up for a trial. To get started with Double Key Encryption, navigate to GitHub to clone this repository and set up the Double Key Encryption service. To learn more, see this documentation on Double Key Encryption.


[1] Cap Gemini: Data privacy in financial services industry

[2] Infosecurity Magazine: Financial services breaches

[3] Infosecurity Magazine: Healthcare data breaches


Last update: May 11 2021 02:03 PM