cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcing public preview of Double Key Encryption for Microsoft 365
By
Benjy Levin
Published Jul 21 2020 08:00 AM 30.5K Views
Benjy Levin
Microsoft
‎Jul 21 2020 08:00 AM

Announcing public preview of Double Key Encryption for Microsoft 365

‎Jul 21 2020 08:00 AM

The prevalence of remote work in today’s environment relies heavily on the sharing of information, challenging organizations to drive productivity while maintaining data privacy and regulatory compliance. Organizations in highly regulated industries such as financial services and healthcare face additional challenges. Some of their data (e.g., trade secrets, patents, and financial algorithms) needs the highest level of protection and controls. Failure to protect this mission-critical data not only tarnishes a company’s reputation, but can lead to a loss of customer trust and cost millions of dollars. It is more important than ever to maintain control of your highly sensitive data and prevent third-party access to it.

 

Microsoft 365 provides built-in data protection by encrypting customer data, both at rest and in transit. For added protection, we encrypt customer data at the application layer and provide flexible key management solutions. Customers can further protect their data based on content using Microsoft Information Protection’s classification and labeling capabilities. Adding to our data protection solutions, we are pleased to announce the public preview of Double Key Encryption for Microsoft 365. Double Key Encryption helps organizations protect their mission-critical data - a small volume of their overall data.

 

Highly regulated industries are increasingly focused on enhancing their data protection and privacy programs due to the rising threat of data breaches and identity theft[1]. In 2019, more than 60 percent of all leaked records exposed were those of financial services organizations[2], and healthcare organizations saw a 37 percent increase in data breaches[3]. With Microsoft Information Protection, we provide customers with a broad set of capabilities that helps them meet most of their data protection needs for organization-wide data. With Double Key Encryption for Microsoft 365, we now enhance the depth of protection for highly sensitive data to meet specialized requirements.

 

Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key. It uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.  

 

With Double Key Encryption, you can:

  • Maintain full control of your key
  • Enjoy a consistent labeling experience
  • Simplify deployment

 

Maintain full control of your key

You can host the Double Key Encryption service used to request your key, in a location of your choice (on-premises key management server or in the cloud) and maintain it as you would any other application. Double Key Encryption puts you in control by providing you the ability to add necessary access controls to the Double Key Encryption service, and the flexibility to store the encrypted data on-premises or in the cloud. You can move your highly sensitive data to the cloud and be confident about preventing third-party access as you maintain full control of your key. Double Key Encryption allows you to store your data and key in the same location and help meet regulatory requirements across several regulations and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Russia’s data localization law – Federal Law No. 242-FZ, Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.

 

Enjoy a consistent labeling experience

Storing your highly sensitive data in an on-premises infrastructure typically results not only in high costs, but an inconsistent user experience across different systems. Double Key Encryption uses the Azure Information Protection unified labeling client to provide a consistent labeling experience across your data estate. Admins and users with required permissions can create labels with Double Key Encryption in the Microsoft 365 compliance center, just like they can for any other sensitivity label type. Once the label is created, admins can assign policies to the labels in the Microsoft 365 compliance center. Users can protect their data by selecting the Double Key Encrypted label in the Sensitivity ribbon in Microsoft Office, providing a consistent experience.

 

DKE pic 1.png

 Figure 1: Creating a label with Double Key Encryption in the Microsoft 365 compliance center

 

DKE pic 3.png

 Figure 2: Labeling with Double Key Encryption in Word

 

Simplify deployment

Organizations often store their mission-critical data on-premises to maintain control and prevent unauthorized access. Implementing on-premises data storage and protection solutions warrants heavy investments in talent and resources to deploy, integrate, and maintain the complicated infrastructure. We are simplifying the deployment process for the Double Key Encryption service by providing implementation code with detailed instructions. You can access the code and instructions by cloning the Double Key Encryption repository from GitHub and update it with your tenant or on-premises Active Directory and public and private keys. Once your Double Key Encryption service is deployed and verified, you will be ready to create labels and protect your mission-critical data.

 

Get started today

Double Key Encryption is available as part of the Microsoft 365 E5 and Office 365 E5 suite. If you don’t have a Microsoft 365 E5 license, you can sign up for a trial. To get started with Double Key Encryption, navigate to GitHub to clone this repository and set up the Double Key Encryption service. To learn more, see this documentation on Double Key Encryption.

 

[1] Cap Gemini: Data privacy in financial services industry

[2] Infosecurity Magazine: Financial services breaches

[3] Infosecurity Magazine: Healthcare data breaches

 

19 Comments
dipendas1979
Brass Contributor
‎Jul 22 2020 07:40 AM
‎Jul 22 2020 07:40 AM

@Benjy Levin Is this applicable to only documents labelled using "Data Classification" or Emails as well ? 

0 Likes
Like
dotASM
Copper Contributor
‎Jul 24 2020 03:04 AM
‎Jul 24 2020 03:04 AM

 

@dipendas1979

MIP and OME uses the same RMS service in the background for protection/encryption. You should be able to deploy the Sensitivity Label, that uses the Double Key Encryption (I expect it's an RMS Template) to Exchange Online.
But keep in mind that this will be very tricky with external receipients, as you will need to authorize them to access your key to be able to read encrypted mails. Not sure you want that though :)

For Emails, I think it is better to stay with OME and/or S/MIME (for internal receipients, which actually is the most safe option in regards to third party access to encrypted mails compared to OME = RMS with MS Managed Key)

GeorgW
Copper Contributor
‎Jul 28 2020 05:41 AM
‎Jul 28 2020 05:41 AM

Is this an development based on "Customer Key"? Will it replace "Customer Key"?

0 Likes
Like
Benjy Levin
Microsoft
‎Aug 11 2020 11:33 PM
‎Aug 11 2020 11:33 PM

@GeorgW this is unrelated to Customer Key. It is more related to HYOK - Hold Your Own Key. 

0 Likes
Like
Benjy Levin
Microsoft
‎Aug 11 2020 11:35 PM
‎Aug 11 2020 11:35 PM

@dipendas1979 as part of this Public Preview, we have currently only announced support for documents (WXP files).

0 Likes
Like
GeorgW
Copper Contributor
‎Aug 12 2020 02:13 AM
‎Aug 12 2020 02:13 AM

@Benjy Levin : Ok, I see. So "Customer Key" offers the customer to bring his key (BYOK) to the encryption in the Cloud and "Double Key Encryption" give the customer the option to hold his key (HYOK) for the encryption in the Cloud anywhere he want.

0 Likes
Like
MT-AV
Copper Contributor
‎Aug 13 2020 12:05 PM
‎Aug 13 2020 12:05 PM

@GeorgW Customer Key is for O365 service encryption of data-at-rest. Double Key Encryption is a new option for Azure Information Protection and sort of a hybrid between BYOK and HYOK for AIP.

0 Likes
Like
duokey
Copper Contributor
‎Sep 28 2020 04:31 AM
‎Sep 28 2020 04:31 AM

@Benjy Levin DKE works like a charm and really add value for regulated customer. I've tested using Mobile app (Office WORD, EXCEL ...) but seems that native mobile apps are not aware of DKE. When this will work with the mobile app ? Can it work on Microsoft E3 or Azure Information Protection P2 at least ? 

0 Likes
Like
andrevrodrigues
Copper Contributor
‎Jan 27 2021 04:19 AM
‎Jan 27 2021 04:19 AM

Hi, 

 

What's the best way to verify the use of DKE within a protected document?

How can I verify if the DKE was applied with success to the document/email?

 

Thanks

0 Likes
Like
Benjy Levin
Microsoft
‎Feb 02 2021 04:19 PM
‎Feb 02 2021 04:19 PM

@andrevrodrigues you can open the document in notepad and search for "Microsoft.DKE.Key" -- the presence of this would mean that the document was protected using DKE. Alternatively, you can try opening the content in an older version of Office that does not support DKE and should see a failure when trying to decrypt the content. 

andrevrodrigues
Copper Contributor
‎Feb 03 2021 01:39 AM
‎Feb 03 2021 01:39 AM

Hi @Benjy Levin, thank you for your message, but I had a problem at the moment, I can't even apply a label with the DKE to the documents.

Every time I try I get multiple errors on a different scenarios:

Create a new Word doc - "Word cannot save or create this file. Make sure that the disk you want to save the file on is not full, write-protected, or damaged".

Substitute older label to DKE label in a doc. - The document can't save successfully.

Apply a label to pdf file - I can't open after, even being Owner

 

I have:

  • Microsoft 365 Apps for enterprise
  • Enterprise Mobility + Security E5

 

I already refresh the templates, multiple times.

0 Likes
Like
Benjy Levin
Microsoft
‎Feb 03 2021 03:02 PM
‎Feb 03 2021 03:02 PM

@andrevrodrigues please ensure that you are using the correct version of the Office Client that supports DKE as per https://aka.ms/dkedocs

and that you have configured your DKE service correctly, and modified the registry key settings for the Office Clients as mentioned in the documentation. If you have any further issues or require additional assistance, please reach out to our IP community on Yammer or open a support ticket. 

0 Likes
Like
duokey
Copper Contributor
‎Feb 03 2021 10:36 PM
‎Feb 03 2021 10:36 PM

@andrevrodrigues , I know when this kind of errors may happens

- user has no access to your DKE endpoint

- issue on the keys access control

your DKE endpoint is not configured correctly on your Azure tenant for user_imporsonation or callback URL maybe wrong

 

0 Likes
Like
andrevrodrigues
Copper Contributor
‎Feb 08 2021 06:42 AM
‎Feb 08 2021 06:42 AM

@Benjy Levin I cannot find the specific path, as indicated:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\flighting] -> I only have the CurrentVersion, which is 1.0.4114.0 and Server
and

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\flighting] -> I only have the CurrentVersion, OfficeClientVersion, which is 1.0.2456.0, RMSOServerVerification and Server.

0 Likes
Like
andrevrodrigues
Copper Contributor
‎Feb 08 2021 06:53 AM
‎Feb 08 2021 06:53 AM

@duokey I have Service Administrator role on app service and i'm Owner on App registration.

 

"your DKE endpoint is not configured correctly on your Azure tenant for user_imporsonation or callback URL maybe wrong" - how can I validate?

I follow all the steps at the Microsoft Docs: Double Key Encryption (DKE) - Microsoft 365 Compliance | Microsoft Docs

0 Likes
Like
Deleted
Not applicable
‎Feb 21 2021 05:54 PM
‎Feb 21 2021 05:54 PM

@Benjy Levin  has this gone into GA now?

0 Likes
Like
Benjy Levin
Microsoft
‎Feb 22 2021 10:31 AM
‎Feb 22 2021 10:31 AM

@Deleted Yes! See  https://aka.ms/DKEdocs for more info. 

0 Likes
Like
andrevrodrigues
Copper Contributor
‎Mar 26 2021 11:23 AM
‎Mar 26 2021 11:23 AM

Hi @Benjy Levin,

 

In the available documentation about DKE configuration, there is no reference about migrating BYOK protected files to DKE labels, is it possible? As documented for HYOK protected files.

 

Thanks

0 Likes
Like
Benjy Levin
Microsoft
‎Apr 02 2021 12:51 PM
‎Apr 02 2021 12:51 PM

@andrevrodrigues yes this relabeling should be compatible with DKE-based labels.

Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: