This blog post is intended to show how to publish Double Key Encrytion (DKE) reference implementation in an on-premises Windows Server with IIS – keeping full control over the key and the service.
Double Key Encryption (DKE) is a new feature, which enables customers to protect their most confidential content using a key they control, thereby allowing them to comply with regulatory requirements. DKE ensures that Microsoft cannot access their data under any circumstances.
The quickest way to get the DKE reference implementation running is by publishing it to Azure – detailed steps can be found in our documentation . However, many of our customers prefer to test and run DKE on-premises – here we describe the necessary steps to implement this option.
For this post, we assume the server will be reachable under the following URL:
Join the server to a domain, in case membership of a local AD group should be the criteria for authorizing access to the DKE service.
Install a suitable Web server certificate to the machine store. The certificate needs to match the URL, under which the service can be reached. Certificate used for IIS
Install IIS with with default role features – selecting «Next» on each page of the wizard.
Download and install the .NET 3.1.9 hosting bundle. The bundle is available here.
Build and publish code to IIS
Switch to the machine with Visual Studio Code installed, which was used for steps 1 to 5.
Open an administrative command line and switch to the directory «DoubleKeyEncryptionService\src\customer-key-store»
Run the following command: dotnet publish --configuration Release
Transfer the following directory to the folder c:\ of the IIS machine – this will result in a new folder c:\publish on the IIS machine: «DoubleKeyEncryptionService\src\customer-key-store\bin\Release\netcoreapp3.1\publish»
On IIS, create a new web site «DKE» with https binding, port 443 and using host name "aip-dke4.contoso-o365.net": IIS site configuration
Make sure the value for «JwtAudience» matches the selected URL for the IIS Server:
Finish DKE implementation
The following steps are needed to complete the DKE implementation (refer again to our documentation)
7. Validate your deployment
8. Register your key store
9. Create sensitivity labels using DKE
10. Enable DKE in your client
11. Migrate protected files from HYOK labels to DKE labels
By publishing the DKE service on an on-premises server with IIS, customers maintain full control over the key used for protecting their most sensitive content.