Sensitivity Label support for Double Key Encryption (DKE) 01

Microsoft 365 offers integrated data protection features to encrypt users' data, both while it is stored and while it is in transit. Users can safeguard their information using Microsoft Purview Information Protection, which provides classification and labeling tools. Additionally, data is protected as it travels across the network and while it is stored within the Microsoft 365 service.

The graphic below shows the encryption options available in Microsoft 365 and where each applies in a simplified view of the OSI model. "Data-in-transit" refers to data being transmitted over a network, for example during file transfers or through email, chat, or posts. "Data-at-rest" refers to data saved on a device, a network drive, or other shared storage.


Double Key Encryption

Double Key Encryption (DKE) for Microsoft 365 enables users to protect their highly sensitive data to meet specialized requirements. It helps users maintain full control of their encryption keys.

It uses two keys to protect data: one key under the customer's control and a second key stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, protected data remains inaccessible to Microsoft, which gives customers full control over the privacy and security of that data.
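As an added illustration (not code from the original article or from Microsoft's DKE service), the Go program below models the two-key design: the content key is wrapped first with the customer-held RSA key and then with the Azure-held RSA key, so removing Microsoft's layer alone leaves a blob that is still encrypted to the customer. It assumes a 2048-bit customer key and an Azure key of at least 3072 bits (so the 256-byte inner wrap fits under OAEP with SHA-256); the wrap order and formats are a simplified model, not the real DKE wire protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Protected is a constructed stand-in for a DKE-protected item: content sealed
// under a symmetric content key, plus that key wrapped under two RSA keys.
type Protected struct{ Nonce, Ciphertext, DoubleWrappedKey []byte }

// Protect seals plaintext with a fresh AES-256-GCM content key, wraps that key
// with the customer-held key (RSA-OAEP), then wraps the result with the
// Azure-held key (assumed >= 3072 bits so a 2048-bit inner wrap fits).
func Protect(plaintext []byte, customer, azure *rsa.PublicKey) (*Protected, error) {
	contentKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(contentKey) // crypto/rand.Read never returns an error (Go 1.24+)
	rand.Read(nonce)
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, customer, contentKey, nil)
	if err != nil {
		return nil, err
	}
	outer, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, azure, inner, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(contentKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &Protected{nonce, gcm.Seal(nil, nonce, plaintext, nil), outer}, nil
}

// Open needs both private keys. Azure's layer comes off first; what is left is
// still RSA ciphertext under the customer key, not a usable AES key.
func Open(p *Protected, customer, azure *rsa.PrivateKey) ([]byte, error) {
	inner, err := rsa.DecryptOAEP(sha256.New(), nil, azure, p.DoubleWrappedKey, nil)
	if err != nil {
		return nil, err
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, customer, inner, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(contentKey) // a successful unwrap yields 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}
```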


Double Key Encryption allows users to store their keys and data within the same geographical boundary, helping them meet compliance requirements. Users also have flexibility in how they manage the keys that protect their data. They can either use keys generated by Microsoft, or provide their own encryption keys and use Azure key management capabilities to determine how keys are used in the service.

When should Double Key Encryption be used?

Organizations should consider using Double Key Encryption to help secure highly sensitive data if they have any of the following requirements:

  1. Ensuring that Microsoft does not have access to protected data
  2. Ensuring that the organization has full control of its key, and that users with the required permissions have access to the encryption key, under all circumstances
  3. Complying with regulatory requirements to hold the encryption key within a geographical boundary

It's recommended that organizations use Microsoft Purview Information Protection capabilities (classification and labeling) to protect most of their sensitive data and use Double Key Encryption only for their mission-critical data. Double Key Encryption is particularly relevant for extremely sensitive data in highly regulated industries such as financial services and healthcare.

Comparing DKE with other encryption solutions

Hold your own key (HYOK)

Hold Your Own Key (HYOK) configurations enable AIP users with the classic client to protect highly sensitive content while maintaining full control of their key. HYOK uses an additional, user-held key that is stored on-premises for highly sensitive content, together with the default cloud-based protection used for other content.


Users define AIP labels to support HYOK by updating the following AIP label properties:

  • Protection settings
  • Select Protection, “HYOK (AD RMS)”

These HYOK labels are then scoped to the users that need to apply HYOK protection and published so that AIP classic clients can apply them to content that must remain protected by the on-premises key.

HYOK is often used for documents that are:

  • Restricted to just a few people
  • Not shared outside the organization
  • Consumed only on the internal network
  • Given the highest classification in your organization, such as "Top Secret"

Content can be encrypted using HYOK protection only if you have the classic client, which was deprecated in March 2021. However, if you have HYOK-protected content, it can be viewed in both the classic and the unified labeling client.

Microsoft 365 and other online services can't decrypt HYOK-protected content. HYOK protection only enables access to data for on-premises applications and services.

For more information, see Hold Your Own Key (HYOK) details.

How is Double Key Encryption different from the existing Hold your own key (HYOK)?

Double Key Encryption encrypts your data with two keys, one under your control and the second stored in Microsoft Azure, allowing you to move your encrypted data to the cloud. HYOK protects your content with only one key, and that key is always on-premises.

Double Key Encryption is the designated replacement solution for HYOK as tenants move from AIP and the AIP classic client to MIP unified labeling support.

What happens to the documents that are protected with HYOK?

Deploying Double Key Encryption will not affect a customer's existing HYOK setup. Microsoft recommends that current HYOK users start using Double Key Encryption in parallel with HYOK. Microsoft is working on a solution to help migrate HYOK-protected content to Double Key Encryption and will share details as soon as it is able to.


Bring your own key (BYOK)

Bring Your Own Key (BYOK) protection uses keys that are created by users, either in Azure Key Vault or on-premises in the user's organization. These keys are then transferred to Azure Key Vault for further management.

  • The user key must be stored in Azure Key Vault for BYOK protection.
  • The tenant key stays protected by Azure Key Vault; Microsoft (and anyone on the internet) cannot see the tenant key in the cloud.
  • Microsoft can replicate the tenant key across a controlled set of HSMs for scale or disaster recovery (within a region or instance), but cannot export it.
  • Azure Key Vault and Azure Information Protection provide logging information that shows how the tenant key and protected data are used (AIP label analytics).

The tenant has full control and authorizes the Azure Information Protection service to use the key. Azure Information Protection can then use the tenant key along with sensitivity labels to authorize users to open RMS-protected documents.

Use BYOK when your organization has compliance regulations for key generation, including control over all life-cycle operations; for example, when your key must be protected by a hardware security module.

For more information, see Bring your own key (BYOK) details for Azure Information Protection.

What is the difference between Customer Key encryption and Bring Your Own Key (BYOK) with Azure Information Protection for Exchange Online?

Both options enable you to provide and control your own encryption keys; however, service encryption with Customer Key encrypts your mailbox itself at rest on Office 365 servers, while BYOK with Azure Information Protection for Exchange Online encrypts your data in transit and provides persistent online and offline protection for email messages and attachments in Office 365. The two complement each other.

More articles by MIR MD NEWAZ MORSHED