On 7/21/2020, Microsoft released a new encryption which is going to help in securing mission critical data. This is a major breakthrough in the Microsoft security world. We have been using Microsoft Azure Information Protection and this will add another label. However it is not that simple to create the label for Double Key Encryption (DKE) because you need to create an app.
What is Double Key Encryption?
Microsoft 365 provides built-in data protection by encrypting customer office 365 data, both while keeping and in transitioning. For addition protection, we encrypt the data at the application layer and provide flexible key management solutions. Double Key Encryption helps organizations protect the mission-critical and highly sensitive data ((e.g., trade secrets, patents, and financial algorithms) while keeping full control of your encryption key. It uses two keys to protect the data, first key in customer control, and the second key is stored in Microsoft Azure. Both of the keys will be required to view data protected with Double Key Encryption. Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security. So, in a nutshell, even Microsoft (provider) with admin privileges can’t access the data or open the backdoors.
Double Key Encryption
will be used in Public Sector, Defense, CJIS Orgs, Financials, and Medical organizations.
We know many organizations had
security concerns on keeping the data in Microsoft cloud with the concern of Encryption key is still with Microsoft.
Now these organizations can move these documents to Microsoft cloud and encrypt the documents with
“Double Key Encryption”. We can see a huge adoption of “Double Key Encryption” in the
Public Sector, Defense, CJIS Orgs, Financials, and Medical organizations.
Double Key Encryption allows us to store the data & key in the same location and help meet regulatory requirements across several regulations and standards such for example General Data GDPR, HIPAA, GLBA, Russia’s data localization law – Federal Law No. 242-FZ, Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.
Where will it show up?
If you configure today then it will show in the preview and it will show up right below under “Assign permissions to specific users and groups.”
Wait a minute. I guess many of us went ahead to create a label, and found it missing.
You will not find this option yet.
We need to follow the steps mentioned in the below mentioned blog to enable “Double Key Encryption”.
When deployed the Double Key Encryption, we had to follow the YouTube video by Kevin McKinnerney who does not exist in the public networking as LinkedIn and twitter.
Overall here are the simple steps are mentioned below:
Create and Configure Azure App.
- Register and Configure then app in the Azure Active Directory.
- Configure Sensitivity label in Security and Compliance Admin center.
- Publish Sensitivity label.
On the clients configure the following:
- Install Azure Information Protection Unified Client (versions 126.96.36.199 or later). https://docs.microsoft.com/en-us/azure/information-protection/rms-client/aip-clientv2
- Install Office 365 Proplus insider version (CurrentPreview) which should be version *.12711 or later.
Configure following registry key.
DKE only supports Word, Excel, and PowerPoint. No support for OneNote and outlook emails.
Here is how it will look like.