Double Key encryption coming to Microsoft 365

Microsoft is taking an important step towards cloud storage security with the public preview of Double Key Encryption. That means, for the first time, Microsoft customers can secure their data from access, even by Microsoft itself.

All the ‘secure’ cloud storage from Microsoft can be accessed by Microsoft.  For all their talk about security, the hard reality is that files and data stored in the cloud can be read by the company managing the cloud servers.  Any cloud storage service can read the data for their own purposes or be compelled to copy data by law.

Most hyped security and encryption measures are about protecting customer access or access while data is copied.  They don’t fully protect data ‘at rest’ on cloud servers.

Microsoft admits that in their explanation of Double Key Encryption:

“… you can use DKE to help secure your content:
– You want to ensure that only you can ever decrypt protected content, under all circumstances.
– You don’t want Microsoft to have access to protected data on its own.”

That’s where Double Key Encryption (DKE) comes in.

With DKE, one of the two encryption keys is held by the customer only. 

To read data, two keys are necessary: one is held by Microsoft while the other is known only to the customer. Microsoft alone can’t read the files or data.
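The two-key idea described above, as an added sketch that is not Microsoft's implementation or code from the original article: a content key is wrapped under the customer's key and then under the cloud provider's key, so neither key alone recovers it. The function names, the wrapping order and the HMAC-SHA256 stand-in cipher (used so the example runs on the standard library alone) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in cipher, not for production."""
    out, counter = b"", 0
    while len(out) < n:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return xor(ct, keystream(key, nonce, len(ct)))

def protect(document: bytes, customer_key: bytes, cloud_key: bytes):
    """Encrypt under a fresh content key, then wrap that key twice."""
    content_key = secrets.token_bytes(32)
    inner = seal(customer_key, content_key)  # layer only the customer can open
    wrapped = seal(cloud_key, inner)         # layer only the cloud can open
    return seal(content_key, document), wrapped

def read(ciphertext: bytes, wrapped: bytes, customer_key: bytes, cloud_key: bytes) -> bytes:
    """Peel both layers in order; either key alone is not enough."""
    inner = unseal(cloud_key, wrapped)
    content_key = unseal(customer_key, inner)
    return unseal(content_key, ciphertext)

if __name__ == "__main__":
    customer_key, cloud_key = secrets.token_bytes(32), secrets.token_bytes(32)
    doc = b"constructed sample: patient record"
    ciphertext, wrapped = protect(doc, customer_key, cloud_key)
    print(read(ciphertext, wrapped, customer_key, cloud_key))
```

A party holding only the cloud key can strip the outer layer but is left with a blob sealed under the customer's key, which is the property that matters when the storage provider is compelled to hand over data.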

That’s great for companies storing sensitive data like medical records, financial transactions etc. 

Some countries have specific data protection laws that require Double Key Encryption, like the General Data Protection Regulation (GDPR), US Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA). Russia has a data localization law – Federal Law No. 242-FZ. Down under there’s Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.

Double Key Encryption in Office

Double Key Encryption appears as a Sensitivity Label in Word, Excel or PowerPoint.

DKE setup

It’s set up by Office 365 Admins under Information Protection: create a new sensitivity label and choose Use Double Key Encryption.

You need a Microsoft 365 E5 and Office 365 E5 suite to get Double Key Encryption.

You also need to set up a DKE service to store your (customer) encryption keys. Go to Double Key Encryption for Microsoft 365 for the details and downloads necessary.

Let’s hope this is just the start of DKE deployment.  It would be great to see it extended to other Microsoft 365 plans and easier options for DKE services.
