Understanding Microsoft Information Protection Encryption Key Types (2023)

“Microsoft Managed Key (MMK), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), and Double Key Encryption (DKE)”

Blog Purpose

Enterprises often create, share, and store sensitive data on-premises, in the cloud, and across multiple clouds. Due to the nature of business and to meet regulatory requirements, sensitive data should always be securely stored and protected with solutions that include strong data encryption. Enterprises are also heterogeneous: one size does not fit all, since they all have different business needs.

Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. MIP provides a unified set of capabilities to know your data, protect your data, and help prevent data loss across Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook) and services (e.g., Teams, SharePoint, and Exchange).

Microsoft offers a variety of encryption keys that support various customer scenarios. Because it can be a daunting task to understand the various encryption key types and their applications in the context of your environment, this blog describes the Microsoft Information Protection (MIP) encryption key types. It expands on each key offering and highlights the unique aspects, differences, benefits, challenges, typical use cases, and a high-level architectural overview of each key type. Our intent is to keep the right level of technical depth to help readers get a good understanding of the various key options. Refer to NIST SP 800-57 for key management best practices. The blog outlines the elements that enable encryption, discusses Rights Management services and the various key types, and concludes with comparison tables that help in choosing the appropriate key type.

Underlying elements that enable Microsoft Encryption key types

Encryption Algorithms

  • MIP uses both symmetric encryption and public-key encryption for different processes, leveraging the best of both types of algorithm, each performing a different function.
  • Symmetric AES (Advanced Encryption Standard) is used to encrypt the plaintext of emails and files; the AES key used depends on the type of content.
  • The asymmetric RSA (Rivest-Shamir-Adleman) algorithm with a 2048-bit key is used to encrypt the symmetric key and thus ensure the secrecy of the content.

Tenant Keys

  • A tenant key is the root encryption key tied to a tenant. In other words, content encrypted with MIP in a tenant roots to the tenant key that was active at the time the content was protected.
  • The tenant key is used to encrypt other keys that in turn are used to protect emails and files and to grant access to users.
  • The tenant key is common to all emails and files protected by MIP and can be changed only by the MIP administrator for the tenant.

Content Keys

  • Content keys are symmetric keys; they are used to encrypt the content itself (the plaintext).
  • The content key is protected with the tenant's RSA key, together with the policy in the document that defines access to the content.
  • The encrypted policy and content key are embedded in the document itself and persist through edits to the document. The document metadata is neither encrypted nor protected. For more details, refer to Azure Information Protection (AIP) labeling, classification, and protection | Microsoft Docs.

Microsoft Rights Management Services

The following section provides an overview of how a client initializes the environment so that users can begin protecting and consuming sensitive data[i]. This is common across all encryption key types that use MSIPC clients. (Ref: How Azure RMS works - Azure Information Protection | Microsoft Docs)

Initializing the Environment

[Figure: initializing the environment]

STEP 1: Before a user can protect content or consume protected content on a Windows computer, the user environment must be prepared on the device. This is a one-time process and happens automatically without user intervention when a user tries to protect or consume protected content.

The RMS client (aka MIP Client) on the computer first connects to the Rights Management service (RMS) and authenticates the user by using their Azure Active Directory account.

STEP 2: After the user is authenticated, the connection is automatically redirected to the organization’s MIP tenant, which issues certificates that let the user authenticate to the RMS to consume protected content, and to protect content offline.

One of these certificates is the rights account certificate, often abbreviated to RAC. This certificate authenticates the user to Azure Active Directory and is valid for 31 days. The certificate is automatically renewed by the RMS client, provided the user account is still in Azure Active Directory and the account is enabled. This certificate is not configurable by an administrator.

A copy of this certificate is stored in Azure so that if the user moves to another device, the certificates are created by using the same keys.

Content Protection

[Figure: content protection]

STEP 1: The RMS client creates a random key (the content key) and encrypts the document using this key with the AES symmetric encryption algorithm.

STEP 2: The RMS client then creates a certificate that includes a policy for the document, which specifies the usage rights for users or groups and other restrictions, such as an expiration date. These settings can be defined in a template that an administrator previously configured, or specified at the time the content is protected (sometimes referred to as an "ad hoc policy").

The main Azure AD attribute used to identify the selected users and groups is the Azure AD Proxy addresses attribute, which stores all the email addresses for a user or group. However, if a user account does not have any values in the AD Proxy addresses attribute, the user's User Principal Name value is used instead.

The RMS client then uses the organization’s key that was obtained when the user environment was initialized and uses this key to encrypt the policy and the symmetric content key. The RMS client also signs the policy with the user’s certificate that was obtained when the user environment was initialized.

STEP 3: The RMS client embeds the policy into a file with the body of the document encrypted previously, which together comprise a protected document. This document can be stored anywhere or shared by using any method, and the policy always stays with the encrypted document.

Content Consumption

[Figure: content consumption]

STEP 1: The authenticated user sends the document policy and the user’s certificates to the Azure Rights Management service. The service decrypts and evaluates the policy and builds a list of rights (if any) the user has for the document. To identify the user, the Azure AD Proxy addresses attribute is used for the user's account and groups to which the user is a member. For performance reasons, group membership is cached. If the user account has no values for the Azure AD Proxy addresses attribute, the value in the Azure AD User Principal Name is used instead.

STEP 2: The service then extracts the AES content key from the decrypted policy. This key is then encrypted with the user’s public RSA key that was obtained with the request. The re-encrypted content key is then embedded into an encrypted use license with the list of user rights, which is then returned to the RMS client.

STEP 3: Finally, the RMS client takes the encrypted use license and decrypts it with its own user private key. This lets the RMS client decrypt the document’s body as it is needed and render it on the screen. The client also decrypts the rights list and passes them to the application, which enforces those rights in the application’s user interface.
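
The protection and consumption steps above, carried through end to end as an added example (this is not code from the original blog or from Microsoft's RMS client; the real MIP wire formats, certificates and group expansion are not modelled). Assumptions: AES-256-GCM stands in for the AES content encryption, RSA-OAEP with 2048-bit keys for wrapping the policy and content key, RSA-PSS for the signature the client puts on the policy, and users are identified by a plain email string in a JSON policy; the names Protect, IssueUseLicense, Consume, Policy, ProtectedDoc and UseLicense are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy travels inside the document: rights per user plus the AES content key (layout assumed).
type Policy struct {
	ContentKey []byte              `json:"k"`
	Rights     map[string][]string `json:"rights"`
}

// ProtectedDoc: body sealed under the content key; policy encrypted to the tenant key and signed.
type ProtectedDoc struct{ Nonce, Body, EncPolicy, Signature []byte }

// UseLicense: the content key re-wrapped to one consuming user, plus that user's rights.
type UseLicense struct {
	WrappedKey []byte
	Rights     []string
}

// Protect is the client-side flow (Content Protection steps 1-3).
func Protect(plain []byte, rights map[string][]string, tenantPub *rsa.PublicKey, author *rsa.PrivateKey) (*ProtectedDoc, error) {
	key := make([]byte, 32) // step 1: random AES-256 content key
	rand.Read(key)
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	body := gcm.Seal(nil, nonce, plain, nil)
	// step 2: policy + content key, encrypted to the tenant's RSA key and signed by the author.
	pol, _ := json.Marshal(Policy{ContentKey: key, Rights: rights})
	if len(pol) > tenantPub.Size()-2*sha256.Size-2 { // RSA-OAEP direct-wrap limit
		return nil, errors.New("policy too large to wrap directly; use a policy key")
	}
	encPol, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tenantPub, pol, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(encPol)
	sig, err := rsa.SignPSS(rand.Reader, author, crypto.SHA256, digest[:], nil)
	// step 3: the encrypted body and the policy travel together as the protected document.
	return &ProtectedDoc{Nonce: nonce, Body: body, EncPolicy: encPol, Signature: sig}, err
}

// IssueUseLicense is the service side (Content Consumption steps 1-2): verify the author's
// signature, decrypt the policy with the tenant private key, evaluate the requesting user's
// rights, and re-wrap the content key under that user's public key.
func IssueUseLicense(doc *ProtectedDoc, tenant *rsa.PrivateKey, authorPub, userPub *rsa.PublicKey, user string) (*UseLicense, error) {
	digest := sha256.Sum256(doc.EncPolicy)
	if err := rsa.VerifyPSS(authorPub, crypto.SHA256, digest[:], doc.Signature, nil); err != nil {
		return nil, fmt.Errorf("policy signature invalid: %w", err)
	}
	pol, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tenant, doc.EncPolicy, nil)
	if err != nil {
		return nil, err
	}
	var p Policy
	if err := json.Unmarshal(pol, &p); err != nil || len(p.Rights[user]) == 0 {
		return nil, errors.New("access denied: no rights for " + user) // group expansion omitted
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, p.ContentKey, nil)
	return &UseLicense{WrappedKey: wrapped, Rights: p.Rights[user]}, err
}

// Consume is the client side (Content Consumption step 3): unwrap the content key with the
// user's private key and decrypt the body; the rights list is returned for the app to enforce.
func Consume(doc *ProtectedDoc, lic *UseLicense, user *rsa.PrivateKey) ([]byte, []string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, user, lic.WrappedKey, nil)
	if err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, doc.Nonce, doc.Body, nil)
	return plain, lic.Rights, err
}

func main() {
	tenant, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed tenant key
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)  // protecting user's key pair
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)    // consuming user's key pair
	rights := map[string][]string{"alice@example.com": {"VIEW", "EDIT"}, "bob@example.com": {"VIEW"}}
	doc, _ := Protect([]byte("constructed sensitive body"), rights, &tenant.PublicKey, alice)
	lic, err := IssueUseLicense(doc, tenant, &alice.PublicKey, &bob.PublicKey, "bob@example.com")
	if err != nil {
		panic(err)
	}
	plain, rs, err := Consume(doc, lic, bob)
	fmt.Println(string(plain), rs, err)
}
```

The size check in Protect is the caveat a practitioner hits first: RSA-OAEP can only wrap a short message directly, so a policy larger than about 190 bytes under a 2048-bit key needs an intermediate symmetric policy key rather than direct wrapping. Two other properties of the flow are worth checking against the text: the service only ever returns the content key wrapped to the requester's own public key, so a license issued to one user is useless to another, and a tampered policy is rejected on the signature check before the tenant private key is used at all.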

How office applications and services support Rights Management

End-user Office applications and Office services also use the Rights Management service to protect data. The Office applications are Word, Excel, PowerPoint, and Outlook; the Office services are Exchange[ii] and Microsoft SharePoint[iii],[iv]. The Office configuration that supports the Rights Management service often uses the term information rights management (IRM).

Office 365 apps, Office 2019, Office 2016, and Office 2013 provide built-in support for the Azure Rights Management service. No client computer configuration is required to support the IRM features for applications such as Word, Excel, PowerPoint, Outlook, and Outlook on the web. All users need to do for these apps on Windows is sign in to their Office applications with their Microsoft 365 credentials. They can then protect files and emails and use files and emails that have been protected by others. Users who have Office for Mac must first verify their credentials before they can protect their content.[v]

To enable third-party applications to build native support for applying labels and protection to files, refer to the Microsoft Information Protection Software Development Kit[vii]: Microsoft Information Protection SDK documentation | Microsoft Docs

Key Management Options

Now that we have a good understanding of encryption and how the IRM client enables this functionality, let us dig deeper into the various encryption key options. Microsoft offers four encryption key management options as part of the MIP offering. Per the cloud shared responsibility model, enterprise CISOs and data owners have the ultimate accountability for choosing and implementing the right key option that allows their enterprise to securely create, use, share, store, archive, and destroy data. The Microsoft key management options are Microsoft Managed Key (MMK), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), and Double Key Encryption (DKE). Enterprises can choose the key solution that addresses their business scenarios for protecting and securing 'sensitive' and 'highly sensitive' data. All the key options are built on the elements described above, which are common across the board; only the implementation varies for each key type.

Typically, an enterprise's data landscape has the following structure. The majority of the data, ~80%, is non-sensitive, not subject to compliance requirements, and does not require encryption. Enterprises are most concerned about their sensitive data (~15%) and highly sensitive data (~5%), which they want to protect. By using the MIP key options you can protect your data assets; additionally, you can use different MIP keys to adequately protect different types of sensitive data in your digital estate.

[Figure: enterprise data landscape: ~80% non-sensitive, ~15% sensitive, ~5% highly sensitive]

1. Microsoft Information Protection – Microsoft Managed Keys 

Microsoft fully owns and manages the key. Microsoft offers a full key management solution that customers can use to instantiate their MIP tenant. This is the default choice if it meets the business needs, and the most preferable option for smaller enterprises. It is also the quickest and most effective way to get started with MIP, with the least administrative effort and without requiring special hardware. It supports various key operations such as Rekey, Revoke, Backup, Export and Respond[viii].

High-level Architecture of ‘Microsoft Managed Key’:

[Figure: high-level architecture of Microsoft Managed Key]

Uniqueness:

  • Microsoft generates your tenant key and keeps the master copy.
  • Customers can export their tenant keys through Microsoft Customer Support Services.
  • RMS can use your tenant key to authorize users to open your documents.
  • RMS provides logging information to show how your protected data is used.

Benefits:

  • Key management is fully handled by Microsoft.
  • It is quick and easy for the customer to deploy.
  • Cost-effective solution; no separate key management hardware or software is required.
  • Least administrative effort compared to the other key solutions.
  • Customers have the choice to rekey the tenant key when a business scenario calls for it.
  • The key is automatically revoked by Microsoft when a subscription is cancelled, making the key unusable to protect or view data after revocation.
  • Data may still be viewed after cancelling the subscription, provided the customer has exported the TPD (trusted publishing domain).

Challenges:

  • While customers can export their tenant key, they own the accountability for safeguarding the exported key.
  • Rekeying may take a while to propagate to all existing clients and services used by the enterprise. Rekeying makes the new key the one used for protecting new content; it does not re-protect existing protected content. Existing protected content can still be opened as long as the previous key is retained in the archive; to move it to the new key, a user must unprotect it with the previous key and re-protect it.
  • Customers have the responsibility of initiating the process of exporting tenant keys from Microsoft.

Use MMK when:

  • Enterprises do not need to manage their tenant keys.
  • You do not have to comply with stringent compliance and regulatory requirements.

How it works:

  • Upon activation of the Azure Information Protection service, Microsoft generates a tenant key.
  • Microsoft manages most aspects of the tenant key life cycle.
  • Azure Active Directory authenticates users.
  • RMS uses the tenant key to authorize users to open your documents.
  • RMS provides logging information to show how your protected data is used.

2. Microsoft Information Protection - Bring Your Own Key

Customers own and manage this key. When enterprises must comply with regulatory requirements, they have the option to bring their own key; in other words, they can generate their own key anywhere and bring it to Azure Key Vault.

High-level Architecture of ‘Bring Your Own Key’:

[Figure: high-level architecture of Bring Your Own Key]

Uniqueness:

  • Customers generate and protect the MIP tenant key.
  • Microsoft cannot see or export the customer's MIP tenant key, as it stays protected by HSMs.
  • The key can be software-protected or hardware (HSM)-protected.

Benefits:

  • Customers can use this solution when moving to the cloud from on-premises (HYOK to BYOK).
  • The customer manages the MIP tenant key.
  • The customer has full control over the generated key (master copy, backup).
  • Customers can use custom specifications for the key to comply with specific regulatory needs.
  • Enables customers to meet regulatory and compliance requirements. Customers can audit.
  • Customers can securely transfer their keys to Microsoft Hardware Security Modules (HSMs).
  • Microsoft can replicate tenant keys across a controlled set of HSMs for scale or disaster recovery.
  • Microsoft can provide log information to show how your tenant key and protected data are used.

Challenges:

  • Customers have initial administrative overhead when setting up the solution.

Use BYOK when:

  • Use BYOK when your organization has compliance regulations for key generation, including control over all life-cycle operations; for example, when your key must be protected by a hardware security module.

How it works:

  • Customers generate their tenant key.
  • Customers securely transfer their own tenant key to Microsoft HSMs.
  • Your key stays protected by Thales or other vendor HSMs.
  • RMS can use your tenant key to authorize users to open your documents.
  • Microsoft can replicate your tenant key across a controlled set of HSMs for scale and disaster recovery, but cannot export it.
  • RMS provides logging information to show how your tenant key and protected data are used.

3. Microsoft Information Protection - Hold Your Own Key (Classic Only)

Note: 'Hold Your Own Key was supported with the AIP classic client. As we announced in 2020, the AIP classic client will no longer be supported as of March 31, 2021. HYOK is included here for reference purposes only.'

When enterprises want to maintain data opacity at all costs, the Hold Your Own Key solution provided this functionality; however, this option will be deprecated soon in favor of Double Key Encryption, which is more compatible with the overall MIP Unified Labeling story. HYOK protects data in a way where the organization holds the key: the enterprise fully operates its own Active Directory, Rights Management Server, and Hardware Security Modules that hold the key. HYOK protection uses a key that is created and held by the customer, in a location isolated from the cloud. Since HYOK protection only enables access to data for on-premises applications and services, customers may also need a cloud-based key for managing cloud documents.

High-level Architecture of ‘Hold Your Own Key’:

[Figure: high-level architecture of Hold Your Own Key]

Uniqueness:

  • Most suitable for cases where opaque data is required, and it comes with trade-offs.
  • Customers deploy Azure Information Protection in their organization.
  • MIP is cloud hosted, but it enables customers to operate cloud-only, on-premises, or hybrid.
  • Customers define policies using Azure RMS for regular sensitive data.
  • Customers define policies using Active Directory (AD) RMS for "sensitive" (HYOK-protected) data.
  • Ideal for highly sensitive data that will not be shared outside of the enterprise.

Benefits:

  • Microsoft does not have access to on-premises, self-hosted keys.
  • AD RMS content cannot be consumed by users from different tenants.
  • HYOK supports documents and email using the AIP classic client.
  • Gives complete, air-gapped control over the encryption of toxic content.

Challenges:

  • The customer owns the Active Directory and the AD RMS server.
  • The AD RMS server should not be published on the internet.
  • HYOK works solely with an AD and AD RMS instance.
  • HYOK should be used with fully managed PCs only.
  • AD RMS content is not recognized by O365 (no search, pivoted views, eDiscovery, anti-spam, or anti-malware).
  • Email based on AD RMS is not compatible with or supported by Office 365 Message Encryption (OME).
  • Data cannot be accessed by mobile devices.
  • AIP unified labeling does not and will not support HYOK; it works only with the AIP classic client.
  • Extremely difficult to manage and deploy; it may require specialized skills and admin overhead to use, and it breaks much of the MIP functionality that the cloud has to offer.

Use HYOK when:

  • Use when documents have the highest classification in your organization, such as "Top Secret".
  • Access is restricted to just a few people.
  • The documents are not shared outside the organization.
  • They are consumed only on internal networks.

How it works:

  • Deploy Azure Information Protection in your organization and configure labels and policies.
  • Deploy multiple RMS services within your AIP environment.
  • Configure Azure RMS protection policies for "regular" sensitive data.
  • Configure AD RMS protection policies for "sensitive" data.
  • Keep your AD RMS out of the demilitarized zone (DMZ).
  • Configure the RMS connector if you operate in a hybrid environment (on-premises and cloud).
  • HYOK should be used with fully managed PCs to access "sensitive" data.

4. Microsoft Information Protection – Double Key Encryption (AIP UL Client)

Double Key Encryption is suitable for customers whose mission-critical data is their most sensitive and requires higher protection to meet regulatory requirements. Double Key Encryption uses two keys together to access protected content. Microsoft stores one key in Microsoft Azure and the customer holds the other key. Customers maintain full control of one of the keys using the Double Key Encryption service. You can apply protection to your highly sensitive content using the Azure Information Protection Unified Labeling client.

High Level Architecture of Double Key Encryption:

[Figure: high-level architecture of Double Key Encryption]

Uniqueness:

  • Suitable for protecting highly sensitive data in the WXP (Word, Excel, PowerPoint) Microsoft 365 Apps for enterprise.
  • DKE helps to meet several regulatory requirements.
  • Customers can choose any location (on-premises or a third-party cloud) to host their DKE service.
  • Customers can share DKE-encrypted content across tenants if the users have access to the Azure key and the required permission to access the key in the DKE service.
  • Data remains opaque to Microsoft under all circumstances. Only customers can decrypt the data.

Benefits:

  • Customers maintain full control of their keys. Host your key and store your protected data in the location of your choice (on-premises or in the cloud); it remains opaque to Microsoft.
  • Manage user access to your key and content. Choose who has permission for the web service to access your key and decrypt content.
  • Enjoy a consistent labeling experience. Double Key Encryption labels function like other sensitivity labels in the Microsoft Information Protection ecosystem, ensuring a consistent end-user and admin experience.
  • Simplify deployment. Reference code and instructions help deploy the Double Key Encryption service used to request your key. We support the reference implementation hosted on GitHub. Any modifications to the reference implementation are at the customer's own risk and responsibility.

Challenges:

  • Customers need to deploy and manage their own DKE service.
  • As of today, DKE is supported only by the AIP UL client (not Office built-in sensitivity labeling) and for documents only, but this may change in the future.
  • There are services that cannot work with DKE-encrypted content (examples: transport rules including anti-malware and anti-spam that require visibility into the attachment, Microsoft Delve, eDiscovery, content search and indexing, and Office Web Apps including coauthoring functionality). (Double Key Encryption (DKE) - Microsoft 365 Compliance | Microsoft Docs)
  • Any external application or service that is not integrated with DKE through the MIP SDK will be unable to perform actions on the encrypted data.

Use DKE when:

  • Double Key Encryption is intended for your most sensitive data that is subject to the strictest protection requirements.
  • Customers want to ensure that only they can ever decrypt protected content, under all circumstances.
  • The enterprise does not want Microsoft to be able to access protected data on its own.
  • It has regulatory requirements to hold keys within a geographical boundary. With DKE, customers can choose to host their DKE service and keys in the location of their choosing.

How it works:

  • If you have not already, set up the Azure Information Protection service using MMK or BYOK.
  • Deploy the Double Key Encryption service at your preferred location, i.e., on-premises or in the cloud.
  • The Microsoft Office client plus the AIP Unified Labeling client bootstraps to the AIP service.
  • The AIP service sends the customer's public key to the Office client, which caches it for 30 days.
  • The Microsoft Office client plus the AIP Unified Labeling client requests the customer-controlled public key from the DKE service.
  • The document metadata controlling access to the document is encrypted with the key from DKE.
  • The encrypted part of the metadata is further encrypted with AIP, thus double encrypting the document.
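
The two-layer protection described in the DKE bullets above, as an added example (this is not the blog's code or Microsoft's DKE reference implementation; layout and names are the example's own). Assumptions: the customer-held DKE key is an RSA-2048 key pair, the Azure-held key is modelled as a 32-byte AES-GCM key, and the DKE service's permission check is a simple allow-list keyed by email. The point it makes is the one the text makes: with either key missing, or without the DKE service's permission, the content key cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DoubleWrapped holds a content key under two layers (layout is an assumption):
// inner: RSA-OAEP to the customer-held DKE key; outer: AES-GCM under a key only Azure holds.
type DoubleWrapped struct{ Nonce, Blob []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DoubleWrap is the client side: the customer layer goes on first, the Azure layer second.
func DoubleWrap(contentKey []byte, customerPub *rsa.PublicKey, azureKey []byte) (*DoubleWrapped, error) {
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, customerPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(azureKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &DoubleWrapped{Nonce: nonce, Blob: gcm.Seal(nil, nonce, inner, nil)}, nil
}

// AzureUnwrap removes only the Azure layer. What comes back is still RSA ciphertext,
// so the Microsoft side never sees the content key.
func AzureUnwrap(dw *DoubleWrapped, azureKey []byte) ([]byte, error) {
	gcm, err := gcmFor(azureKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, dw.Nonce, dw.Blob, nil)
}

// CustomerUnwrap is the customer's DKE service: it checks the caller's permission
// before using the private key, so an unauthorised caller gets no key material.
func CustomerUnwrap(inner []byte, customerPriv *rsa.PrivateKey, caller string, allowed map[string]bool) ([]byte, error) {
	if !allowed[caller] {
		return nil, fmt.Errorf("DKE service: %s is not permitted to use this key", caller)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, customerPriv, inner, nil)
}

func main() {
	customer, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed customer DKE key
	azureKey := make([]byte, 32)                       // stands in for the Azure-held key
	rand.Read(azureKey)
	contentKey := make([]byte, 32) // constructed content key
	rand.Read(contentKey)
	dw, _ := DoubleWrap(contentKey, &customer.PublicKey, azureKey)
	inner, _ := AzureUnwrap(dw, azureKey)
	_, err := CustomerUnwrap(inner, customer, "bob@example.com", map[string]bool{"alice@example.com": true})
	fmt.Println(err) // bob is not on the allow-list, so the DKE service refuses
}
```

Order matters for the failure modes: handing the still-double-wrapped blob straight to the DKE service fails (the RSA layer is not on the outside), a wrong Azure key fails GCM authentication before anything reaches the customer, and the customer's permission check runs before the private key is touched. Those three checks are what a DKE deployment's logs should show being exercised.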

Synopsis

*With the AIP classic client deprecation, HYOK is no longer relevant. Documented for reference purposes only.

The table below shows a high-level comparison between the various MIP key options. IT admins can assess the various aspects to select the most suitable option that meets their business scenario.

Table 1: Key options and key actions (each cell held an icon that did not survive extraction)

  Action                            | MMK    | BYOK   | HYOK*  | DKE
  Revoke a tenant key.              | (icon) | (icon) | (icon) | (icon)
  Re-key your tenant key.           | (icon) | (icon) | (icon) | (icon)
  Backup & recover your tenant key. | (icon) | (icon) | (icon) | (icon)
  Customers can export tenant keys. | (icon) | (icon) | (icon) | (icon)
  Microsoft can export tenant keys. | (icon) | (icon) | (icon) | (icon)

Table 2: Key options and administrative effort:

  Administrative Effort | MMK | BYOK | HYOK* | DKE
  Low                   |  ✓  |  -   |   -   |  -
  Moderate              |  -  |  ✓   |   -   |  -
  High                  |  -  |  -   |   ✓   |  ✓

Table 3: Key options and licensing requirements (each cell held an icon that did not survive extraction):

  License | MMK    | BYOK   | HYOK*  | DKE
  AIP P1  | (icon) | (icon) | (icon) | (icon)
  AIP P2  | (icon) | (icon) | (icon) | (icon)
  M365 E3 | (icon) | (icon) | (icon) | (icon)
  M365 E5 | (icon) | (icon) | (icon) | (icon)

Table 4: Applications supported (each cell held an icon that did not survive extraction):

  Applications Supported                             | MMK    | BYOK   | HYOK*  | DKE
  OneDrive                                           | (icon) | (icon) | (icon) | (icon)
  SharePoint Online                                  | (icon) | (icon) | (icon) | (icon)
  Exchange Online                                    | (icon) | (icon) | (icon) | (icon)
  Microsoft 365 (Office 365 Word, Excel, PowerPoint) | (icon) | (icon) | (icon) | (icon)
  Microsoft 365 (Office 365 - Email)                 | (icon) | (icon) | (icon) | (icon)
  On-premises Exchange                               | (icon) | (icon) | (icon) | (icon)
  On-premises SharePoint                             | (icon) | (icon) | (icon) | (icon)
  Teams                                              | (icon) | (icon) | (icon) | (icon)

Table 5: Platforms supported (each cell held an icon that did not survive extraction):

  Platform | MMK    | BYOK   | HYOK*  | DKE
  Windows  | (icon) | (icon) | (icon) | (icon)
  iOS      | (icon) | (icon) | (icon) | (icon)
  Android  | (icon) | (icon) | (icon) | (icon)

Frequently asked questions

How to renew symmetric keys

https://docs.microsoft.com/en-us/azure/information-protection/develop/how-to-renew-symmetric-key

How to export tenant keys for MMKs:

https://docs.microsoft.com/en-us/azure/information-protection/operations-microsoft-managed-tenant-ke...

What are DKE License requirements?

https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/mi...

How to configure DKE

https://docs.microsoft.com/en-us/microsoft-365/compliance/double-key-encryption?view=o365-worldwide

References

[i] How Azure RMS works - Azure Information Protection | Microsoft Docs

[ii]

[iii]

[iv] Enable sensitivity labels for Office files in SharePoint and OneDrive - Microsoft 365 Compliance | M...

[v] Configuration for clients to use Office apps with Azure RMS from AIP | Microsoft Docs

[vi] Licenses and Certificates, and how AD RMS protects and consumes documents

[vii] Microsoft Information Protection SDK documentation | Microsoft Docs

[viii] Microsoft-managed - AIP tenant key life cycle operations | Microsoft Docs

[ix] Customer-managed - AIP tenant key life cycle operations | Microsoft Docs

[x] How to prepare an Azure Information Protection “Cloud Exit” plan

[xi] Bring Your Own Key (BYOK) details - Azure Information Protection | Microsoft Docs

[xii]

[xiii] Bring Your Own Key (BYOK) details - Azure Information Protection | Microsoft Docs

[xiv] Operations for your Azure Information Protection tenant key

[xv] Host DKE on IIS, using an on-premises server - Microsoft Tech Community

[xvi] Implement DKE B2B scenarios - Microsoft Tech Community

FAQs

What are the 3 types of encryption keys?

Two families cover almost all encryption keys. Symmetric (secret-key) encryption uses a single key for both encryption and decryption and is the efficient choice for bulk data; 256-bit AES keys are symmetric keys. Asymmetric (public/private) encryption uses a mathematically related pair of keys: data encrypted with the public key can be decrypted only with the matching private key. In practice the two are combined: a symmetric content key encrypts the data and an asymmetric key encrypts (wraps) the content key, which is exactly the split MIP makes between content keys and the tenant root key.

What type of encryption does Azure Information Protection use?

Azure Information Protection uses AES 256 and AES 128 to encrypt documents. Every content key is in turn protected by a customer-specific tenant root key, which is RSA 2048-bit. RSA 1024-bit is still accepted for backwards compatibility, but it is below current NIST minimums and should not be used for a new tenant key.

How does Microsoft manage encryption keys?

When using Microsoft-managed keys, Microsoft online services automatically generate and securely store the root keys used for service encryption. Customers with requirements to control their own root encryption keys can use service encryption with Microsoft Purview Customer Key. Note that Customer Key governs Microsoft 365 service encryption of data at rest and is a separate control from the AIP tenant key (MMK or BYOK) that protects labeled content; choosing one does not configure the other.

How many types of keys are used in encryption?

There are two primary types of cryptographic keys: symmetric and asymmetric. The latter always come in mathematically related pairs consisting of a private key and a public key.

What are the four (4) most secure encryption techniques?

Algorithms commonly listed for protecting sensitive data include:
  • Advanced Encryption Standard (AES)
  • Rivest-Shamir-Adleman (RSA)
  • Triple Data Encryption Standard (3DES)
  • Blowfish
  • Twofish
  • Format-Preserving Encryption (FPE)
  • Elliptic Curve Cryptography (ECC)
Treat this list as a survey rather than a recommendation. 3DES and Blowfish use a 64-bit block, which is vulnerable to collision attacks on long sessions, and NIST disallows 3DES for new encryption after 2023. For new designs use AES in an authenticated mode such as GCM for bulk data, and RSA-OAEP or ECC (for example ECDH) for key exchange and key wrapping; MIP's AES content keys under an RSA 2048 tenant key follow this pattern.

What is the difference between Microsoft Information Protection and Azure Information Protection?

Unlike Azure Information Protection, Microsoft Purview Information Protection isn't a subscription or product that you can buy. Instead, it's a framework for products and integrated capabilities that help you protect your organization's sensitive information.

What is the most secure MS Azure Information Protection label?

There is no fixed "most secure" label: sensitivity labels, their order, and the protection each one applies (encryption, usage rights, expiry) are defined by the tenant administrator. In Microsoft's default label set the highest level is Highly Confidential, above Confidential. The often-quoted scenario (choosing Confidential for a presentation with client names and future project details shared with a manager) is a classification example, not a ranking; what actually protects the file is the encryption setting attached to the label, not its name.

What is Microsoft Double Key Encryption?

Double Key Encryption (DKE) protects content with two keys that must both be available to decrypt: one key is held by you and served by a DKE service you host (on-premises or in infrastructure you control), and the other is your Azure RMS tenant key stored in Microsoft Azure. Because Microsoft never holds the customer key, DKE-protected data can be stored in Microsoft 365 without Microsoft, or any cloud service, being able to read it. HYOK, by contrast, protects content with a single key that stays on-premises in AD RMS, so HYOK content cannot be processed by cloud services at all.
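
The key hierarchy behind the two answers above (an AES content key protected by an RSA 2048 tenant root key, and DKE adding a second, customer-held key) can be made concrete. The Go program below is an added example and is not code from the original post or from Microsoft. It models the publishing license as a small struct, uses a local RSA key pair in place of the customer's DKE service key, and assumes the customer layer sits inside the Azure layer; each wrapping layer uses a hybrid of RSA-OAEP and AES-GCM so that layers can nest. The real Azure RMS license format and the DKE service protocol are different and more involved.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ProtectedDoc stands in for a protected file plus its publishing license (assumed, simplified layout).
type ProtectedDoc struct {
	Content    []byte // nonce || AES-256-GCM ciphertext of the document (tag appended)
	WrappedKey []byte // the content key, wrapped once per root key, innermost layer first
}

const keyLen, nonceLen = 32, 12

// must: AES-GCM setup and the CSPRNG cannot fail for the fixed sizes used here; an error is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce || AES-GCM(key, nonce, data); open reverses it.
func seal(key, data []byte) []byte {
	nonce := randBytes(nonceLen)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, data, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceLen {
		return nil, errors.New("sealed content too short")
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return aead.Open(nil, sealed[:nonceLen], sealed[nonceLen:], nil)
}

// wrapLayer protects blob under one RSA root key: a fresh AES key-encryption key (KEK) seals blob and
// RSA-OAEP(SHA-256) seals the KEK, so layers nest regardless of size (RSA-2048 OAEP alone takes
// at most ~190 bytes). Layout: RSA(KEK) || seal(KEK, blob).
func wrapLayer(pub *rsa.PublicKey, blob []byte) ([]byte, error) {
	kek := randBytes(keyLen)
	wrappedKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kek, nil)
	if err != nil {
		return nil, err
	}
	return append(wrappedKEK, seal(kek, blob)...), nil
}

// unwrapLayer reverses wrapLayer; it fails unless priv is the key that wrapped the layer.
func unwrapLayer(priv *rsa.PrivateKey, layer []byte) ([]byte, error) {
	n := priv.PublicKey.Size()
	if len(layer) < n {
		return nil, errors.New("wrapped key too short")
	}
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, layer[:n], nil)
	if err != nil {
		return nil, errors.New("root key does not unwrap this layer: " + err.Error())
	}
	return open(kek, layer[n:])
}

// Protect encrypts plaintext once under a random content key and wraps that key with each
// root key in order. MMK/BYOK: Protect(p, tenant). DKE: Protect(p, customer, azure).
func Protect(plaintext []byte, rootKeys ...*rsa.PublicKey) (ProtectedDoc, error) {
	if len(rootKeys) == 0 {
		return ProtectedDoc{}, errors.New("at least one root key is required")
	}
	contentKey := randBytes(keyLen)
	wrapped := contentKey
	for _, pub := range rootKeys {
		var err error
		if wrapped, err = wrapLayer(pub, wrapped); err != nil {
			return ProtectedDoc{}, err
		}
	}
	return ProtectedDoc{Content: seal(contentKey, plaintext), WrappedKey: wrapped}, nil
}

// Open peels the layers outermost first (for DKE: Azure key, then customer key) and then
// decrypts the content; a missing or wrong private key at any layer fails the whole chain.
func Open(doc ProtectedDoc, rootKeys ...*rsa.PrivateKey) ([]byte, error) {
	blob := doc.WrappedKey
	for i := len(rootKeys) - 1; i >= 0; i-- {
		var err error
		if blob, err = unwrapLayer(rootKeys[i], blob); err != nil {
			return nil, err
		}
	}
	if len(blob) != keyLen {
		return nil, errors.New("a wrapping layer remains: not every root key was supplied")
	}
	return open(blob, doc.Content)
}
```

Protect with a single public key models MMK or BYOK; Protect with the customer key followed by the tenant key models DKE, and Open then needs both private keys, applied in reverse order, or it fails. Either key alone fails: the Azure key alone peels one layer and is left with a still-wrapped blob, the customer key alone cannot open the outer layer at all. Note also that rotating, revoking or exporting the tenant key only ever touches wrapped content keys, never document bytes, which is why BYOK rotation and a cloud-exit export operate at the key-wrap layer.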

What is a Microsoft security key?

A security key is a physical device that you can use instead of your user name and password to sign in. It may be a USB key that you could keep on your keychain, or an NFC device such as a smartphone or access card.

What is the difference between a private key and a public key?

In asymmetric (public-key) cryptography the two keys have distinct roles. The public key can be distributed freely and is used to encrypt data for the key owner or to verify the owner's signatures. The private key is never shared: it decrypts data encrypted with the matching public key and creates signatures. A key that is shared between sender and receiver is a symmetric key, not a private key.

What is the strongest encryption type?

AES with a 256-bit key is the strongest widely deployed symmetric standard. In practice neither AES-128 nor AES-256 has a known practical break; the longer key mainly adds margin against future attacks, including quantum key search, at a small performance cost.

Which encryption key is most secure?

AES. The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations. Although it is highly efficient in 128-bit form, AES also supports 192-bit and 256-bit keys for a higher security margin.

What are the 2 types of encryption, and which one is better to use?

There are two types of encryption in widespread use today: symmetric and asymmetric encryption. The names derive from whether or not the same key is used for encryption and decryption. Neither is better in isolation: symmetric encryption is used for bulk data because it is fast, and asymmetric encryption is used for key exchange, key wrapping and signatures. Real systems such as MIP combine them, encrypting content with a symmetric key that is then wrapped by an asymmetric tenant key.

What is the most unbreakable encryption?

The Advanced Encryption Standard (AES) is a symmetric cipher with no known practical attack on the full cipher, and it is the de facto global standard. In practice "unbreakable" depends as much on key management and mode of operation (use an authenticated mode such as GCM and never reuse a nonce with the same key) as on the algorithm itself.

What is Level 3 encryption?

This refers to FIPS 140-2 Security Level 3 for cryptographic modules such as HSMs. Level 3 adds requirements for physical tamper resistance and identity-based authentication, requires physical or logical separation between the interfaces through which critical security parameters enter and leave the module, and allows private keys to enter or leave only in encrypted form. The level matters when choosing where a BYOK tenant key lives: Azure Key Vault Premium HSM-protected keys are FIPS 140-2 Level 2 validated, while Azure Managed HSM is FIPS 140-2 Level 3 validated.

Why does Azure have two keys?

This refers to Azure Storage account access keys, not to MIP keys. Every storage account has two keys so that you can regenerate one while clients keep using the other, rotating without interrupting access to the service.

What is a key encryption key in Azure?

A key encryption key (KEK) is a key whose only job is to encrypt (wrap) other keys; the MIP tenant root key is a KEK for content keys. Azure further distinguishes who controls such root keys. Platform-managed keys (PMK) are generated and held by Azure and are the default for data encryption at rest. Customer-managed keys (CMK) are created, rotated, deleted and administered by the customer in a customer-owned Key Vault or hardware security module (HSM). MMK and BYOK are the MIP equivalents of PMK and CMK.

What is the difference between AIP and DLP?

With DLP, you can block a document from being shared or an email from being sent, inside or outside your organization, when it matches the rules you define. AIP protection travels with the document itself: the encryption and usage rights are embedded in the file, so they apply wherever it goes.

What does Microsoft Information Protection include?

Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels. AIP extends the labeling and classification functionality provided by Microsoft Purview with the following capabilities: the unified labeling client and an on-premises scanner.

Does Azure Information Protection encrypt emails?

Microsoft Purview Message Encryption leverages the protection features in Azure Rights Management Services (Azure RMS), the technology used by Azure Information Protection to protect emails and documents via encryption and access controls.

What are AIP labels?

Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels. For example, your administrator might configure a label with rules that detect sensitive data, such as credit card information.

What are the two types of encryption keys in OCI?

Oracle Cloud Infrastructure's KMS recognizes two types of encryption keys: master keys and data encryption keys.

What is the unbreakable encryption?

There is only one known unbreakable cryptographic system, the one-time pad, which is not generally practical to use because of the difficulties involved in exchanging one-time pads without their being compromised. Any other encryption algorithm can be compared against that perfect algorithm.

How does a security key work?

When you insert a security key into your computer or connect one wirelessly (FIDO2/WebAuthn), your browser sends the key a challenge that includes the origin (domain name) of the site you are signing in to. The key signs the challenge with a private key that never leaves the device, and the browser returns the signature to the service, which verifies it with the public key registered at enrollment. Because the origin is bound into what is signed, a phishing site on a different domain cannot reuse the response.

What are encryption keys called?

Symmetric key: a key that is used both to encrypt and decrypt a message. Symmetric keys are typically used with a cipher and must be kept secret to maintain confidentiality. Traffic encryption key (TEK) / data encryption key (DEK): a symmetric key that is used to encrypt messages or data. Key encryption key (KEK): a key used only to encrypt other keys, such as the MIP tenant root key that protects content keys.

What type of encryption has 2 keys?

Public key cryptography, also known as asymmetric cryptography, uses two separate keys instead of one shared one: a public key and a private key. Public key cryptography is an important technology for Internet security.

Is an encryption key the same as the passphrase?

No. A passphrase is a human-memorable secret used to protect an encryption key. Typically the actual key is derived from the passphrase with a password-based key derivation function (for example PBKDF2, scrypt or Argon2, with a random salt and a high work factor), and that derived key, or a key it unwraps, encrypts the protected resource.

What is the difference between an encryption key and a password?

Passwords are created to be memorized, so they are short and often contain non-random material such as dictionary words, which makes them guessable. An encryption key is a random value of full cryptographic strength (for example 256 bits for AES) that is stored and used by software rather than remembered. Where a password must be involved, a key-derivation function turns it into a key and slows down guessing.

What is the difference between 1-way encryption and 2-way encryption?

Encryption is two-way: ciphertext can be decrypted back to the plaintext by anyone holding the key. Hashing is one-way: the input is reduced to a fixed-size digest from which the input cannot be recovered. Salts belong to password hashing specifically, where a per-user random salt is added so that identical passwords do not produce identical digests and precomputed tables do not work; general-purpose hashing, such as a file checksum, uses no salt.

What is the difference between public key and private key cryptography?

In private-key (symmetric) cryptography one key is used for both encryption and decryption, and that single key is kept secret. In public-key (asymmetric) cryptography two keys are used, one to encrypt and the other to decrypt; the public key may be published, and only the private key is kept secret.

What two (2) types of keys are used for asymmetric encryption?

Asymmetric encryption uses a mathematically related pair of keys: a public key and a private key. For confidentiality, the public key encrypts and the related private key decrypts. The reverse operation, applying the private key to data so that anyone with the public key can check it, provides no secrecy (everyone has the public key); it is a digital signature, proving who produced the data and that it was not altered.
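
The reverse operation in the answer above, applying the private key so that anyone holding the public key can check the result, is a digital signature rather than encryption. The Go program below is an added example, not code from the original page or from Microsoft; the message and the second key pair are constructed for the demonstration, and it uses RSA-PSS over a SHA-256 digest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg and signs the digest with the private key (RSA-PSS, SHA-256).
// This is the operation loosely described as "encrypting with the private key".
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks sig against msg with the public key. Anyone holding the public
// key can run this, but only the private key can produce a sig that passes, so
// the result is authenticity and integrity, not secrecy: msg travels in the clear.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	signer, _ := rsa.GenerateKey(rand.Reader, 2048) // the party whose private key signs
	other, _ := rsa.GenerateKey(rand.Reader, 2048)  // an unrelated key pair (constructed)
	msg := []byte("constructed sample: label policy update")
	sig, _ := Sign(signer, msg)
	fmt.Println("genuine signature:", Verify(&signer.PublicKey, msg, sig))
	fmt.Println("tampered message: ", Verify(&signer.PublicKey, []byte("constructed sample: label policy updated"), sig))
	fmt.Println("wrong public key: ", Verify(&other.PublicKey, msg, sig))
}
```

Only the first check passes: changing a single byte of the message or verifying against a different public key fails, while the message itself was readable by everyone throughout, which is the difference between a signature and encryption.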
