About Double Key Encryption (DKE)
Double Key Encryption (DKE) is a Microsoft security feature for encrypting Office documents with a symmetric content key that is itself protected by two keys: one managed by Microsoft and a second managed by an external service, so that neither party alone can decrypt the content. Beginning with 10.4.2, you can use Cryptographic Security Platform Vault as the external service.
Which Office documents are encrypted is controlled by sensitivity labels configured in the Microsoft Purview Compliance Portal.
Authentication to the DKE service is provided by an application registered in Azure (a Microsoft Entra ID, formerly Azure AD, app registration).
DKE keys are stored in an Azure key set in the Cloud Cryptographic Security Platform Vault for Cloud Keys, in a dedicated key vault named dke_keys that is separate from the Azure key vaults and managed HSMs. The DKE keys are never uploaded to Azure: they stay in the vault, so documents protected by a DKE label cannot be opened without it, and losing the key set makes those documents unrecoverable.
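The following is an added illustration of the double-wrapping property described above, written for this page and not code from Microsoft or from Cryptographic Security Platform Vault. A document is encrypted under a fresh AES-256-GCM content key, that key is wrapped under a key standing in for the external (vault-held) DKE key, and the result is wrapped again under a key standing in for the Microsoft-held key, so both private keys are needed to open it and either one alone yields nothing usable. The key sizes, the OAEP labels, the layering order and the sample document are assumptions of the example, not DKE's actual wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope models what travels with a DKE-protected document: the AES-GCM ciphertext plus the
// content key wrapped twice, inner layer under the external key, outer under Microsoft's (order assumed).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the document body
	WrappedKey []byte // RSA-OAEP(msPub, RSA-OAEP(dkePub, contentKey))
}

// OAEP labels bind each layer to its role; the values are assumptions of this example.
var labelDKE, labelMS = []byte("dke-inner"), []byte("ms-outer")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts doc under a fresh 256-bit content key and double-wraps that key.
func Protect(doc []byte, dkePub, msPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	// Inner layer: only the external service's private key can remove it.
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dkePub, contentKey, labelDKE)
	if err != nil {
		return nil, err
	}
	// Outer layer: only the Microsoft-held private key can remove it. It must be large
	// enough to wrap the 256-byte inner ciphertext, hence the 3072-bit outer key below.
	outer, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, msPub, inner, labelMS)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, doc, nil), WrappedKey: outer}, nil
}

// UnwrapOuter is the step the Microsoft side can do alone; its output is still an RSA
// ciphertext under the external key, not a usable content key.
func UnwrapOuter(env *Envelope, msPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, msPriv, env.WrappedKey, labelMS)
}

// UnwrapInner is the step only the external service can do; in DKE this is what the
// client asks the DKE service to perform, so the private key never leaves it.
func UnwrapInner(inner []byte, dkePriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, dkePriv, inner, labelDKE)
}

// Open recovers the document. It needs both private keys; lose either and the
// document is unrecoverable, which is the property DKE is designed around.
func Open(env *Envelope, dkePriv, msPriv *rsa.PrivateKey) ([]byte, error) {
	inner, err := UnwrapOuter(env, msPriv)
	if err != nil {
		return nil, err
	}
	contentKey, err := UnwrapInner(inner, dkePriv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	dke, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vault-held DKE key
	ms, _ := rsa.GenerateKey(rand.Reader, 3072)  // stands in for the Microsoft-held key
	env, _ := Protect([]byte("constructed sample document body"), &dke.PublicKey, &ms.PublicKey)
	got, err := Open(env, dke, ms)
	fmt.Printf("both keys: %q (err=%v)\n", got, err)
	_, err = UnwrapOuter(env, dke)
	fmt.Println("external key alone, outer layer:", err)
	inner, _ := UnwrapOuter(env, ms)
	_, err = UnwrapInner(inner, ms)
	fmt.Println("Microsoft key alone, inner layer:", err)
}
```

Running it shows the round trip succeeding with both keys, while each key on its own fails with an RSA decryption error. In a real deployment the inner unwrap happens inside the external service on the client's behalf, which is why the vault-held key is never exported to Azure and why an unreachable or deleted key set leaves the protected documents unreadable.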
Important: To use DKE with Cryptographic Security Platform Vault, TLS must be set to TLSv1.2, TLSv1.3 and EMS (the TLS extended master secret extension, RFC 7627) must be set to Do not enforce EMS. Not enforcing EMS means TLS 1.2 sessions negotiated without the extended master secret are accepted, which gives up the RFC 7627 protection against triple-handshake attacks for those sessions (TLS 1.3 is unaffected, as it does not use EMS), so treat this as a deliberate exception required by DKE rather than a general default.