About Double Key Encryption (DKE)

Double Key Encryption (DKE) is a Microsoft security feature that encrypts Office documents with a symmetric key protected by two keys: one managed by Microsoft and a second managed by an external service. Beginning with 10.4.3, you can use KeyControl as the external service.

Encryption of Office documents is controlled by labels that are configured in the Microsoft Purview Compliance Portal.

Authentication is provided by an Azure registered application.

DKE keys are stored in an Azure key set in the Cloud KeyControl Vault for Cloud Keys. These keys are stored in the dke_keys key vault, which is separate from the Azure key vaults and managed HSMs. The DKE keys are never uploaded to Azure.