What is Double Key Encryption and why should you care?

Double Key Encryption (DKE) is coming soon to Microsoft 365 (E5 plans required).

As the name suggests, this is even MORE secure than the levels of encryption previously seen. Microsoft says that you need it if:

  • You want to ensure that only you can ever decrypt protected content, under any circumstance.
  • You don’t want Microsoft to have access to protected data on its own.
  • You have regulatory requirements to hold keys within a geographical boundary. All of the keys that you hold for data encryption and decryption are maintained in your data center.

Basically, if you turn this on and apply it to your most sensitive data, then you will now need TWO security keys to access it. One key is held in the Microsoft Azure cloud and you hold the other. Because you hold one of the keys, even Microsoft can’t access your data. Who knows what happens when the FBI or whoever demands access to data in one of their investigations!
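To make the two-key idea concrete, here is an added example (not Microsoft's code and not part of the original post) that models the scheme as two nested layers of key wrapping around a content key, and shows that the cloud-held key alone only peels the outer layer. The symmetric keys, the HMAC-based stand-in cipher and every function name are assumptions of the example; real DKE uses its own key types and services.

```python
import hashlib, hmac, secrets

# Stand-in authenticated cipher built from HMAC-SHA256 so the example runs on
# the standard library alone. Illustration only; use a vetted AEAD in practice.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, data):
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key, blob):
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def protect(content_key, customer_key, cloud_key):
    # Inner layer: the key you hold. Outer layer: the key held in the cloud.
    return wrap(cloud_key, wrap(customer_key, content_key))

def open_protected(blob, cloud_key, customer_key):
    return unwrap(customer_key, unwrap(cloud_key, blob))

def demo():
    # All keys below are constructed sample values.
    customer_key, cloud_key = secrets.token_bytes(32), secrets.token_bytes(32)
    content_key = secrets.token_bytes(32)
    blob = protect(content_key, customer_key, cloud_key)
    cloud_view = unwrap(cloud_key, blob)  # everything the cloud key alone yields
    try:
        unwrap(secrets.token_bytes(32), cloud_view)  # some other key on the inner layer
        wrong_key_accepted = True
    except ValueError:
        wrong_key_accepted = False
    return {"both_keys_recover": open_protected(blob, cloud_key, customer_key) == content_key,
            "cloud_only_sees_content_key": content_key in cloud_view,
            "wrong_inner_key_accepted": wrong_key_accepted}
```

The same property cuts the other way: if the key you hold is lost, the inner layer cannot be opened by anyone, which is one reason to apply the label only to data that warrants it.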

We note that Double Key Encryption is referenced in the (old) NZ Privacy Act 1993, although it isn’t apparent in the new 2020 Act.

DKE is set up as part of the 365 Admin Information Protection settings, and applies a new sensitivity label “Use Double Key Encryption”. We suggest using caution too!

References

https://docs.microsoft.com/en-us/microsoft-365/compliance/double-key-encryption

https://redmondmag.com/articles/2020/07/23/double-key-encryption-for-microsoft-365.aspx