Description of Microsoft Information Protection encryption key types (2023)

"Microsoft Managed Key (MMK), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK) and Double Key Encryption (DKE)"

Purpose of this blog

Businesses often create, share, and store sensitive data on-premises, in the cloud, and across multiple clouds. Due to the nature of the business and to meet regulatory requirements, sensitive data must always be stored securely and protected with solutions that include strong data encryption. Organizations are also heterogeneous – one size doesn't fit all as everyone has different business needs.

Microsoft Information Protection (MIP) is an integrated, intelligent, unified, and extensible solution for protecting sensitive data across your organization: across Microsoft 365 cloud services, third-party and on-premises SaaS applications, and more. MIP provides a unified set of capabilities to understand your data, protect it, and prevent data leakage across Microsoft 365 apps (e.g. Word, PowerPoint, Excel, Outlook) and services (e.g. Teams, SharePoint and Exchange).

Microsoft offers a variety of encryption keys that support different customer scenarios. Understanding the different types of encryption keys and how they apply to your environment can be a daunting task, so this blog describes the different types of Microsoft Information Protection (MIP) encryption keys. It expands on each core offering, highlighting unique aspects, differences, benefits, challenges, typical use cases, and an overview of the general architecture of each key type. Our intention is to maintain a level of technical depth that helps readers gain a good understanding of the various key options. Refer to NIST 800-57 for key management best practices. The blog describes the underlying elements that make encryption possible, discusses Rights Management services and the different key types, and concludes with comparison tables to help you choose the right key type.

Underlying elements that enable the Microsoft encryption key types

Encryption algorithms

  • MIP uses both symmetric cryptography and public-key cryptography, taking advantage of the strengths of each type of algorithm, each performing a different function.
  • Symmetric AES (Advanced Encryption Standard) is used to encrypt the plaintext of emails and files. Which key is used depends on the type of content.
  • The asymmetric RSA (Rivest-Shamir-Adleman) algorithm with a 2048-bit key is used to encrypt the symmetric key, which protects the confidentiality of the content.

Tenant key

  • A tenant key is the root encryption key associated with a tenant. In other words, MIP-encrypted content in a tenant is rooted in the tenant key that was active at the time the content was protected.
  • The tenant key is used to encrypt other keys, which in turn are used to provide file and email protection and to provide access to users.
  • This tenant key is common to all MIP-protected emails and files and can only be changed by the MIP administrator for the tenant.

Content key

  • Content keys are symmetric keys used to encrypt the content itself (the plaintext).
  • The content key is protected with the tenant's RSA key along with the policy in the document that defines access to the content.
  • The encryption policy and content key are embedded in the document itself and persist across edits of the document. Document metadata is not encrypted or protected. For more details see Azure Information Protection (AIP) labeling, classification, and protection | Microsoft Docs.

Microsoft Rights Management Services

The following section gives an overview of how a customer sets up the environment so that users can begin protecting and consuming sensitive data[i]. This applies to all types of encryption keys used by MSIPC clients. (Reference: How Azure RMS works: Azure Information Protection | Microsoft Docs)

Initialize the environment


STEP 1: Before a user can protect content or consume protected content on a Windows computer, the user's environment on the device must be prepared. This is a one-time process that occurs automatically, without user intervention, when a user first attempts to protect or consume protected content.

The RMS client (also known as the MIP client) on the computer first connects to the Rights Management Service (RMS) and authenticates the user using their Azure Active Directory account.

STEP 2: Once the user has authenticated, the connection is automatically redirected to the organization's MIP tenant, which issues certificates that allow the user to authenticate to RMS in order to consume protected content offline and to protect content.

One of these certificates is the Rights Account Certificate, often abbreviated to RAC. This certificate authenticates the user to Azure Active Directory and is valid for 31 days. The RMS client automatically renews the certificate as long as the user's account is still in Azure Active Directory and the account is enabled. This certificate cannot be configured by an administrator.

A copy of this certificate is stored in Azure so that if the user moves to a different device, the certificates will be created with the same keys.

Content protection


STEP 1: The RMS client creates a random key (the content key) and uses it to encrypt the document with the AES symmetric encryption algorithm.

STEP 2: The RMS client creates a certificate containing a policy for the document: usage rights for users or groups and other restrictions, such as an expiry date. These settings can come from a template that an administrator configured earlier, or be specified at the time the content is protected (sometimes referred to as an "ad hoc policy").


The main Azure AD attribute used to identify selected users and groups is the Azure AD proxy address attribute, which stores all email addresses for a user or group. However, if a user account does not have a value in the AD proxy address attribute, the value of the user's UPN is used.

The RMS client then takes the organization's key, obtained during initialization of the user environment, and uses it to encrypt the symmetric content key and the policy. The RMS client also signs the policy with the user's certificate, which was obtained when the user's environment was initialized.

STEP 3: The RMS client embeds the policy into a file together with the previously encrypted document body; together they form a protected document. This document can be stored anywhere or shared by any means, and the policy always stays with the encrypted document.

Content consumption


STEP 1: The authenticated user sends the document policy and the user's certificates to the Azure Rights Management service. The service decrypts and evaluates the policy and builds a list of the rights (if any) the user has to the document. The user is identified by the Azure AD proxy addresses attribute of the user's account and of the groups the user belongs to. Group membership is cached for performance reasons. If the user account has no values for the Azure AD proxy addresses attribute, the Azure AD user principal name is used instead.

STEP 2:The service then extracts the AES content key from the decrypted policy. This key is encrypted with the user's RSA public key obtained from the request. The encrypted content key is incorporated into an encrypted user license with a list of user rights, which is then returned to the RMS client.

STEP 3: Finally, the RMS client receives the encrypted use license and decrypts it with its own private user key. This allows the RMS client to decrypt the body of the document as needed and display it on the screen. The client also decodes the list of rights and passes it to the application, which enforces those rights in the application's user interface.
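The protect/consume exchange described in the two sections above, as an added Go example that is not part of the original post and not Microsoft's code. It models the random AES content key, the policy (rights per user plus an expiry) that travels with the document, the service unwrapping with the tenant private key and re-wrapping the content key for the requesting user's RSA key, and the checks that deny a use license to a user without rights or after expiry. The type names, the OAEP labels and the JSON policy format are assumptions of this model; a real client uses a hybrid scheme rather than wrapping the policy directly under OAEP.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Policy is a constructed stand-in for the RMS publishing-license policy
// (per-user rights plus an expiry date), not Microsoft's real format.
type Policy struct {
	Rights  map[string][]string `json:"rights"` // user -> VIEW, EDIT, ...
	Expires time.Time           `json:"expires"`
}

// ProtectedDoc is what gets stored or shared: the AES-encrypted body together
// with the content key and policy, both wrapped under the tenant's RSA key.
type ProtectedDoc struct {
	WrappedKeyAndPolicy []byte
	Body                []byte // 12-byte GCM nonce followed by the ciphertext
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect (client side, steps 1-3): random AES-256 content key, body encrypted
// under it, content key + policy wrapped with RSA-OAEP for the tenant key.
func Protect(tenantPub *rsa.PublicKey, doc []byte, pol Policy) (*ProtectedDoc, error) {
	ck := make([]byte, 32)
	if _, err := rand.Read(ck); err != nil {
		return nil, err
	}
	g, err := gcm(ck)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	polJSON, err := json.Marshal(pol)
	if err != nil {
		return nil, err
	}
	// OAEP with RSA-2048/SHA-256 fits at most 190 bytes; real clients use a hybrid scheme.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tenantPub, append(ck, polJSON...), []byte("rms-policy"))
	if err != nil {
		return nil, err
	}
	return &ProtectedDoc{WrappedKeyAndPolicy: wrapped, Body: g.Seal(nonce, nonce, doc, nil)}, nil
}

// IssueUseLicense (service side): unwrap with the tenant private key, check the
// expiry and the caller's rights, then re-wrap the content key for the caller's
// own RSA public key. A user without rights receives nothing.
func IssueUseLicense(tenantPriv *rsa.PrivateKey, pd *ProtectedDoc, user string, userPub *rsa.PublicKey, now time.Time) ([]byte, []string, error) {
	blob, err := rsa.DecryptOAEP(sha256.New(), nil, tenantPriv, pd.WrappedKeyAndPolicy, []byte("rms-policy"))
	if err != nil || len(blob) < 32 {
		return nil, nil, errors.New("cannot recover content key and policy")
	}
	var pol Policy
	if err := json.Unmarshal(blob[32:], &pol); err != nil {
		return nil, nil, err
	}
	if now.After(pol.Expires) {
		return nil, nil, errors.New("policy expired")
	}
	rights := pol.Rights[user]
	if len(rights) == 0 {
		return nil, nil, errors.New("no rights to this document for " + user)
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, blob[:32], []byte("rms-use-license"))
	return wrapped, rights, err
}

// Consume (client side): unwrap the content key with the user's private key and
// decrypt the body. The service saw the content key and policy, never the body.
func Consume(userPriv *rsa.PrivateKey, pd *ProtectedDoc, wrappedKey []byte) ([]byte, error) {
	ck, err := rsa.DecryptOAEP(sha256.New(), nil, userPriv, wrappedKey, []byte("rms-use-license"))
	if err != nil {
		return nil, err
	}
	g, err := gcm(ck)
	if err != nil || len(pd.Body) < g.NonceSize() {
		return nil, errors.New("bad content key or ciphertext")
	}
	n := g.NonceSize()
	return g.Open(nil, pd.Body[:n], pd.Body[n:], nil)
}
```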

How Office apps and services support rights management

Office applications and end-user Office services also use the Rights Management service to protect data. The Office applications are Word, Excel, PowerPoint and Outlook; the Office services are Exchange[ii] and Microsoft SharePoint[iii],[iv]. Office settings that support the Rights Management service often use the term Information Rights Management (IRM).

Office 365, Office 2019, Office 2016, and Office 2013 app versions have built-in support for Azure Rights Management services. No client computer configuration is required to support IRM functionality for applications such as Word, Excel, PowerPoint, Outlook, and Outlook on the web. All users have to do for these apps on Windows is sign in to their Office apps with their Microsoft 365 credentials; they can then protect files and emails and consume files and emails protected by others. Office for Mac users must first verify their credentials before they can protect their content.[v]

Third-party applications can build native support for file labeling and protection with the Microsoft Information Protection SDK[vii] (Microsoft Information Protection SDK documentation | Microsoft Docs).

Key Management Options

Now that we have a good understanding of encryption and how the IRM client enables this functionality, let's look at the different encryption key options. Microsoft offers four key management options as part of the MIP offerings. Following the cloud shared responsibility model, enterprise CISOs and data owners have ultimate responsibility for selecting and implementing the key option that enables their organization to securely create, use, share, store, archive and destroy data. Microsoft's key management options are Microsoft Managed Key (MMK), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK) and Double Key Encryption (DKE). Businesses can choose the key option that suits their business scenarios for securing and protecting "sensitive" and "highly confidential" data. All key options build on the underlying elements described above, which are essentially the same everywhere; only the implementation differs for each key type.

Typically, an enterprise's data breaks down as follows. Most data, around 80%, is not sensitive, is not subject to compliance requirements and does not need to be encrypted. Businesses are most concerned about the roughly 15% of sensitive data and 5% of highly sensitive data they want to protect. MIP key options let you protect these data assets, and different MIP keys can be used to protect different types of sensitive data appropriately.


1. Microsoft Information Protection: Microsoft Managed Key

Microsoft fully owns and manages the key. Microsoft offers a complete key management solution that lets customers instantiate their MIP tenant. This is the default option when it meets business needs and is preferred for smaller businesses. It is also the fastest and most effective way to get started with MIP, with the least administration and no special hardware. It supports the key lifecycle operations rekey, revoke, backup, export and breach response[viii].

High-level architecture of Microsoft Managed Key: [architecture diagram]

Unique aspects:

  • Microsoft generates your tenant key and maintains the master copy.
  • Customers can export their tenant keys through Microsoft Customer Support Services.
  • RMS can use your tenant key to authorize users to open your documents.
  • RMS provides log information to show how your protected data is being used.

Advantages:


  • Key management is fully managed by Microsoft.
  • It is quick and easy to implement with the customer.
  • Cost-effective solution with no separate key management hardware/software required.
  • Less administration compared to other leading solutions.
  • Customers have the option to rekey the tenant key if a business scenario requires it.
  • Microsoft automatically revokes the key when a subscription is canceled so that once revoked, the key can no longer be used to protect or view data.
  • Data can still be viewed after leaving the service, provided the customer has exported the TPD (trusted publishing domain).

Challenges:

  • Although customers can export their tenant key, they are responsible for protecting the exported key.
  • It may take some time for a rekey to propagate to all existing clients and services the company uses. Rekeying lets the customer choose a new key for protecting data from then on; it does not re-protect existing protected content. Existing protected content can still be opened if the old key referenced in the file is available; the user has to check it out and check it in again with the old keys.
  • Customers are responsible for initiating the Microsoft tenant key export process.

Use MMK when:

  • Organizations don't need to manage their tenant keys.
  • They don't have to meet strict regulatory and compliance requirements.

How it works:

  • After you activate the Azure Information Protection service, Microsoft generates a tenant key.
  • Microsoft manages most aspects of the tenant key lifecycle.
  • Azure Active Directory authenticates users.
  • RMS uses the tenant key to authorize users to open their documents.
  • RMS provides log information to show how your protected data is being used.

2. Microsoft Information Protection: Bring Your Own Key

Customers own and manage this key. When organizations need to comply with regulatory requirements, they can bring their own key: they generate the key wherever they choose and bring it to Azure Key Vault.

High-level architecture of Bring Your Own Key: [architecture diagram]

Unique aspects:

  • Customers generate and protect the MIP tenant key.
  • Microsoft cannot view or export the customer's MIP tenant key, as it remains protected by the HSMs.
  • The key can be software-protected or hardware (HSM)-protected.

Advantages:

  • Customers can use this solution when moving from on-premises to the cloud (HYOK to BYOK).
  • The customer manages the MIP tenant key.
  • The customer has full control over the generated key (master copy, backup copy).
  • Customers can use custom key specs to meet specific regulatory requirements.
  • Enables customers to meet legal and compliance requirements. Customers can audit.
  • Customers can securely transfer their keys to Microsoft Hardware Security Modules (HSMs).
  • Microsoft can replicate tenant keys across a controlled set of HSMs for scaling or disaster recovery.
  • Microsoft may provide log information to show how the tenant key and protected data are being used.

Challenges:

  • Customers incur administrative overhead when configuring the solution.

Use BYOK if:

  • Your organization has compliance regulations for key generation, including control of all lifecycle operations; for example, your key needs to be protected by a hardware security module.

How it works:

  • Customers generate their tenant key.
  • The customer securely transfers their own tenant key to Microsoft HSMs.
  • Your key remains protected by Thales or third-party HSMs.
  • RMS can use your tenant key to authorize users to open your documents.
  • Microsoft can replicate your tenant key to a controlled set of HSMs for scaling and disaster recovery, but you cannot export it.
  • RMS provides log information to show how the tenant key and protected data are being used.

3. Microsoft Information Protection: Hold Your Own Key (classic client only)

Note: Hold Your Own Key was supported in the "classic" AIP client. As announced in 2020, the classic AIP client is no longer supported as of March 31, 2021. HYOK is included here for reference purposes only.

If organizations want to keep their data opaque at all costs, the Hold Your Own Key solution provides that capability; however, this option is being retired in favor of Double Key Encryption, which fits better with the overall unified MIP labeling story. With HYOK the organization owns the key and fully operates its own Active Directory, Rights Management server and hardware security modules for the key. HYOK protection uses a customer-created and customer-managed key in a location isolated from the cloud. Since HYOK protection only allows data access for on-premises apps and services, customers may also need a cloud-based key to manage documents in the cloud.

High-level architecture of Hold Your Own Key: [architecture diagram]

Unique aspects:

  • Suited to cases where data must remain opaque and the resulting trade-offs are accepted.
  • Customers implement Azure Information Protection in their organization.
  • MIP is hosted in the cloud but allows customers to work in cloud only, on-premises or hybrid.
  • Customers set policies for “sensitive” data using Azure RMS.
  • Customers set policies using Active Directory (AD) RMS for “sensitive” data
  • Ideal for highly sensitive data that is not shared outside the company.

Advantages:

  • Microsoft does not have access to on-premises self-hosted keys.
  • AD RMS content cannot be consumed by users from different tenants.
  • HYOK supports documents and email with AIP Classic Client.
  • Good for full control over the encryption of your toxic content.

Challenges:

  • The customer must own and run Active Directory and the AD RMS server.
  • The AD RMS server must not be published on the Internet.
  • HYOK only works with AD instance and AD RMS.
  • HYOK should only be used with fully managed PCs.
  • O365 does not detect AD RMS content (No Search, Live Preview, eDiscovery, Antispam and Antimalware).
  • AD RMS-protected email is not supported by Office 365 Message Encryption (OME).
  • The data cannot be accessed from mobile devices.
  • HYOK does not and will not support Unified AIP tagging. It only works with AIP Classic Client.
  • Extremely difficult to manage and implement; it can require special skills and management effort, and it breaks many of the MIP capabilities the cloud has to offer.

Use HYOK when:

  • Documents have the highest classification in your organization, e.g. Top Secret.
  • Access is limited to a few people.
  • The documents are not shared outside the organization.
  • They are only consumed on internal networks.

How it works:

  • Implement Azure Information Protection in your organization, configure labels and policies.
  • Implement multiple RMS services in your AIP environment.
  • Configure Azure RMS protection policies for "normal" sensitive data.
  • Configure AD RMS protection policies for "sensitive" data.
  • Store your AD RMS outside of the demilitarized zone (DMZ).
  • Configure the RMS connector if you are working in a hybrid environment (on-premises and in the cloud).
  • HYOK is designed to be used with fully managed PCs to access "sensitive" data.

4. Microsoft Information Protection: Double Key Encryption (AIP UL client)

Double Key Encryption is intended for customers with business-critical data: the most sensitive data, with higher protection and regulatory requirements. Double Key Encryption uses two keys together to access protected content. Microsoft stores one key in Microsoft Azure and the customer holds the other key. With Double Key Encryption, customers retain full control of one of the keys. Protection can be applied to highly sensitive content with the Azure Information Protection unified labeling client.


High-level architecture of Double Key Encryption: [architecture diagram]

Unique aspects:

  • Suitable for protecting highly sensitive data in Word, Excel and PowerPoint (Microsoft 365 Apps for enterprise).
  • DKE helps to meet various regulatory requirements.
  • Customers have the option to choose any location (on-premises or in a third-party cloud) to host their DKE service.
  • Customers can share DKE-encrypted content across tenants if users have access to the Azure key and the required permission to access the DKE service.
  • Data remains opaque to Microsoft under all circumstances. Only clients can decrypt the data.

Advantages:

  • Customers retain full control of their keys. Host your key and store your protected data in a location of your choice - on-premises or in the clouds - it remains opaque to Microsoft.
  • Manage user access to your key and content. Choose who has permission for the web service to access your key and decrypt the content.
  • A consistent labeling experience. Double Key Encryption labels work like other sensitivity labels in the Microsoft Information Protection ecosystem, ensuring a consistent end-user and administrator experience.
  • Simplified deployment. Reference code and instructions help implement the Double Key Encryption service used to request your key. We support the reference implementation hosted on GitHub; any change to the reference implementation is at the customer's own risk and responsibility.

Challenges:

  • Customers must implement and manage their own DKE service.
  • As of today, DKE only supports the AIP UL client (not Office built-in sensitivity labeling) and only documents, but this may change in the future.
  • Some services cannot be used with DKE-encrypted content, for example transport rules (including anti-malware and anti-spam) that require visibility of attachments, Microsoft Delve, eDiscovery, content search and indexing, and Office web apps including co-authoring. (Double Key Encryption (DKE) - Microsoft 365 Compliance | Microsoft Docs)
  • External applications or services that are not integrated with DKE via the MIP-SDK cannot perform any actions on the encrypted data.

Use DKE when:

  • Double Key Encryption is for your most sensitive data subject to the strictest protection requirements.
  • Customers want to be sure that only they can decrypt protected content under all circumstances.
  • The company does not want Microsoft to be able to access its proprietary data on its behalf.
  • There are government requirements to keep keys within a geographic boundary. With DKE, customers can host their DKE keys and services in a location of their choice.

How it works:

  • If you haven't already, configure the Azure Information Protection service with MMK or BYOK.
  • Deploy the double key encryption service at your preferred location i.e. on-premises or in the cloud.
  • Microsoft Office with the AIP unified labeling client bootstraps against the AIP service.
  • The AIP service sends the customer's public key to the Office client, which caches it for 30 days.
  • Microsoft Office with the AIP unified labeling client requests the customer-controlled public key from the DKE service.
  • The document metadata that controls access to the document is encrypted with the DKE key.
  • The encrypted part of the metadata is further encrypted with AIP, which double-encrypts the document.
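The double wrapping in the last two steps, as an added Go example that is not the DKE reference implementation and not Microsoft's code. The content key is wrapped for the customer's DKE public key first and then for the Azure (tenant) key, so the Azure key alone only peels off the outer layer, and the customer-hosted DKE service enforces its own allow-list before removing the inner one. The RSA-3072 outer key (chosen so the two OAEP layers nest without a hybrid scheme), the labels and the allow-list are assumptions of this model; the real service uses RSA-2048 with a hybrid scheme.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Labels bind each OAEP layer to its purpose so a blob wrapped for one key
// cannot be passed off as the other layer.
var (
	dkeLabel   = []byte("dke-layer")
	azureLabel = []byte("azure-layer")
)

// DoubleWrap is done by the labeling client at protection time: the content key
// is wrapped for the customer's DKE public key first, and that ciphertext is
// wrapped again for the Azure (tenant) public key.
func DoubleWrap(dkePub, azurePub *rsa.PublicKey, contentKey []byte) ([]byte, error) {
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dkePub, contentKey, dkeLabel)
	if err != nil {
		return nil, err
	}
	// The outer key must be large enough to wrap the 256-byte inner ciphertext;
	// in this model it is RSA-3072 (assumption), not the real hybrid scheme.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, azurePub, inner, azureLabel)
}

// AzureUnwrap is all that can be done with the Azure key alone: strip the outer
// layer. The result is still ciphertext under the DKE key, so the content key
// (and therefore the document) stays opaque to the holder of the Azure key.
func AzureUnwrap(azurePriv *rsa.PrivateKey, outer []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, azurePriv, outer, azureLabel)
}

// DKEService models the customer-hosted DKE web service: it holds the DKE
// private key and an allow-list of users who may ask it to unwrap (the
// "choose who has permission for the web service to access your key" point).
type DKEService struct {
	priv    *rsa.PrivateKey
	allowed map[string]bool
}

func NewDKEService(priv *rsa.PrivateKey, users ...string) *DKEService {
	s := &DKEService{priv: priv, allowed: map[string]bool{}}
	for _, u := range users {
		s.allowed[u] = true
	}
	return s
}

// Unwrap removes the inner layer for an authorised user. Unauthorised callers
// and blobs that still carry the Azure layer are both rejected.
func (s *DKEService) Unwrap(user string, inner []byte) ([]byte, error) {
	if !s.allowed[user] {
		return nil, errors.New("dke: user not authorised: " + user)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, s.priv, inner, dkeLabel)
}

// Recover runs the full consumption path: Azure layer first, then DKE layer.
// Both keys and the DKE service's permission are required to get the content key.
func Recover(azurePriv *rsa.PrivateKey, dke *DKEService, user string, outer []byte) ([]byte, error) {
	inner, err := AzureUnwrap(azurePriv, outer)
	if err != nil {
		return nil, err
	}
	return dke.Unwrap(user, inner)
}
```
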

Summary

*With the discontinuation of the AIP Classic client, HYOK is no longer relevant. Documented for reference only.

The tables below give a rough comparison of the different MIP key options. IT admins can evaluate the different aspects to choose the most suitable option for their business scenario.

Table 1: Key options and key operations

  Action                               | MMK    | BYOK   | HYOK*  | DKE
  -------------------------------------|--------|--------|--------|-------
  Revoke a tenant key                  | (icon) | (icon) | (icon) | (icon)
  Rekey your tenant key                | (icon) | (icon) | (icon) | (icon)
  Back up and restore your tenant key  | (icon) | (icon) | (icon) | (icon)
  Customers can export tenant keys     | (icon) | (icon) | (icon) | (icon)
  Microsoft can export tenant keys     | (icon) | (icon) | (icon) | (icon)

  (The cells of this table are yes/no icons in the original that were not preserved in this copy.)

Table 2: Key options and administrative effort

  Administrative burden | MMK | BYOK | HYOK* | DKE
  ----------------------|-----|------|-------|-----
  Low                   |  ✓  |  -   |  -    |  -
  Moderate              |  -  |  ✓   |  -    |  -
  High                  |  -  |  -   |  ✓    |  ✓

Table 3: Key options and license requirements

  License  | MMK    | BYOK   | HYOK*  | DKE
  ---------|--------|--------|--------|-------
  AIP P1   | (icon) | (icon) | (icon) | (icon)
  AIP P2   | (icon) | (icon) | (icon) | (icon)
  M365 E3  | (icon) | (icon) | (icon) | (icon)
  M365 E5  | (icon) | (icon) | (icon) | (icon)

  (The cells of this table are icons in the original that were not preserved in this copy.)

Table 4: Compatible apps

  Compatible applications                          | MMK    | BYOK   | HYOK*  | DKE
  -------------------------------------------------|--------|--------|--------|-------
  OneDrive                                         | (icon) | (icon) | (icon) | (icon)
  SharePoint Online                                | (icon) | (icon) | (icon) | (icon)
  Exchange Online                                  | (icon) | (icon) | (icon) | (icon)
  Microsoft 365 (Office 365 Word, Excel, PowerPoint)| (icon) | (icon) | (icon) | (icon)
  Microsoft 365 (Office 365 email)                 | (icon) | (icon) | (icon) | (icon)
  Exchange on-premises                             | (icon) | (icon) | (icon) | (icon)
  SharePoint on-premises                           | (icon) | (icon) | (icon) | (icon)
  Teams                                            | (icon) | (icon) | (icon) | (icon)

  (The cells of this table are icons in the original that were not preserved in this copy.)

Table 5: Compatible platforms

  Platform | MMK    | BYOK   | HYOK*  | DKE
  ---------|--------|--------|--------|-------
  Windows  | (icon) | (icon) | (icon) | (icon)
  iOS      | (icon) | (icon) | (icon) | (icon)
  Android  | (icon) | (icon) | (icon) | (icon)

  (The cells of this table are icons in the original that were not preserved in this copy.)

Frequently Asked Questions

How to renew symmetric keys

https://docs.microsoft.com/en-us/azure/information-protection/develop/how-to-renew-metric-key

How to export tenant keys with MMK:

https://docs.microsoft.com/en-us/azure/information-protection/operations-microsoft-managed-tenant-ke...

What are the DKE license requirements?

https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/mi...


How to configure DKE

https://docs.microsoft.com/en-us/microsoft-365/compliance/double-key-encryption?view=o365-worldwide

References

[i] How Azure RMS works: Azure Information Protection | Microsoft Docs

[ii]

[iii]

[iv] Enable sensitivity labels for Office files in SharePoint and OneDrive - Microsoft 365 compliance | Microsoft Docs

[v] Setup for customers to use Office applications with Azure RMS by AIP | Microsoft Docs

[vi] Licenses and certificates and how AD RMS protects and uses documents

[vii] Microsoft Information Protection SDK documentation | Microsoft Docs

[viii] Microsoft managed: AIP tenant key lifecycle operations | Microsoft Docs

[ix] Customer managed: AIP tenant key lifecycle operations | Microsoft Docs

[x] How to prepare an Azure Information Protection cloud exit plan

[xi] Bring your own key (BYOK) details: Azure Information Protection | Microsoft Docs

[xii]

[xiii] Bring your own key (BYOK) details: Azure Information Protection | Microsoft Docs

[xiv] Operations on your Azure Information Protection tenant key

[xv] Host DKE on IIS using a local server - Microsoft Tech Community

[xvi] Implementing DKE B2B scenarios - Microsoft Tech Community

Article information

Author: Terrell Hackett

Last Updated: 04/12/2023
