Microsoft DKE APIs
CCKM provides support for Double Key Encryption (DKE) for Microsoft 365. With DKE, two keys are used to access content (such as files or documents) that is protected with the sensitivity labels that you apply when using any one of the supported Microsoft Office apps. You hold one key in CCKM, which you maintain full control over using the using Microsoft’s Double Key Encryption service. The other is securely stored within Microsoft Azure. To decrypt and gain access to the protected content, both keys are required. Since Microsoft holds only one of the keys, this solution ensures that Microsoft cannot independently access this content. Only your authorized users can access the protected content.
Only your highly confidential data should be protected by DKE, which is typically a small percentage of your organization’s overall data. For more information about DKE, guidance on what type of content to protect, the supported office applications, and other information, refer to Double Key Encryption.
DKE encryption workflow
-
User adds a DKE label to a document. The Microsoft Office client connects to Azure RMS (Protection Service).
-
User certificate, API templates, and Azure RMS key are sent to the Microsoft Office client.
-
Microsoft Office client requests CCKM for the DKE public key associated with the applied label.
-
CCKM verifies the request. After authorization succeeds, CCKM sends the DKE public key to the Microsoft Office client.
-
Microsoft Office client encrypts the document content with the content key.
-
Microsoft Office client encrypts the part of the metadata that controls access to the content with the DKE public key.
-
Microsoft Office client encrypts the encrypted metadata with the Azure RMS key.
The content is protected with the double-encrypted content key, RMS key and DKE public key. The following illustration shows the DKE encryption workflow:
DKE decryption workflow
-
User opens a document which has a DKE label. The Microsoft Office client first sends the double-encrypted metadata to Azure RMS (Protection Service).
-
Azure RMS (Protection Service) decrypts the double-encrypted metadata using the Azure RMS key and returns the simple-encrypted metadata.
-
Microsoft Office client sends the simple-encrypted metadata to CCKM and requests CCKM to decrypt it.
-
CCKM verifies the request and goes through the authorization process. When authorization passes successfully, CCKM decrypts the simple-encrypted metadata and returns the decrypted metadata to the Microsoft Office client.
-
Microsoft Office client uses the content key to decrypt the document. The user can view the document content.
The following illustration shows the DKE decryption workflow:
The following are the high-level steps to configure DKE within Microsoft and CipherTrust Data Security Platform Service/CCKM:
Prerequisites
In preparation for deploying DKE, ensure that the following prerequisites are met:
-
Microsoft 365 E5 License: Windows clients must have a Microsoft 365 E5 license. Refer to information about system and licensing requirements for DKE for more information these licensing requirements.
Note
CCKM supports built-in sensitivity labeling with Office apps. CCKM does not support Azure Information Protection unified labeling client, which is to be deprecated in the future.
-
User Presence in Azure Directory: Users who are to create and share documents or files protected by DKE must be part of the Azure Active Directory (Azure AD) associated with the organization's tenant.
Note
-
DKE is not supported on applications running on mobile devices.
-
DKE is only tested with Windows clients. DKE is not tested with Mac, iOS, and Android clients.
-
To configure the B2B cross-tenant access settings, refer to Configure cross-tenant access settings for B2B collaboration.
-
Configure DKE on CCKM
To configure DKE on CCKM, do the following:
-
From CCKM GUI or API, create a DKE endpoint. Refer to Creating Microsoft DKE Endpoints for details on how to create a DKE endpoint from CCKM GUI or Creating Microsoft DKE Endpoints using CCKM API.
Note
-
Only Azure AD users are currently supported. The email addresses included in the API call must be associated with a user Azure AD. The email address parameter an optional field applicable only if authorization_type is set to email.
If you specified one or more email addresses in a DKE endpoint, this field would be validated against JWT received in the decrypt operation.
-
A Microsoft Office 365 client user and email (if configured in CipherTrust Data Security Platform Service) must match.
-
The Issuer field must be specific to the tenant configured in the Microsoft Azure Portal.
-
Grant the Azure Application Consent to Encrypt Data
Your organization must grant consent to use Thales's Azure application to encrypt data. If you do not have the Azure admin rights, please ask your Azure admin to grant the admin consent.
You need to share the consent grant URI to your admin, in the format https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
. In the URI, the {organization} is your Directory (tenant) ID
and {client-id} is a Thales Application (client) ID
.
The following client IDs apply to the CipherTrust Data Security Platform Service:
-
EU region (ciphertrust.dpondemand.io): 7ef928d6-5bcf-4e1c-bd1c-c083a259d54b
-
USA region (us1.ciphertrust.dpondemand.io): b6f080d7-21fe-4f64-a5d7-0855aed5fbe7
Create your DKE sensitivity labels
After successfully configuring DKE on CCKM, you are ready to create your DKE sensitivity labels from the Microsoft Compliance portal. Refer to Create sensitivity labels using DKE for details.
When creating a sensitivity label, ensure to do the following:
- Select Apply or remove Encryption on the protection settings for labeled items page.
- Select the Use Double Key Encryption checkbox to enable DKE on the Encryption page. Enter the the value of the
key_uri
received in the API response when you created a DKE endpoint using thecreate DKE endpoint
API.
Note
After a label is published by the defining policy, it may take up to 24 hours for a label to be made available (after the label policy is published) for use in a Microsoft 365 Apps, such as Word or PowerPoint.
Note
For labels that are configured to have Offline Access set to Never, the decrypt requests will be sent to the CipherTrust Data Security Platform Service. Otherwise, if labels are configured to have Offline Access set to Always, the decrypt requests will not be sent to the CipherTrust Data Security Platform Service
Refer to the following DKE API sections:
Note
Users of the CCKM Admins group can manage DKE endpoints, whereas the users of the CCKM Users group can only view the DKE endpoints.
Tip
The mandatory API request parameters are written in bold.