
Microsoft Previews Double Key Encryption for Microsoft 365

July 30, 2020 | Scott Carter

Most organizations struggle to control the exploding numbers of machine identities that they rely on for secure connections and communications. This is further complicated as organizations embrace digital transformation and may be tempted to turn over the responsibility of managing encryption keys to cloud providers. While this may prove to be efficient, it is not the most strategic choice for an organization’s security posture. Nowhere is tight control of encryption keys more important than in highly regulated environments, such as financial services and healthcare.


Microsoft has now recognized the need for enterprises to maintain control of their own risk profiles for encryption in the cloud. Last week, Microsoft launched the public preview of a new security feature for Microsoft 365—double key encryption. Double key encryption enables enterprises to protect highly sensitive data while keeping full control of their encryption keys.

Microsoft explained to ZDNet how the double key encryption feature works: “It uses two keys to protect your data - one key in your control, and a second key is stored securely in Microsoft Azure.”

Microsoft added, "Viewing data protected with double key encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security."

Pratik Savla, senior security engineer at Venafi, notes, “When looking at the double key encryption, one is reminded of the famous two-man rule implemented in some form or variation by a lot of banks and certain other entities. While it isn’t an ideal decentralized client-side key management model where the customer is made as the only key custodian, double key encryption still decentralizes and overall manages to impact (primarily) the security principles of access control and accountability in a relatively positive way.”

Double key encryption can play to your advantage in at least two possible scenarios, as reported in ZDNet. It can safeguard sensitive intellectual property and it can ensure confidentiality in highly regulated environments.

  1. Safeguarding sensitive intellectual property. If your organization has proprietary information that you’d like to move into the cloud, then using the cloud provider’s key to encrypt that data won’t adequately protect it. You may still be concerned that your cloud provider may grant third-party access to the data or have an operator that may inadvertently decrypt sensitive information. With double key encryption, you could encrypt your sensitive content with your own key, and then proceed to re-encrypt it with your cloud provider's key.
  2. Ensuring confidentiality in highly regulated environments. Your organization (or government agency) may want to share confidential information with a contractor via a cloud platform. However, your organization’s data policies may require that certain information remains opaque to third parties. In that case, you would use double key encryption to encrypt your information before sharing it with a third party over a cloud platform. It’s an effective way to guarantee that the cloud provider doesn’t have access to the content—only the intended recipients do.
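The layering described in the first scenario (encrypt with your own key, then re-encrypt with the provider's key) can be sketched as follows. This is an added example, not code from the article or from Microsoft's implementation; the choice of AES-256-GCM, the function names and the sample message are assumptions made for illustration.

```javascript
// Added illustration of layered ("double key") encryption with two independent keys.
// Not Microsoft's implementation; cipher choice, names and message are assumptions.
const nodeCrypto = require('crypto');

// Encrypt with AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt and authenticate; throws if the key is wrong or the blob was modified.
function open(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Inner layer uses the customer-held key, outer layer the provider-held key.
function doubleEncrypt(customerKey, providerKey, plaintext) {
  return seal(providerKey, seal(customerKey, plaintext));
}

// Reading the data needs both keys, applied in reverse order.
function doubleDecrypt(customerKey, providerKey, blob) {
  return open(customerKey, open(providerKey, blob));
}

function demo() {
  const customerKey = nodeCrypto.randomBytes(32); // stays with the organization
  const providerKey = nodeCrypto.randomBytes(32); // stays with the cloud provider
  const secret = Buffer.from('constructed sample: proprietary design notes');
  const blob = doubleEncrypt(customerKey, providerKey, secret);
  // A party holding only the provider key recovers the inner ciphertext, nothing more.
  const inner = open(providerKey, blob);
  let wrongKeyRejected = false;
  try { open(nodeCrypto.randomBytes(32), inner); } catch (e) { wrongKeyRejected = true; }
  return {
    roundTrip: doubleDecrypt(customerKey, providerKey, blob).equals(secret),
    providerSeesPlaintext: inner.includes(secret),
    wrongKeyRejected,
  };
}

console.log(demo());
```

Removing only the outer layer leaves data that is still encrypted under the customer-held key, which is the property both scenarios rely on.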

Although double key encryption can help minimize the risk that a compromised key will be exploited, or at the very least make exploitation frustratingly difficult for an attacker, it doesn’t necessarily alleviate the concern of key exposure. “Cryptographic keys have always been a significant security Achilles heel for a lot of companies who either are cloud-based or are strongly preparing to become one. There are still both known and unknown threats that can result in a key being compromised,” warns Savla.

Savla continues, “Even with improved risk awareness these days, one sees many instances where enterprises might not even know that their key(s) has been compromised until much later, which makes a number of threats still very real and relevant. One may only consider encryption as a fail-safe mechanism as long as decryption is not possible.”

Either way, you still have to be sure that you protect all of your private keys. Do you know where all of your organization’s private keys are and who’s using them? Learn more about machine identity management.

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
