Integrate Microsoft Double Key Encryption with Entrust nShield HSMs
Microsoft Double Key Encryption for Azure Information Protection (AIP) helps enterprises protect their most sensitive Office 365 content. Entrust Double Key Encryption for Microsoft AIP, offered by Entrust Professional Services, integrates certified Entrust nShield® hardware security modules (HSMs) to provide a root of trust for the protection of sensitive cryptographic keys. The tools and hardware give you complete ownership and control of the software that underpins the double key generation process, with no Microsoft footprint on your premises.
Replacing Microsoft Azure Hold your Own Key (HYOK), Double Key Encryption does not require you to operate your own Active Directory and Rights Management Servers. Instead, you can provide your own cryptographic keys, protected with your nShield HSMs, in real-time.
Based on this architecture, you don’t just control your key, you also control the software that manages it. This integrated solution is particularly suitable if you need to:
- Protect sensitive high value artifacts
- Comply with industry and regulatory mandates governing the control of your keys and data
How it works
Double Key Encryption (DKE) utilizes two component keys to protect highly sensitive data — a key that is in the customer’s control and a Microsoft key stored securely in Microsoft Azure. The customer DKE key is generated and protected using a robust FIPS 140-2 Level 3 and Common Criteria EAL4+ certified Entrust nShield(R) HSM and is used to encrypt the organization’s sensitive data. The data is then encrypted again this time with the Azure Information Protection (AIP) key provided by Microsoft. The process ensures 3rd parties including Microsoft do not have access to the customer's content.
Integrating Entrust nShield HSMs
Entrust Double Key Encryption is supported by FIPS 140-2 Level 3 and Common Criteria EAL4+ certified nShield Solo XC (PCIe) and nShield Connect XC (network-attached) HSMs. These HSMs hold the master key protecting the Double Key Encryption server and key store. Four nShield HSMs are typically deployed for redundancy across production and disaster recovery environments.
Entrust nShield HSMs are among the highest-performing, most secure and easy-to-integrate HSM solutions available. They facilitate regulatory compliance and deliver the highest levels of data and application security for enterprise, financial, government, and other organizations that need to protect their data. The unique nShield Security World key management architecture provides strong, granular controls over access and usage of keys.
Double Key Encryption Benefits
Apply two layers of security to your most sensitive content in Azure cloud.
Manage user (including Microsoft) access to your key and the content protected by the key.
Own and fully control your keys and the software that generates your key.
Host your key and store your critical data in the location of your choice.