What is double key encryption, and how does it enhance security?

Encryption has always been a cornerstone of information security, even since long before the age of computers and the internet. Today, businesses rely on encryption to protect data both while it’s in storage and while it’s in transit between cloud-based apps and end-user devices. To that end, it has become a critical enabler of secure hybrid work environments.

Most encryption algorithms follow the Advanced Encryption Standard (AES) with 256-bit key lengths, the longest allowed by the standard. These keys are impossible to crack using a brute force attack (at this time, AES has never been cracked and is designated as safe against any brute force attacks), but that doesn’t mean they’re not vulnerable to phishing attacks and other threats. After all, there are many other ways an attacker might get their hands on an encryption key, regardless of its length. This is one of the reasons behind Microsoft’s recent introduction of its double encryption key service. 

Most consumer-grade messaging apps use end-to-end encryption, where the data is encrypted on the sender’s device or system, and the intended recipient is the only one who can decrypt it. However, while this approach offers a high degree of security, it’s problematic for companies, since they need to have control over their own encryption keys to comply with record-keeping requirements and digital sovereignty policies.

As a leading innovator in enterprise technology, Microsoft recently released the public preview of its double key encryption (DKE) service. DKE was created to address the question of where enterprise users should store their decryption keys. If only the vendor, in this case Microsoft, has access to the decryption key, then they have ultimate control over access to the data that it protects.

DKE solves this dilemma by using two keys, one which is hosted in the cloud and used by the provider, while the other is held only by the customer. To access the data, both parties need to provide their decryption keys. It’s analogous to a missile launch, in which two people need to turn their keys at the same time.

DKE is an inherently time-consuming and cumbersome process. It presents serious barriers to productivity and accessibility, which can’t easily be resolved. Many of the core functions of Microsoft 365, such as SharePoint search, data loss prevention, and archiving services, won’t work when attempting to access systems protected by DKE. While support for the technology will likely improve as it moves from the public preview to the general availability stage, these issues are largely the trade-off to the top-level security that DKE provides.

Implementing DKE is also a fairly complex process, and one that goes far beyond checking a box. Security teams will need to establish a DKE server that will manage their encryption keys, before integrating it into their Microsoft 365 deployment.

DKE isn’t intended for everyday business use. Rather, it’s intended for very specific use cases that have specialized requirements, such as protecting top-level government or military data or highly classified intellectual property. In certain cases, organizations may also be subject to strict regulatory requirements that disallow them from granting their cloud providers access to their data. 

Organizations with strict data sovereignty needs may also be required to store their decryption keys in specific geographic regions and jurisdictions. For example, even though organizations can typically choose which data centers to use, vendors can typically still access the customer data, since they generally host the decryption keys. This means, in this case, the US-based Microsoft ultimately has access to data belonging to clients in the EU and elsewhere.

In the past, organizations subject to these conditions would run their apps and services in their own data centers and avoid using the cloud. However, the availability of solutions like BYOK and DKE help make the case for migrating to the cloud in such situations more compelling.

In the era of universal cloud computing, highly regulated businesses face a constant challenge to balance security with regulatory compliance and accessibility. End-to-end encryption, where keys are handled entirely by the vendor, might offer strong security. However, it also means the vendor can access your data, should they be compelled to by a subpoena. Furthermore, if the vendor is compromised, then so too might your data be compromised. At the same time, end-to-end encryption makes it impossible to comply with record-keeping requirements, which is why most business communications apps don’t use it. Instead, they use key management solutions like HYOK, which gives both parties equal degree of control over their keys, which may also be used independently of one another.

There’s no better way to protect sensitive and regulated data than by having complete control over your encryption keys. DKE grants that control, but it’s an inherently cumbersome method, owing to the fact there must always be two parties involved. 

Instead, the best approach is often to encrypt data and manage your encryption keys locally. For example, if you’re using Microsoft Teams, a third-party solution like Worldr encrypts your messages independently from Microsoft, before they are transmitted through the cloud. That way, even Microsoft can’t access your data, since they will only have control over their own encryption layer. That’s a lot simpler than using DKE in everyday business use cases like team communications.