double key encryption
Two-tier security for the most sensitive data in Azure Cloud

Double Key Encryption

Double Key Encryption - protect highly sensitive data whilst remaining in full control of your encryption key

Businesses and employees across every industry are using tools like Microsoft 365 to enhance their productivity, and Microsoft Purview (formerly Microsoft 365 Compliance) to safeguard and manage the assets across clouds, apps and endpoints, whilst managing risk and regulatory compliance. Microsoft Purview Double Key Encryption (DKE) technology - is one of the most significant developments in Microsoft Information Protection. DKE technology can be considered to be the new ‘Hold Your Own Key (HYOK) option for Azure Information Protocol (AIP), giving organizations complete control over their cryptographic keys and allowing them to protect their most sensitive Microsoft content.

DKE uses two keys together to protect data - one key remains in the control of the customer, and the other key is stored securely in Microsoft Azure. Without access to both keys, the relevant data remains securely encrypted. As a result, the data remains secure if a key is compromised outside of the customer's control.

Prime examples where DKE is relevant would be in highly regulated sectors such as financial services and healthcare where the most sensitive data can be subject to the strictest protection, control, and assurance requirements. It is in this instance that implementation using software-based keys may not be sufficient to meet enhanced compliance obligations. Therefore, a recommended solution such as the UTIMACO DKE Anchor would enhance security and provide compliance to the DKE service.


The customer DKE key is generated and protected using a FIPS 140-2 Level 3, Common Criteria EAL4+ certified and VS-NfD approved HSM and is used to ensure that the customer’s sensitive data is hosted separately compared to the encryption keys. The data is then encrypted again, this time with the Azure Information Protection (AIP) key provided by Microsoft. The process ensures that 3rd parties, including Microsoft, do not have access to the customer’s content. Reviewing data with DKE requires access to both keys.

Replacing Microsoft Azure Hold Your Own Key (HYOK) with Double Key Encryption means that the customer no longer has to manage their own Active Directory and Rights Management Servers. Instead, with DKE, UTIMACO DKE Anchor provides the cryptographic keys. Customers benefit from a highly protected, central, and single source of keys, that meet enhanced compliance obligations alongside a convenient centralized audit alternative.

Business value

Business value


Data Loss Prevention

Prevents data loss across endpoints, employees, online exchange, SharePoint Online, OneDrive for Business and Office Apps


Control Your keys

Manage user access to your key and content. Choose who has permission for the web service to access your key and decrypt content. Data remains opaque to Microsoft under all circumstances. Only customers can decrypt the data.


Meet Compliance Standards

Provide crypto security fulfilling all compliance mandates


Flexible Deployment

Enable easy deployment and management of a DKE service by utilizing UTIMACO DKE Anchor as a solution

Deployment options

Deployment options


On Premise

  • Useful for centralized use cases without a requirement of scalability or remote accessibility and existing legacy infrastructure
  • Defined total cost of ownership
  • Complete control on hardware and software, including configuration and upgrades
  • Secured uptime in areas with insatiable internet connectivity
  • Preferred choice in industry-segments where regulation imposes restrictions

In the Cloud

  • Strategic architectural fit & risk management for your high value assets
  • Provides flexibility, scalability, and availability of HSM-as-a-service
  • Ideal for a multi-cloud strategy, supporting multi-cloud deployments & allows for migration flexibility
  • Easy-to-use remote management and on-site key ceremony service option
  • Full control over data through encryption key lifecycle and key administration

Contact us

We look forward to answering your questions.

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.