Security Incident Response

If you think you have or know you have a Security Incident please fill in the form and our experienced Onevinn CSIRT team will reach out shortly.
The team has long experience in supporting customers in Incident Response and Compromised Recovery.
Keep calm and we will be with you shortly!

Christopher Lindström 15 Oct 2021
1 min

Onevinn PKI based Double Key Encryption

In some cases an organization wants to hold their own encryption keys (HYOK) and this is where Onevinn PKI based DKE comes in.

This is a service that is hosted in your organization and your organization has full control of these keys, meaning that not even Microsoft has a way of reading your data.

What is Double Key Encryption?

Double Key Encryption (DKE) is something you could use for your organizations most sensitive data which is subject to enhanced protection and regulatory requirements. DKE uses two keys together to access the data. One key is stored by Microsoft in Microsoft Azure and the other one is held/hosted by your organization. Protection could then be applied using sensitivity labels within Microsoft Information Protection for your most sensitive data.

For other data that needs protection it's preferred to use Microsoft Managed Key (MMK) or Bring Your Own Key (BYOK) within Microsoft Information Protection. This will allow you to take advantage of features such as:

  • Microsoft Teams Integration
  • Office Web Apps including coauthoring functionality
  • Transport rules including anti-malware and spam that require visibility into the attachment
  • Microsoft Delve
  • eDiscovery
  • Content search and indexing

These features above cannot be used with information protected by DKE.

DKE can be used in the following scenarios:

  • When you want to control the access of your own keys
  • When you do not want Microsoft to have access to the protected data
  • When you have regulatory requirements to hold the keys within a geographical boundary

What is Onevinn PKI based DKE?

Handling your own encryption keys means a great responsibility when it comes to both technology but above all processes.

Onevinn have worked with AD RMS, Azure RMS, Azure Information Protection and Microsoft Information Protection for several years and have now developed a service for DKE, Onevinn PKI based DKE.
Onevinns PKI based DKE solution is built on your existing Public Key Infrastructure (PKI)*.

* Public Key Infrastructure (PKI) is a combination of processes, technologies, and policies that allows you to create, manage, distribute, store and revoke digital certificates and encryption keys.

Some of the key functions for Onevinn PKI based DKE are:

  • Central Management with integration of existing PKI processes and routines
  • Integration of internal Public Key Infrastructure (PKI)
  • Utilizing of existing infrastructure for key usage rights

Some of the benefits includes:

  • An option to use Hardware Security Module (HSM) for higher level of security
  • Centralized management of keys in an internal PKI


If you would like to learn more about DKE, please have a look at this webinar or read about our solution here!