1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Microsoft 365 Double Key Encryption (DKE).
It also contains the information that a user needs to:
Create an Encryption Key in Fortanix DSM.
Configure and deploy the DKE Service in Microsoft Azure/IIS.
Create a Sensitivity label with DKE encryption enabled in the Microsoft 365 account.
Use Double Key Encryption labels to protect data.
2.0 Infrastructure Requirements
Fortanix DSM service must be accessible from DKE services.
The TLS (SSL) certificate of the DKE service must be issued by a public Certificate Authority (CA).
Microsoft 365 end users must install the Azure Information Protection unified labeling client (now the Microsoft Purview Information Protection client) on their machines.
Connectivity between the DKE service and the Microsoft 365 service must exist.
3.0 Prerequisites
Ensure the following:
Fortanix DSM must be accessible. For more information, refer to Section 6.1: Signing Up and Section 6.2: Creating an Account.
A Windows Server with IIS installed, if the DKE service is deployed on-premises. The minimum configuration is 4 vCPUs and 16 GB of memory.
Admin user access to Microsoft Compliance Centre https://compliance.microsoft.com/ for creating labels.
For Microsoft (MS) Office end-user: Microsoft 365 Apps for enterprise version 2009 or later installed on your Windows Desktop.
Ensure the Microsoft Active Directory Rights Management Services Client file msipc.dll is installed at one of these locations:
C:\Program Files (x86)\Microsoft Office\root\Office16\MSIPC
C:\Program Files\Microsoft Office\root\Office16\MSIPC
If it is not present, try reinstalling MS Office.
Install the Azure Information Protection unified labeling client on Microsoft (MS) Office end-user machines. For more information, refer to Microsoft Purview Information Protection client.
On each client, open the Registry Editor and check that the following registry values are defined:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\flighting]
"DoubleKeyProtection"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\flighting]
"DoubleKeyProtection"=dword:00000001
NOTE
Some of these registry keys may not exist yet and need to be created.
Public CA-signed certificate for DKE Service.
4.0 DKE Best Practices
Avoid creating multiple labels for similar data classification categories. Publish the label to only the required group of people.
Create a rotation policy for the keys and do not delete the old keys until all the documents are relabelled.
Create a group quorum policy so that no changes are made at the group level without approval.
Restrict the exposure of the DKE service to your client machines and Azure Active Directory (AD).
While troubleshooting any DKE-related issue, look for errors/clues in the:
DKE server event viewer logs
Fortanix DSM backend logs
Azure information protection logs on the client machine
5.0 Key Management Support with DKE
DKE service currently supports RSA 2048 and 4096 keys.
Key rotation is supported today with Fortanix’s provided DKE service.
Once the key is rotated, do not perform the key delete or destroy operation until documents are relabeled with the rotated key.
After a rotation, set an expiry on the previous key rather than deleting it, giving documents a window of a few days to a couple of weeks (1-2 weeks) to be relabeled with the new key before the old one expires.
You can choose to create different data classification labels, like Classified, Confidential, and Private, with different encryption keys. All Fortanix DSM keys for labels must exist in the same group.
Each label in the Azure compliance center maps to a key in Fortanix DSM. You can create multiple labels and each label will have a different key from Fortanix DSM.
The key created in Fortanix DSM must have a padding policy that allows:
Encryption: OAEP with SHA256 hashing
Signature: PKCS1v15, and PSS with SHA256 hashing
Keys created in Fortanix DSM must have the Encrypt, Decrypt, WrapKey, UnwrapKey and AppManageable permissions (Section 6.7: Creating a Security Object also enables Sign and Verify). EXPORT may be enabled if a future migration is planned; otherwise leave it disabled, since it allows the private key material to leave DSM.
Define the Quorum approval policy on the group to restrict any unwarranted key modifications.
6.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
6.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io. On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed here based on the application region.
For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.
6.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 1: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
6.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 2: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
6.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 3: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on the available authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
6.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app to use it in Section 7.2.4: DSM API Key.
6.6 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.4: Creating an Application to go to the detailed view of the app.
From the top of the app's page, click the copy icon next to the app UUID to copy it. It is used in Section 7.1: Deploy on IIS, Step 4(b), as the value of the Common Name (CN) when generating the certificate.
6.7 Creating a Security Object
Perform the following steps to generate an RSA key in the Fortanix DSM:
In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.
Figure 4: Add security object
On the Add new Security Object page, do the following:
Security Object name: Enter the name for your security object. For example, MicrosoftDKEServiceKey.
Group: Select the group as created in Section 6.3: Creating a Group.
Select the GENERATE radio button.
In the Choose a type section, select the RSA key type.
In the Key Size section, set the key size to 2048 or 4096 bits.
In the Key operations permitted section, set the required operations to Encrypt, Decrypt, WrapKey, UnwrapKey, Sign, and Verify, as shown in the figure below.

Figure 5: Key operations permitted
Click GENERATE to create the new security object.
Before using the key, open it and edit its Padding Policy to match Section 5.0: Key Management Support with DKE (Encryption: OAEP with SHA256; Signature: PKCS1v15 and PSS with SHA256). Click SAVE.
Figure 6: Update padding policy
7.0 Deploy DKE Service
A Double Key Encryption Service must be deployed; it exposes the customer-held key to Microsoft 365 services. Microsoft provides sample DKE Service code that works with a local encryption key file: https://github.com/Azure-Samples/DoubleKeyEncryptionService.
The Fortanix DKE Service is a version of this service enhanced to use Fortanix DSM keys. It serves the public key from DSM and offloads decryption operations to DSM instead of operating on local key files, so the private key stays inside DSM.
The DKE service can be easily installed as an Azure App Service or on your on-premises IIS Server.
7.1 Deploy on IIS
Download the DKE Service deployment bundle from here.
Install Microsoft .NET Core SDK 3.1.416 (x64) and Microsoft .NET 6.0.2 - Windows Server Hosting, which provides the AspNetCoreModuleV2 dependency.
Unzip the bundle into the IIS wwwroot folder. For example: C:\inetpub\wwwroot
Edit the appsettings.json file and add the configuration described in Section 7.2: Configure DKE Service.
Obtain the public TLS certificate and private key for the Fully Qualified Domain Name (FQDN) of the DKE Service and install them in the Local Machine/Personal certificate store. You can do this in one of the following ways:
Install the Personal Information Exchange (PFX) file provided by your public certificate provider into Local Machine/Personal. Verify that the certificate has access to the private key.
Alternatively, create a Certificate Signing Request (CSR) and private key using OpenSSL, then submit the CSR to your public certificate provider for signing. Update certificate parameters such as country, state and organization, and set the Common Name (CN) to the Fortanix app UUID copied in Section 6.6: Copying the App UUID. Whatever the CN contains, the issued certificate must list the DKE service FQDN in its Subject Alternative Name, because TLS clients validate the SAN, not the CN.
openssl req -newkey rsa:2048 -nodes -keyout <privatekey>.key -out <csr file>
Provide the generated CSR file to a trusted CA for signing.
Once you receive the signed certificate (usually in .crt or .pem format), create a PFX file by combining the certificate and its private key:
openssl pkcs12 -export -out certificate.pfx -inkey <privatekey>.key -in <certificate>.crt
You will be prompted to set an export password for the PFX file. If the CA also supplies an intermediate certificate, add it with -certfile <chain>.crt so that IIS serves the full chain.
Import the generated PFX file into the Local Machine/Personal certificate store.
Figure 7: Install PFX into Local Machine/Personal certificate store
Create an IIS site pointing at the unzipped path and add an HTTPS binding that uses the installed certificate. Office clients call the DKE service only over HTTPS, and the redirect URI and Application ID URI registered in Azure AD (Section 7.3: Register DKE App in Azure AD) must match this HTTPS endpoint.

Figure 8: Create an IIS Site
NOTE
Ensure that the IIS deployment is reachable over the internet from your Microsoft Office end users' machines, because Microsoft 365 Apps call the DKE Service directly for public-key retrieval and decryption.
7.2 Configure DKE Service
The DKE service requires a few configurations to be set up as explained in the sections below. Set the deployment configuration in the file appsettings.json as follows:
7.2.1 Tenant ID
Edit the ValidIssuers array and set its value to https://sts.windows.net/<tenantid>/, where <tenantid> is the Azure Active Directory tenant ID. TenantId and Authority stay set to common; pinning the issuer to your tenant is what stops tokens issued by other tenants from being accepted.
For example:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
  "TenantId": "common",
  "Authority": "https://login.microsoftonline.com/common/v2.0",
  "TokenValidationParameters": {
    "ValidIssuers": [
      "https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/"
    ]
  }
}

7.2.2 JWT Audience
Set JwtAudience to the HTTPS URL of the DKE service (the IIS site or Azure App Service endpoint). This must be the same value you set as the Application ID URI in Section 7.3: Register DKE App in Azure AD, because it is the audience Azure AD places in the tokens it issues for the service.
For example:
"JwtAudience": "https://dkeservice.mycompanydomain.com"

7.2.3 DSM API Endpoint
Edit the section FortanixDSMConfig:ApiEndpoint with the endpoint of the Fortanix DSM cluster.
For example:
"FortanixDSMConfig": {
"ApiEndpoint": "https://<fortanix_dsm_url>"
}

7.2.4 DSM API Key
Edit the section FortanixDSMConfig:ApiKey with the Fortanix DSM API key used for authentication, as copied in Section 6.5: Copying the API Key.
For example:
"FortanixDSMConfig": {
"ApiKey": "BJ0oijJYHYU78h6g...05KGkh84GJLK"
}

7.2.5 Authorized Email Addresses
NOTE
This is an optional configuration.
Add a section AuthorizedEmailAddress listing the users (by email address) allowed to use Fortanix DSM keys for decryption. If this list is empty or absent, every user in your Azure AD tenant who presents a valid token is allowed access, so set it unless the label is intended for the whole tenant.
For example:
"AuthorizedEmailAddress": ["userA@xyz.com", "userB@xyz.com"]

7.2.6 Final Configuration
The following is an example of the final appsettings.json file:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
"TenantId": "common",
"Authority": "https://login.microsoftonline.com/common/v2.0",
"TokenValidationParameters": {
"ValidIssuers": ["https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/"]
}
},
"Logging": {
"LogLevel": {
"Default": "Information"
},
"EventLog": {
"LogLevel": {
"Default": "Information"
}
}
},
"AllowedHosts": "*",
"JwtAuthorization": "https://login.windows.net/common/oauth2/authorize",
"JwtAudience" : "https://dkeservice.mycompanydomain.com",
"AuthorizedEmailAddress": ["userA@xyz.com", "userB@xyz.com"],
"FortanixDSMConfig": {
"ApiEndpoint": "https://<fortanix_dsm_url>",
"ApiKey": "BJ0oijJY...0kh84GJLK"
}
}

7.3 Register DKE App in Azure AD
The deployed DKE Service must be registered for Microsoft 365 access. This registration allows Microsoft apps to generate authentication tokens for the DKE service.
In your browser, open the Microsoft Azure portal, and go to All Services → Other → App registrations.
Select New registration and enter a meaningful name.
Select an account type from the options displayed (usually the value to be selected is “Single tenant”).

Figure 9: Register Application
At the bottom of the page, select Register to create the new App Registration.
In your new App Registration, in the left pane, under Manage, select Authentication.
In the Platform configurations, click Add a platform.

Figure 10: Add a Platform
On the Configure platforms dialog box, select Web.

Figure 11: Configure a Web
In the Configure Web form:
Under Redirect URIs, enter the URI of your Double Key Encryption service, that is, the DKE Service endpoint URL. For example: https://dkeservice.fortanix.com
Under Implicit grant and hybrid flows, select the ID tokens check box.
Click Configure to save your changes.
On the left pane, select Expose an API, then click Set next to Application ID URI.
Enter the DKE Service endpoint URL, for example https://dkeservice.fortanix.com, and click Save. This value must match JwtAudience in appsettings.json (Section 7.2.2: JWT Audience).
On the Expose an API page, select Add a scope in the Scopes defined by this API section. In the Add a scope form:
Define the Scope name as user_impersonation.
Select the administrators and users who can consent.
Define any remaining values required.
Click Add scope to save your changes.

Figure 12: Add scope
On the Expose an API page, in the Authorized client applications section, select Add a client application. In the new client application:
Define the Client ID as d3590ed6-52b3-4102-aeff-aad2292ab01c (use this exact value). This is the Microsoft Office client ID, which enables Office to obtain an access token for the DKE Service.
Under Authorized scopes, select the user_impersonation scope.
Click Add application to save your changes.

Figure 13: Add a client application
Repeat the above steps for a second Client ID, c00e9d32-3c8d-4a7d-832b-029040e7db99 (use this exact value). This is the client ID of the Microsoft Azure Information Protection client.
Your DKE service is now registered. Continue by testing connectivity and creating sensitivity labels using DKE.
7.3.1 Test Connectivity between DKE and Fortanix DSM
Run the following curl command to check DKE connectivity with Fortanix DSM:
curl -v https://<dkeserviceurl>/<RSAKeyName>
Where <RSAKeyName> is the name of the Fortanix DSM security object (for example, MicrosoftDKEServiceKey). It should return a 200 response code with the RSA public key; any other status means the DKE service could not reach Fortanix DSM or the key name or app permissions are wrong.
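Before running the curl check, the following offline pre-flight script (an added example, not Fortanix or Microsoft code) validates an appsettings.json against the rules in Section 7.2, derives the key URL that goes into the sensitivity label in Section 7.3.2, and mirrors the token checks the service applies. The sample configuration is constructed from the Section 7.2.6 example; the setting names are those shown on this page, while the use of the token's "email" claim for the allow list is an assumption.

```python
"""Offline pre-flight checks for a DKE service appsettings.json.

Added example, not Fortanix or Microsoft code. It assumes the setting names
shown in Section 7.2 (AzureAd.TokenValidationParameters.ValidIssuers,
JwtAudience, AuthorizedEmailAddress, FortanixDSMConfig.ApiEndpoint/ApiKey)
and, for authorize_claims, that the caller's identity is carried in the
token's "email" claim after signature verification (an assumption).
"""
import json
import re
from urllib.parse import urlsplit

# Issuer format the page prescribes: https://sts.windows.net/<tenantid>/
ISSUER_RE = re.compile(
    r"^https://sts\.windows\.net/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/$",
    re.IGNORECASE,
)

# Constructed sample mirroring the final configuration in Section 7.2.6.
SAMPLE_APPSETTINGS = """{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "2ec40e65-ba09-4853-bcde-bcb60029e596",
    "TenantId": "common",
    "Authority": "https://login.microsoftonline.com/common/v2.0",
    "TokenValidationParameters": {
      "ValidIssuers": ["https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/"]
    }
  },
  "AllowedHosts": "*",
  "JwtAuthorization": "https://login.windows.net/common/oauth2/authorize",
  "JwtAudience": "https://dkeservice.mycompanydomain.com",
  "AuthorizedEmailAddress": ["userA@xyz.com", "userB@xyz.com"],
  "FortanixDSMConfig": {
    "ApiEndpoint": "https://amer.smartkey.io",
    "ApiKey": "BJ0oijJYHYU78h6g05KGkh84GJLK"
  }
}"""


def load_config(text: str) -> dict:
    """Parse appsettings.json text into a dict."""
    return json.loads(text)


def validate_config(cfg: dict) -> list:
    """Return findings for settings that would weaken or break the deployment.
    An empty list means every check passed."""
    findings = []

    issuers = (cfg.get("AzureAd", {})
                  .get("TokenValidationParameters", {})
                  .get("ValidIssuers", []))
    if not issuers:
        findings.append("ValidIssuers is empty: with TenantId 'common', tokens "
                        "from any Azure AD tenant would be accepted")
    for iss in issuers:
        # Catches the garbled GUID-with-a-space case as well as wrong hosts.
        if not ISSUER_RE.match(iss):
            findings.append("ValidIssuers entry is not "
                            f"https://sts.windows.net/<tenantid>/: {iss!r}")

    aud = cfg.get("JwtAudience", "")
    parts = urlsplit(aud)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        findings.append("JwtAudience must be the HTTPS origin of the DKE "
                        f"service (no path): {aud!r}")

    if not cfg.get("AuthorizedEmailAddress"):
        findings.append("AuthorizedEmailAddress is empty or absent: every user "
                        "in the tenant may call Decrypt")

    dsm = cfg.get("FortanixDSMConfig", {})
    endpoint = dsm.get("ApiEndpoint", "")
    if not endpoint.startswith("https://") or "<" in endpoint:
        findings.append("FortanixDSMConfig.ApiEndpoint is not a concrete "
                        f"HTTPS URL: {endpoint!r}")
    api_key = dsm.get("ApiKey", "")
    if not api_key or "..." in api_key or "<" in api_key:
        findings.append("FortanixDSMConfig.ApiKey is missing or still a placeholder")

    return findings


def label_key_url(cfg: dict, key_name: str) -> str:
    """URL to enter in the sensitivity label (Section 7.3.2): the service
    origin from JwtAudience followed by the DSM security-object name."""
    return cfg["JwtAudience"].rstrip("/") + "/" + key_name


def authorize_claims(cfg: dict, claims: dict) -> bool:
    """Mirror the authorization a DKE service applies to an already
    signature-verified bearer token: issuer pinned to the tenant, audience
    equal to this service, and email on the allow list when one is set."""
    issuers = cfg["AzureAd"]["TokenValidationParameters"]["ValidIssuers"]
    if claims.get("iss") not in issuers:
        return False
    if claims.get("aud") != cfg["JwtAudience"]:
        return False
    allowed = {a.lower() for a in cfg.get("AuthorizedEmailAddress") or []}
    if allowed and claims.get("email", "").lower() not in allowed:
        return False
    return True


if __name__ == "__main__":
    cfg = load_config(SAMPLE_APPSETTINGS)
    for finding in validate_config(cfg):
        print("FINDING:", finding)
    print("Label URL:", label_key_url(cfg, "MicrosoftDKEServiceKey"))
```

Run it against your real appsettings.json by passing the file contents to load_config; a clean run prints only the label URL, which should be exactly what you paste into the Use Double Key Encryption field in Section 7.3.2.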
7.3.2 Create Sensitivity Labels using DKE
Perform the following steps in the Microsoft 365 compliance center:
Create a new sensitivity label and apply encryption as you would otherwise.
Select Use Double Key Encryption and enter the endpoint URL for your key.
For example: https://dkeservice.mycompanydomain.com/MicrosoftDKEServiceKey.
Where, MicrosoftDKEServiceKey is the name of the Fortanix DSM key as created in Section 6.7: Creating a Security Object.
Figure 14: New sensitivity label
Publish the label using the label policy.
Any DKE labels that you add will start appearing for users in the latest versions of Microsoft 365 Apps for enterprise.
You can now apply these labels to Microsoft Office documents. Once a label is applied, the document stays encrypted under the Fortanix DSM key, and decryption requires both Microsoft's key and a successful call to the DKE service.
NOTE:
You can create multiple labels with different DSM keys. However, all of those keys must be in a group that the DKE app (Section 6.4: Creating an Application) is assigned to, because the app's API key can only reach keys in its own groups.
The DKE key can be rotated without impact on existing labeled documents, provided the previous key is kept until those documents are relabeled (Section 5.0: Key Management Support with DKE).
You can define a quorum policy on the DKE group to restrict any modifications to the DKE key.
8.0 References
Double Key Encryption for Microsoft 365: https://docs.microsoft.com/en-us/microsoft-365/compliance/double-key-encryption
Double Key Encryption Troubleshooting Guide by Microsoft: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/dke-troubleshooting/ba-p/2234252
Fortanix DSM Getting Started: https://support.fortanix.com/hc/en-us/articles/360015809372-Getting-Started-with-DSM