Fortanix Data Security Manager with Double Key Encryption for Microsoft 365

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Microsoft 365 Double Key Encryption (DKE). It also contains the information that a user needs to:

  • Create Encryption Key in Fortanix DSM.
  • Configure and deploy the DKE Service in Microsoft Azure/IIS.
  • Create a Sensitivity label with DKE encryption enabled in Microsoft 365 account.
  • Use Double Key Encryption labels to protect data.

2.0 Infrastructure Requirements

  • DSM service must be accessible from DKE services.
  • DKE service SSL certificate must be signed by Public CA.
  • Microsoft office 365 users must install Microsoft Unified Labelling Client in their machines.
  • Connectivity between DKE service and Microsoft o365 service must exist.

3.0 Prerequisites

  • A Fortanix DSM Account.
  • Windows Server configured with IIS Server if deploying DKE service on premises. Minimum configuration required is 4vcpu and 16gb memory.
  • Admin user access to Microsoft Compliance Centre https://compliance.microsoft.com/ for creating labels.
  • For Microsoft (MS) Office end-user: Microsoft 365 Apps for enterprise version 2009 or later installed on your Windows Desktop.
    • Make sure Microsoft Active Directory Rights Management Services Client file msipc.dll is installed at one of these locations.
      • C:\Program Files (x86)\Microsoft Office\root\Office16\MSIPC
      • C:\Program Files\Microsoft Office\root\Office16\MSIPC
    • If not present, try reinstalling MS Office.
  • Install Azure Information Protection unified labelling client on Microsoft (MS) Office end-user machines. Details can be found in-
    https://docs.microsoft.com/en-us/azure/information-protection/rms-client/install-unifiedlabelingclient-app
  • Public CA signed certificate for DKE Service.

 4.0 DKE Best Practices

  • Avoid creating multiple labels for similar data classification categories. Publish the label to only the required group of people.
  • Create a rotation policy for the keys and do not delete the old keys until all the documents are relabelled.
  • Create a group quorum policy so that no changes are made at the group level without approval.
  • Restrict exposure of the DKE service to your client machines and Azure AD.
  • While troubleshooting any DKE related issue, look for errors/clues in:
    • DKE server event viewer logs
    • Fortanix DSM backend logs
    • Azure information protection logs in the client machine

5.0 Key Management Support with DKE

  • DKE service currently supports RSA 2048 keys.
  • Key rotation supported today with Fortanix provided DKE service.
  • Once the key is rotated, don’t perform the key delete/destroy operation until documents are relabeled with the rotated key.
  • Set an expiry to the rotated key which will expire after a few days of key rotations. (1-2 weeks)
  • You can choose to create different data classification labels like Classified, Confidential, and Private with different encryption keys. All Fortanix DSM keys for labels must exist in the same group.
  • Each label in the Azure compliance center maps to a key in Fortanix DSM. You can create multiple labels and each label will have a different key from Fortanix DSM.
  • Key Created in Fortanix DSM policy must have padding policy with
    • Encryption-> OAEP Hashing Algorithm SHA256
    • Signature-> PKCS1v15, PSS Hashing Algorithm SHA256
  • Keys created in Fortanix DSM must have Encrypt, Decrypt, Wrap, Unwrap, and APPMangeable permissions. It can have EXPORT permission for future migrations.
  • Define Quorum policy on the group to restrict any unwarranted key modifications.

6.0 Configuring Fortanix Data Security Manager

6.1 Configuring Fortanix DSM on SAAS Platform

  1. Sign up at https://smartkey.io/.
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
    Picture1.png Figure 1: Click the Integrations Tab
  4. On the Integrations page, click ADD INSTANCE on the Microsoft DKE An instance configured in Fortanix DSM maps to your Microsoft account and provides encryption to your entire Microsoft office account. The generated API key would be required while deploying the Microsoft DKE Service.
  5. Enter the Instance Name to identify the instance created. Note that the instance name must be unique or else it would display an error message, “Microsoft DKE instance with this name already exists”.
    Picture2.png Figure 2: Enter Instance Name and Save Instance
  6. Click SAVE INSTANCE. Saving the instance creates a group (nomenclature: microsoftDKE_instancename), an application (nomenclature: microsoftDKE_instancename_app) and an RSA key (nomenclature: microsoftDKE_Key_Instancename) under the group. An API key is used to authenticate the application.
  7. You can view all the instances by clicking View all on the Microsoft DKE wizard.
  8. In the detailed view of the instances:
  9. Note down the API Key. This is required while deploying the DKE Service. To copy the API Key, click COPY API KEY.
  10. To manage operations on the RSA key, click MANAGE.
  11. By default, the instance created is in an ‘Enabled’ state. To disable the instance, click the Disable toggle.
    Picture3.png Figure 3: Detailed View of an Instance

6.2 Configuring Fortanix DSM On-Premise

  1. Log in to the Fortanix DSM UI.
  2. Create an Account in Fortanix DSM if you do not have one already. See Getting Started for more information.
  3. Create a new Group, for example: “DKEGroup”, for storing the encryption keys.
    Picture4.png Figure 4: Create a Group
  4. Create an App in Fortanix DSM in the group created in Step 2 and copy the API key.
    1. In your Fortanix DSM account, go to the Applications tab, create a new App in the same group as Step 2.
      Picture5.png Figure 5: Create an App
    2. After the app is created, click COPY API KEY to copy the API key and save it in a notepad.
      Picture6.png Figure 6: Copy API Key
  5. Create an RSA Key with padding policy and Key permissions as shown below:

Padding Policy:

Picture7.png
Figure 7: Padding Policy

Required Key Permissions:

Picture8.png
Figure 8: Required Key Operations

7.0 Deploy DKE Service

A Double Key Encryption Service is required to be deployed, which exposes the external key for use by Microsoft 365 services. Microsoft provides a sample DKE Service code which works with local encryption key file https://github.com/Azure-Samples/DoubleKeyEncryptionService.

The Fortanix provided DKE Service is enhanced to add support for the Fortanix DSM Keys. This now provides encryption keys and offloads decryption operations to Fortanix DSM, instead of operating on local key files.

The DKE service can be easily installed on your on-premises IIS Server.

7.1 Deploy on IIS

  1. Download the DKE Service deployment bundle from here 
    https://s3.us-west-1.amazonaws.com/downloads.fortanix.com/dke-service/Fortanix-DSM-DKE-Service-2.0.zip
  2. Unzip this zip file into the IIS wwwroot folder. For example: C:\inetpub\wwwroot
    1. Edit the appsettings.json file and add configurations as per Section 4.3.
    2. Load your application.
  3. Install Microsoft .NET Core SDK 3.1.416 (x64) and Microsoft .NET 6.0.2 - Windows Server Hosting for AspNetCoreModuleV2 dependencies.
  4. Create IIS site using the path. Install SSL certificate on the site so that DKE can communicate with Azure AD.
    Create_an_IIS_Site.png
    Figure 9: Create an IIS Site
NOTE

Make sure that the IIS deployment is accessible over the internet to your Microsoft Office end-user and Microsoft o365 service. This is because Microsoft Apps directly access DKE Service for Key access and decryption.

7.2 Configure DKE Service

The DKE service requires a few configurations to be set up as explained in the sections below. Set the deployment configuration in the file appsettings.json as following:

7.2.1 Tenant ID

Edit the section ValidIssuers and update the value: https://sts.windows.net/<tenantid>/

where <tenantid> is the Azure Active Directory tenant ID. For example:

"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
"TenantId": "common",
"Authority": "https://login.microsoftonline.com/common/v2.0",
"TokenValidationParameters": {
"ValidIssuers": [
"https://sts.windows.net/9c99431e-b513-44be- a7d9-e7b500002d4b/"
]
}
}

7.2.2 JWT Audience

Edit the section JwtAudience with the endpoint of the IIS server or Azure App Service endpoint. For example:

"JwtAudience" : "https://dkeservice.mycompanydomain.com"

7.2.3 DSM API Endpoint

Edit the section FortanixDSMConfig:ApiEndpoint with the endpoint of the Fortanix DSM cluster. For example:

"FortanixDSMConfig": {
"ApiEndpoint": "https://sdkms.fortanix.com"
}

7.2.4 DSM API Key

Edit the section FortanixDSMConfig:ApiKey with the authentication DSM API Key copied from Section 31 and Section 3.2. For example:

"FortanixDSMConfig": {
"ApiKey": "BJ0oijJYHYU78h6g...05KGkh84GJLK"
}

7.2.5 Authorized Email Addresses

NOTE
This is an optional configuration.

Add section AuthorizedEmailAddress with the list of specific users allowed to use Fortanix DSM Keys for decryption. If this is empty or not present, then all the users from your Azure AD tenant are allowed access. For example:

"AuthorizedEmailAddress": ["userA@xyz.com", "userB@xyz.com"]

7.2.6 Final Configuration

The following is an example of the final appsettings.json file:

{ 
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
"TenantId": "common",
"Authority": "https://login.microsoftonline.com/common/v2.0",
"TokenValidationParameters": {
"ValidIssuers": ["https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/"]
}
},
"Logging": {
"LogLevel": {
"Default": "Information"
},
"EventLog": {
"LogLevel": {
"Default": "Information"
}
}
},
"AllowedHosts": "*",
"JwtAuthorization": "https://login.windows.net/common/oauth2/authorize",
"JwtAudience" : "https://dkeservice.mycompanydomain.com",
"AuthorizedEmailAddress": ["userA@xyz.com", "userB@xyz.com"],
"FortanixDSMConfig": {
"ApiEndpoint": "https://sdkms.fortanix.com",
"ApiKey": "BJ0oijJY...0kh84GJLK"
}
}

7.3 Register DKE App in Azure AD

The deployed DKE Service must be registered for Microsoft 365 access. This registration allows Microsoft apps to generate authentication tokens for the DKE service.

  1. In your browser, open the Microsoft Azure portal, and go to All Services > Other > App registrations.
  2. Select New registration and enter a meaningful name.
  3. Select an account type from the options displayed (usually the value to be selected is “Single tenant”).
    Register_an_application.png
    Figure 10: Register Application
  4. At the bottom of the page, select Register to create the new App Registration.
  5. In your new App Registration, in the left pane, under Manage, select Authentication.
  6. In the Platform configurations, click Add a platform.
    Add_a_Platform.png Figure 11: Add a Platform
  7. On the Configure platforms popup, select Web.
    Configure_Web.png
    Figure 12: Configure a Web
  8. In the Configure Web form:
    1. Under Redirect URIs, enter the URI of your double key encryption service. Enter the DKE Service Endpoint URL, For example: https://dkeservice.fortanix.com
    2. Under Implicit grant and hybrid flows, select the ID tokens check box.
    3. Click Configure to save your changes.
  9. On the left pane, select Expose an API, then next to Application ID URI, and click Set.
  10. Enter the DKE Service endpoint URL, For example: https://dkeservice.fortanix.com. Click Save.
  11. In the Scopes defined by this API section, select Add a scope.
  12. On the Expose an API page, in the Scopes defined by this API section, and select Add a scope.
  13. In the Add a scope form:
    1. Define the Scope name as user_impersonation.
    2. Select the administrators and users who can consent.
    3. Define any remaining values required.
    4. Click Add scope to save your changes.
      Add_Scope.png
      Figure 13: Add scope
  14. On the Expose an API page, in the Authorized client applications section, select Add a client application. In the new client application:
    1. Define the Client ID as d3590ed6-52b3-4102-aeff-aad2292ab01c (Please use this exact value). This value is the Microsoft Office client ID which enables Office to obtain an access token against the DKE Service.
    2. Under Authorized scopes, select the user_impersonation
    3. Click Add application to save your changes.
      Add_a_client_application.png
      Figure 14: Add a client application
    4. Repeat the above steps for another Client ID as c00e9d32-3c8d-4a7d-832b-029040e7db99 (Please use this exact value). This value is the client ID for Microsoft Azure Information Protection Client.

Your DKE service is now registered. Continue by testing connectivity and creating sensitivity labels using DKE.

7.3.1 Test Connectivity between DKE and Fortanix DSM

  1. Run the curl command to check DKE connectivity with Fortanix DSM-
  2. curl -v https://<dkeserviceurl>/<RSAKeyName>
  3. It should return a 200 response code with RSA public key.

7.3.2 Create Sensitivity Labels using DKE

In the Microsoft 365 compliance center:

  1. Create a new sensitivity label and apply encryption as you would otherwise.
  2. Select Use Double Key Encryption and enter the endpoint URL for your key. For example: https://mycompanydomain.com/MicrosoftDKEServiceKey.
    Where MicrosoftDKEServiceKey is the name of the Fortanix DSM Key created in Section 3.0. MicrosoftDKE7.pngFigure 15: New sensitivity label
  3. Publish the label using label Policy.

Any DKE labels that you add will start appearing for users in the latest versions of Microsoft 365 Apps for the enterprise.

Now you can apply these labels to the Microsoft Documents. Once these labels are applied, the document is kept encrypted using Fortanix DSM Keys.

 NOTE:

  1. You can create multiple labels with different DSM keys. However, DSM keys needs to exist in same app.
  2. DKE key can be rotated without impact on existing labelled documents.
  3. You can define a quorum policy on DKEGroup to restrict any modifications to the dke key.

8.0 References

  1. Double Key Encryption for Microsoft 365:
    https://docs.microsoft.com/en-us/microsoft-365/compliance/double-key-encryption
  2. Double Key Encryption Troubleshooting Guide by Microsoft: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/dke-troubleshooting/ba-p/2234252
  3. Fortanix DSM Getting Started: https://support.fortanix.com/hc/en-us/articles/360015809372-Getting-Started-with-SDKMS

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful