Customer Key for Office 365 FAQ

In addition to the baseline, volume-level encryption that’s enabled through BitLocker and Distributed Key Manager (DKM), Office 365 offers an added layer of encryption at the application level for customer content in Office 365, including data from Exchange Online, Skype for Business, SharePoint Online, and OneDrive for Business. This is called service encryption.

Customer Key is built on service encryption and enables you to provide and control keys that are used to encrypt your data at rest in Office 365 as described in the Online Services Terms (OST). Customer Key helps you meet compliance obligations because you control the encryption keys that Office 365 uses to decrypt data.

What Office 365 data at rest is covered by Customer Key?

SharePoint Online site content and the files stored within that site and files uploaded to OneDrive for Business are covered. Exchange Online mailbox content (e-mail body, calendar entries, and content of email attachments) is covered. Text conversations from Skype for Business are covered, but Skype Meeting Broadcast recordings and Skype Meeting content uploads are not covered. Skype Meeting Broadcast and Skype Meeting content uploads are encrypted along with all other content in Office 365, but we currently don’t offer customer control of the encryption keys.

What is the difference between Customer Key and Bring Your Own Key (BYOK) with Azure Information Protection for Exchange Online?

Both options enable you to provide and control your own encryption keys. However, service encryption with Customer Key encrypts your data at rest on Office 365 servers, while BYOK with Azure Information Protection for Exchange Online encrypts your data in transit and provides persistent online and offline protection for email messages and attachments in Office 365. Customer Key and BYOK with Azure Information Protection for Exchange Online are complementary, and whether you choose to use Microsoft’s service-managed keys or your own keys, encrypting your data at rest and in transit can provide added protection from malicious attacks.

BYOK with Azure Information Protection for Exchange Online is offered in the Office 365 Message Encryption capabilities.

Does service encryption with Customer Key change Microsoft’s approach to third-party data requests such as subpoenas?

No. Customer Key was not designed to respond to law enforcement subpoenas. It was designed for regulated customers to meet their internal or external compliance obligations. Microsoft takes third-party requests for customer data very seriously. As a cloud service provider, we always advocate for privacy of customer data. In the event we get a subpoena, we always attempt to redirect the third party to the customer to obtain the information. (Please read Brad Smith’s blog: Protecting customer data from government snooping). We periodically publish detailed information about the requests we receive.

See the Microsoft Trust Center regarding third-party data requests and “Disclosure of Customer Data” in the Online Services Terms (OST) for more information.

If my keys are destroyed, how can I recover?

Microsoft provides added protections from key loss. The recovery key provides you with the capability to recover from the unanticipated loss of root keys that you manage. Microsoft will either assist you through this process or provide you with instructions on how to recover without assistance from Microsoft.

What is the recovery key?

The recovery key is a root key that is provisioned and protected by Microsoft and is functionally equivalent to the root keys that are supplied by you for use with service encryption with Customer Key. Because the recovery key is protected by Microsoft, it uses a different security design and controls from keys that you manage. This provides defense-in-depth and protects against the loss of all keys from a single attack or point of failure. Sharing the responsibility to protect the keys, while using a variety of protections and processes for key management, ultimately reduces the risk that all keys will be lost or destroyed. 

How many data encryption policies (DEPs) can I create?

Exchange Online and Skype for Business: You can create up to 50 DEPs.

SharePoint Online and OneDrive for Business: A DEP applies to data in one geographic location, also called a geo. If you use the multi-geo feature of Office 365 (currently in Preview), you can create one DEP per geo. If you are not using multi-geo, you can create one DEP.

How do I verify that encryption with Customer Key is activated and Office 365 has finished encrypting with Customer Key?

Exchange Online and Skype for Business: You can connect to Exchange Online using remote PowerShell and then use the Get-MailboxStatistics cmdlet for each mailbox you want to check. In the output from the Get-MailboxStatistics cmdlet, the IsEncrypted property returns a value of true if the mailbox is encrypted and a value of false if it’s not. If the mailbox is encrypted, the value returned for the DataEncryptionPolicyID property is the GUID of the DEP with which the mailbox is encrypted. For more information on running this cmdlet, see Get-MailboxStatistics and using PowerShell with Exchange Online.

SharePoint Online and OneDrive for Business: You can connect to SharePoint Online PowerShell, and then use the Get-SPODataEncryptionPolicy cmdlet to check the status of your tenant. The State property returns a value of registered if Customer Key encryption is enabled and all files in all sites have been encrypted. If encryption is still in progress, this cmdlet provides information on what percentage of sites is complete.
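The following script is an added example, not code from the Microsoft page: it wraps the two checks above into reusable functions so the status of a whole tenant can be reviewed in one pass rather than one mailbox at a time. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and that Connect-ExchangeOnline and Connect-SPOService have already been run; the function names, the `Test-CustomerKeyMailboxes` GUID check and the placeholder DEP GUID are this example's own, and Get-SPODataEncryptionPolicy is called without parameters as the page describes.

```powershell
# Added example (not from the Microsoft page): summarize Customer Key status for a tenant.
# Assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules
# are installed and that Connect-ExchangeOnline and Connect-SPOService have already run.

function Get-CustomerKeyMailboxReport {
    # One record per mailbox: whether it is encrypted and, if so, with which DEP GUID.
    [CmdletBinding()]
    param([string]$RecipientTypeDetails = 'UserMailbox')

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $RecipientTypeDetails |
        ForEach-Object {
            $stats = Get-MailboxStatistics -Identity $_.Identity
            [pscustomobject]@{
                Mailbox                = $_.UserPrincipalName
                IsEncrypted            = [bool]$stats.IsEncrypted
                DataEncryptionPolicyID = $stats.DataEncryptionPolicyID
            }
        }
}

function Get-CustomerKeyMailboxSummary {
    # Groups the report by encryption state and DEP, so mailboxes that are still
    # unencrypted (encryption in progress, or no DEP assigned yet) stand out.
    param([Parameter(Mandatory)] [object[]]$Report)

    $Report | Group-Object -Property IsEncrypted, DataEncryptionPolicyID |
        ForEach-Object {
            [pscustomobject]@{
                IsEncrypted            = $_.Group[0].IsEncrypted
                DataEncryptionPolicyID = $_.Group[0].DataEncryptionPolicyID
                MailboxCount           = $_.Count
            }
        } | Sort-Object IsEncrypted, MailboxCount -Descending
}

function Test-CustomerKeyMailboxes {
    # Returns $true only when every mailbox in the report is encrypted with the expected DEP;
    # otherwise warns with the list of mailboxes that are not.
    param(
        [Parameter(Mandatory)] [object[]]$Report,
        [Parameter(Mandatory)] [guid]$ExpectedDepId
    )
    $bad = @($Report | Where-Object {
        -not $_.IsEncrypted -or ([string]$_.DataEncryptionPolicyID).ToLower() -ne $ExpectedDepId.Guid
    })
    if ($bad.Count -gt 0) { $bad | Format-Table -AutoSize | Out-String | Write-Warning }
    return ($bad.Count -eq 0)
}

function Get-CustomerKeySpoStatus {
    # SharePoint Online / OneDrive for Business: the tenant-level policy reports its State.
    $policy = Get-SPODataEncryptionPolicy
    [pscustomobject]@{
        State   = $policy.State   # 'registered' once every site has been encrypted
        Details = $policy         # carries the progress information while encryption is in flight
    }
}

# Usage (the DEP GUID is a placeholder; take the real one from your own DEP definition):
# $report = Get-CustomerKeyMailboxReport
# Get-CustomerKeyMailboxSummary -Report $report
# Test-CustomerKeyMailboxes -Report $report -ExpectedDepId '<DEP GUID>'
# Get-CustomerKeySpoStatus
```

Run the mailbox report before and after assigning a new DEP and compare the summaries: the count under the old GUID should fall to zero within the 72-hour window described later on this page, and any mailbox that stays unencrypted is worth investigating individually.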

If I want to switch to a different set of keys, how long does it take for the new set of keys to protect my data?

Exchange Online and Skype for Business: It can take up to 72 hours to protect a mailbox according to a new Data Encryption Policy (DEP) from the time the new DEP is assigned to the mailbox.

SharePoint Online and OneDrive for Business: It can take up to four hours to re-encrypt your entire tenant once a new key has been assigned.

Is my existing data stored without encryption at any time while it is decrypted or encrypted with Customer Key?

No. Your data is always encrypted at rest in the Office 365 service with BitLocker and DKM. For more information, see the “Security, Privacy, and Compliance Information for Office 365”, and How Exchange Online secures your email secrets.

If I no longer want to use customer-managed encryption keys, can I switch to Microsoft-managed keys?

Exchange Online and Skype for Business: Not yet. This will be supported once service encryption in Office 365 with Microsoft-managed keys is rolled out broadly. We expect to roll this out in the service after we release service encryption with Customer Key.

SharePoint Online and OneDrive for Business: Yes. You can choose to revert to using Microsoft-managed keys separately for each geo (if you use the multi-geo feature) or for all your data if it is in a single geo.

If I lose my keys, how long does it take to recover service availability using the recovery key?

Exchange Online and Skype for Business: Once you call in to use the recovery key, mailboxes will be accessible within minutes.

SharePoint Online and OneDrive for Business: This operation is proportional to the number of sites you have. Once you call Microsoft to use the recovery key, you will be fully online within about four hours.

How is the recovery key used with Exchange Online?

Office 365 uses the recovery key both for service availability and recovery from an unhealthy Customer Key state for Exchange Online. There is a hierarchy of keys used by Customer Key. This hierarchy is illustrated in the following figure.

This graphic shows the hierarchy of keys used in Customer Key for Exchange Online

If both Azure Key Vault keys of a single Data Encryption Policy (DEP) are unavailable, Office 365 can use the recovery key to transition to a new DEP. Office 365 decides whether to use the recovery key for service availability differently depending on what triggered the process: a user-initiated activity (for example, a user downloading email to the Outlook client) or a system-initiated activity (such as indexing mailbox contents or running eDiscovery searches).

Office 365 follows this process in response to user-initiated actions to determine whether to use the recovery key for user mailboxes:

  1. Office 365 reads the DEP to which the mailbox is assigned in order to determine the location of the two customer keys in Azure Key Vault.

  2. Office 365 randomly chooses one of the two customer keys from the DEP and sends a request to Azure Key Vault to unwrap the DEP key using the customer key.

  3. If the request to unwrap the DEP key using the customer key fails and returns an error, Office 365 sends a second request to Azure Key Vault, this time instructing it to use the alternate (second) customer key.

  4. If the second request to unwrap the DEP key using the customer key fails and returns an error, Office 365 examines the results of both requests:

    • If the examination determines that the errors DO NOT reflect an explicit action by a customer identity, then Office 365 uses the recovery key to decrypt the DEP key. The DEP key is then used to decrypt the mailbox key and complete the user request.

      In this case, Azure Key Vault is either unable to respond or unreachable for whatever reason. Office 365 has no way of determining if the customer has intentionally revoked access to the keys.

    • If the examination indicates that deliberate action has been taken to render the customer keys unavailable, then the recovery key will not be used, the user request fails, and the user receives an error message, such as login failure.

      When this happens, the customer is made aware that service is impacted, and the condition of Customer Key is unhealthy. For example, if a customer is using a single DEP for all mailboxes in the organization, the customer may experience a widespread failure where users can’t access their mailboxes. This ensures that when both customer keys are unhealthy, the customer is made aware of the need to correct the situation and restore the service to a healthy state.

The recovery key remains available for actions initiated by, or internal to, Office 365, such as search index creation or moving mailboxes, until the recovery key is deleted. This prevents the unintentional data loss that could occur if the recovery key were not used under these circumstances.
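The decision flow above is easier to reason about as code. The script below is an added example, not Microsoft's implementation: it models the two random-order unwrap attempts, the examination of both errors, and the different treatment of user-initiated and system-initiated requests. Azure Key Vault is replaced by a script block that returns a result object, the DEP key it yields is a placeholder string, and the list of "deliberate" error names (`Forbidden`, `KeyDisabled`, `KeyDeleted`) is constructed for illustration; the page does not publish how the service actually classifies errors.

```powershell
# Added example (not Microsoft's code): simulation of the recovery-key decision flow.
# The $Unwrap script block stands in for Azure Key Vault; error names are constructed.

function Resolve-DepKey {
    <#
      Returns an object whose Source is 'CustomerKey', 'RecoveryKey' or 'Failed',
      together with the unwrap attempts that led to that outcome.
    #>
    param(
        [Parameter(Mandatory)] [string[]]$CustomerKeys,   # the DEP's two Key Vault key URIs
        [Parameter(Mandatory)] [scriptblock]$Unwrap,      # key URI -> @{ Ok = $true; DepKey } or @{ Ok = $false; Error }
        [Parameter(Mandatory)] [ValidateSet('User', 'System')] [string]$Trigger,
        [string]$RecoveryKey                               # empty once the recovery key has been deleted
    )
    if ($CustomerKeys.Count -ne 2) { throw 'A DEP references exactly two customer keys.' }

    # Constructed list: errors that only a deliberate action on the customer side produces.
    $deliberateErrors = @('Forbidden', 'KeyDisabled', 'KeyDeleted')

    # Steps 2 and 3: try one customer key at random, then the other.
    $attempts = @()
    foreach ($key in ($CustomerKeys | Get-Random -Count 2)) {
        $result = & $Unwrap $key
        $attempts += [pscustomobject]@{ Key = $key; Ok = [bool]$result.Ok; Error = $result.Error }
        if ($result.Ok) {
            return [pscustomobject]@{ Source = 'CustomerKey'; Key = $key; DepKey = $result.DepKey; Attempts = $attempts }
        }
    }

    # Step 4: both unwrap requests failed; examine why before touching the recovery key.
    $deliberate = @($attempts | Where-Object { $_.Error -in $deliberateErrors })

    $useRecovery = [bool]$RecoveryKey -and (
        $Trigger -eq 'System' -or   # service-internal work keeps using the recovery key until it is deleted
        $deliberate.Count -eq 0     # user request and Key Vault merely unavailable: keep the mailbox reachable
    )
    if ($useRecovery) {
        # Placeholder for "decrypt the DEP key with the recovery key".
        return [pscustomobject]@{ Source = 'RecoveryKey'; Key = $RecoveryKey; DepKey = "dep-key-via-$RecoveryKey"; Attempts = $attempts }
    }
    # Deliberate revocation by the customer: fail so the tenant notices the unhealthy state.
    return [pscustomobject]@{ Source = 'Failed'; Key = $null; DepKey = $null; Attempts = $attempts }
}

# Constructed scenarios. $vault maps each key URI to what the simulated Key Vault answers.
$keys   = @('https://contoso-kv-eu.vault.azure.net/keys/ck1', 'https://contoso-kv-us.vault.azure.net/keys/ck2')
$vault  = @{}
$unwrap = { param([string]$keyUri) $vault[$keyUri] }

# Scenario 1: one vault unreachable, the other timing out, user-initiated request.
$vault[$keys[0]] = @{ Ok = $false; Error = 'Unreachable' }
$vault[$keys[1]] = @{ Ok = $false; Error = 'Timeout' }
Resolve-DepKey -CustomerKeys $keys -Unwrap $unwrap -Trigger User -RecoveryKey 'rk-01' | Select-Object Source, Key

# Scenario 2: the customer disabled both keys; compare a user request with an indexing job.
$vault[$keys[0]] = @{ Ok = $false; Error = 'KeyDisabled' }
$vault[$keys[1]] = @{ Ok = $false; Error = 'Forbidden' }
Resolve-DepKey -CustomerKeys $keys -Unwrap $unwrap -Trigger User   -RecoveryKey 'rk-01' | Select-Object Source, Key
Resolve-DepKey -CustomerKeys $keys -Unwrap $unwrap -Trigger System -RecoveryKey 'rk-01' | Select-Object Source, Key

# Scenario 3: one key disabled, the other healthy.
$vault[$keys[1]] = @{ Ok = $true; DepKey = 'dep-key-wrapped-by-ck2' }
Resolve-DepKey -CustomerKeys $keys -Unwrap $unwrap -Trigger User -RecoveryKey 'rk-01' | Select-Object Source, Key
```

In this model the first scenario is served through the recovery key, because neither error points at a customer action; in the second the user request fails while the system-initiated request still falls back to the recovery key; and in the third the healthy customer key serves the request whichever key happens to be tried first. Passing an empty `-RecoveryKey` models a tenant that has already deleted its recovery key, after which every both-keys-failed case ends in `Failed`.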

How is the recovery key used with SharePoint Online and OneDrive for Business?

The SharePoint Online and OneDrive for Business architecture and implementation for Customer Key and the recovery key are different from those for Exchange Online and Skype for Business.

When a customer onboards to customer-managed keys, Office 365 creates a tenant-specific intermediate key (TIK). Office 365 encrypts the TIK twice, once with each of the customer keys, and stores the two encrypted versions of the TIK. Only the encrypted versions of the TIK are stored, and a TIK can only be decrypted with the customer keys. The TIK is then used to encrypt site keys, which are then used to encrypt blob keys. The blobs themselves are encrypted and stored in the Microsoft Azure Blob storage service.

Office 365 follows this process to access a blob that has customer file data:

  1. Decrypt the TIK using the Customer Key.

  2. Use the decrypted TIK to decrypt a site key.

  3. Use the decrypted site key to decrypt a blob key.

  4. Use the decrypted blob key to decrypt the blob.

When decrypting a TIK, Office 365 issues two decryption requests to Azure Key Vault with a slight offset. The first one to finish furnishes the result and cancels the other request.

In case the customer loses access to their customer keys, Office 365 also encrypts the TIK with a recovery key and stores this along with the TIKs encrypted with each customer key. The TIK encrypted with the recovery key is used only when the customer calls Microsoft to enlist the recovery path when they have lost access to their keys, maliciously or accidentally.
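To make the hierarchy concrete, the script below is an added toy model and not Microsoft's implementation. It onboards a tenant by generating a TIK and storing it wrapped three times (once with each customer key and once with the recovery key), protects a file through the site key and blob key layers, and then runs the four-step decryption chain from the list above. The real customer keys live in Azure Key Vault and never leave it; here every layer is modelled with AES-256-CBC under a random IV so the structure can be exercised locally, and all key material and the document text are generated or constructed on the spot.

```powershell
# Added example (not Microsoft's implementation): toy model of the SharePoint Online
# key hierarchy: customer keys / recovery key -> TIK -> site key -> blob key -> blob.
# Every layer is AES-256-CBC with a random IV, standing in for the real Key Vault operations.

function New-RandomKey {
    param([int]$Bytes = 32)
    $k = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return $k
}

function Protect-Bytes {
    # Encrypts $Plain under $Key; output is the 16-byte IV followed by the ciphertext.
    param([byte[]]$Key, [byte[]]$Plain)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return [byte[]]($aes.IV + $cipher)
}

function Unprotect-Bytes {
    # Reverses Protect-Bytes. A wrong key throws a CryptographicException (bad padding).
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    return [byte[]]$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

function New-TenantOnboarding {
    # Generates the TIK and returns ONLY its wrapped copies; the plaintext TIK is not stored.
    param([byte[]]$CustomerKey1, [byte[]]$CustomerKey2, [byte[]]$RecoveryKey)
    $tik = New-RandomKey
    [pscustomobject]@{
        TikByCustomerKey1 = Protect-Bytes -Key $CustomerKey1 -Plain $tik
        TikByCustomerKey2 = Protect-Bytes -Key $CustomerKey2 -Plain $tik
        TikByRecoveryKey  = Protect-Bytes -Key $RecoveryKey  -Plain $tik
    }
}

function Protect-FileBlob {
    # Encrypts a file under a fresh blob key, wraps the blob key with a site key,
    # and wraps the site key with the TIK. Only wrapped keys are stored beside the blob.
    param([byte[]]$Tik, [byte[]]$FileBytes)
    $siteKey = New-RandomKey
    $blobKey = New-RandomKey
    [pscustomobject]@{
        WrappedSiteKey = Protect-Bytes -Key $Tik     -Plain $siteKey
        WrappedBlobKey = Protect-Bytes -Key $siteKey -Plain $blobKey
        Blob           = Protect-Bytes -Key $blobKey -Plain $FileBytes
    }
}

function Unprotect-FileBlob {
    # The four-step chain from the text.
    param([byte[]]$CustomerKey, [byte[]]$WrappedTik, $Stored)
    $tik     = Unprotect-Bytes -Key $CustomerKey -Blob $WrappedTik             # 1. customer key -> TIK
    $siteKey = Unprotect-Bytes -Key $tik         -Blob $Stored.WrappedSiteKey  # 2. TIK -> site key
    $blobKey = Unprotect-Bytes -Key $siteKey     -Blob $Stored.WrappedBlobKey  # 3. site key -> blob key
    return Unprotect-Bytes -Key $blobKey -Blob $Stored.Blob                    # 4. blob key -> file
}

# Constructed walk-through.
$ck1 = New-RandomKey; $ck2 = New-RandomKey; $rk = New-RandomKey
$tenant = New-TenantOnboarding -CustomerKey1 $ck1 -CustomerKey2 $ck2 -RecoveryKey $rk
$tik    = Unprotect-Bytes -Key $ck1 -Blob $tenant.TikByCustomerKey1
$stored = Protect-FileBlob -Tik $tik -FileBytes ([Text.Encoding]::UTF8.GetBytes('Constructed document text'))

# Either customer key alone reaches the file; the recovery copy is the last resort when both are gone.
$viaKey2     = Unprotect-FileBlob -CustomerKey $ck2 -WrappedTik $tenant.TikByCustomerKey2 -Stored $stored
$viaRecovery = Unprotect-FileBlob -CustomerKey $rk  -WrappedTik $tenant.TikByRecoveryKey  -Stored $stored
[Text.Encoding]::UTF8.GetString([byte[]]$viaKey2)
[Text.Encoding]::UTF8.GetString([byte[]]$viaRecovery)

# A key that never wrapped the TIK cannot start the chain at all.
try   { Unprotect-FileBlob -CustomerKey (New-RandomKey) -WrappedTik $tenant.TikByCustomerKey1 -Stored $stored | Out-Null }
catch { "Unrelated key rejected: $($_.Exception.Message)" }
```

The point of the layering is that re-keying is cheap: changing the customer keys only requires re-wrapping the TIK, not touching site keys, blob keys or the blobs themselves, which is why the page can quote hours rather than days for the SharePoint Online re-encryption window.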

For availability and scale reasons, decrypted TIKs are cached in a time-limited memory cache. Two hours before a TIK cache is set to expire, Office 365 attempts to decrypt each TIK. Decrypting the TIKs extends the lifetime of the cache. If TIK decryption fails for a significant amount of time, Office 365 generates an alert to notify engineering prior to the cache expiration. Only if the customer calls Microsoft will Office 365 initiate the recovery operation, which involves decrypting the TIK with the recovery key stored in Microsoft's secret store and onboarding the tenant again using the decrypted TIK and a new set of customer-supplied Azure Key Vault keys.

As of today, Customer Key is involved in the encryption and decryption chain of SharePoint Online file data stored in the Azure blob store, but not SharePoint Online list items or metadata stored in the SQL database. Office 365 does not use the recovery key for SharePoint Online or OneDrive for Business other than in the case described above, which is customer initiated. Human access to customer data is protected by Customer Lockbox.

For more information

To get started with Customer Key, see Controlling your data in Office 365 using Customer Key.
