Microsoft 365 Encryption

This page is built from Microsoft documentation, so take it with a grain of salt.


At Rest

Bitlocker

  • Full disk encryption (data on the volume is encrypted with the Full Volume Encryption Key, FVEK)

  • The Volume Master Key (VMK) encrypts the FVEK

  • The VMK is bound to the Trusted Platform Module (TPM)

Two key management categories:

  • BitLocker Managed. Bound to the installed OS instance; lost during re-install or formatting

  • BitLocker Recovery Keys. Used to decrypt a disk where the OS was re-installed but other drives are still encrypted.
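A constructed toy model of the hierarchy these bullets describe (example code added here, not from the page or from Microsoft): data is encrypted under the FVEK, the FVEK under the VMK, and the VMK is wrapped separately by each protector, so the TPM-bound copy can disappear on re-install while the recovery key still unlocks the drive. The cipher is a stand-in and the function names are assumptions.

```python
# Constructed toy model of the BitLocker key hierarchy in the notes above (not
# Microsoft's code): data <- FVEK <- VMK <- one wrapped copy per "protector".
# Stand-in cipher: HMAC-SHA256 keystream XOR plaintext, plus an HMAC tag so a
# wrong key is rejected rather than returning garbage. Illustration only.
import hashlib, hmac, os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_prf(key, b"ks" + nonce + ctr.to_bytes(4, "big")) for ctr in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"tag" + nonce + ct)

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError if `key` is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"tag" + nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def provision_volume(data: bytes, tpm_key: bytes, recovery_key: bytes) -> dict:
    """A fresh FVEK encrypts the data, a fresh VMK wraps the FVEK, and the VMK is
    wrapped once per protector, so any single protector is enough to unlock."""
    fvek, vmk = os.urandom(32), os.urandom(32)
    return {"ciphertext": wrap(fvek, data),
            "wrapped_fvek": wrap(vmk, fvek),
            "protectors": {"tpm": wrap(tpm_key, vmk), "recovery": wrap(recovery_key, vmk)}}

def read_volume(vol: dict, protector: str, protector_key: bytes) -> bytes:
    """Unlock through one protector: protector key -> VMK -> FVEK -> data."""
    vmk = unwrap(protector_key, vol["protectors"][protector])
    return unwrap(unwrap(vmk, vol["wrapped_fvek"]), vol["ciphertext"])

def can_unlock(vol: dict, protector: str, protector_key: bytes) -> bool:
    """False when the protector is missing (e.g. after re-install) or its key is wrong."""
    try:
        return read_volume(vol, protector, protector_key) is not None
    except (ValueError, KeyError):
        return False

def reinstall_os(vol: dict) -> dict:
    """Re-install/format loses the TPM-bound protector; the recovery key still works."""
    return {**vol, "protectors": {k: v for k, v in vol["protectors"].items() if k != "tpm"}}
```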

Service Level

Exchange Online, Teams, SharePoint Online and OneDrive use additional keys that are exclusive to a tenant. These can be managed by Microsoft (Microsoft Managed Keys) or as Customer Keys, where the customer provides the root key.

Microsoft Managed Keys

This is the default option. The keys are rotated automatically and stored in private key vaults that only the services can access; employees cannot access these keys.

Customer Keys

Managed by the customer. Microsoft still has access to an ‘availability key’, which can be seen as a recovery key. The customer has full control to remove this key as needed. The availability key is also used if the customer root keys cannot be reached (and there is no message to say they are disabled).


In Transit

Microsoft manages its own Certificate Authority, which issues SHA-2 (RSA) certificates with 2048-bit keys.