
Thales Blog

Protecting Sensitive Data with Luna Key Broker for Microsoft Double Key Encryption

April 1, 2021

Skylar Davies | Product Marketing Manager

Today’s remote working environment relies heavily on the collaborative sharing of information, challenging organizations to maintain the security of confidential data and regulatory compliance while driving employee productivity. Organizations in highly regulated industries such as financial services, government and healthcare can now use Thales Luna HSMs and Luna Cloud HSMs with Double Key Encryption (DKE) for Microsoft 365 to help comply with regulations such as the EU General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), and with the European Data Protection Board (EDPB) recommendations that followed the Schrems II ruling.

For those focused on maintaining compliance and protecting sensitive data across the organization, such as the CISO office, security architects and auditors, one of the best practices for data security is to own and control the keys used to encrypt sensitive data in every application. This is especially true for Microsoft 365, which has become the productivity suite of choice for most enterprises and enables online collaboration at a time when most companies have employees working remotely.

Microsoft DKE using Thales Luna HSMs makes it easy for organizations to follow security and key management best practices to meet compliance needs, while still realizing the benefits that hosting data in Microsoft Azure has to offer.

Enhanced control and security over sensitive data in Microsoft Azure with Luna HSMs

Thales has integrated its Luna HSMs with DKE for Microsoft 365, which work together to enable organizations to protect their most sensitive data while maintaining full control of their encryption keys.

The DKE solution uses two keys to protect highly sensitive data. One key is under the customer’s control in a FIPS 140-2 Level 3 validated Luna HSM; the second is stored securely in Microsoft Azure. Both keys are required to decrypt protected content, so neither Microsoft nor any other third party holding only one of the two keys can access the protected data on its own.
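As an added illustration of the two-key principle (not Microsoft’s DKE wire format and not the Luna Key Broker’s own code), the following Go program encrypts a document under a fresh content key, wraps that key first with a customer-held RSA key, modelled as an HSM-backed broker that exposes only a decrypt operation, and then with a cloud-held AES key standing in for the Azure-side key. Decryption must peel both layers, so a party holding only the cloud key, or only the customer key, gets a hard failure. The type names, the choice of RSA-OAEP and AES-GCM, the symmetric modelling of the cloud key and the sample document are all assumptions made for this example.

```go
// Added illustration of the two-key principle behind DKE: an example, not
// Microsoft's DKE wire format and not Thales's Luna Key Broker code.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// randBytes returns n bytes from the CSPRNG; an exhausted CSPRNG is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CustomerKeyBroker stands in for the customer-controlled DKE key service. In a
// Luna deployment the private key lives in the HSM; here (assumption) it is an
// in-memory RSA key that never leaves this struct.
type CustomerKeyBroker struct{ priv *rsa.PrivateKey }

func NewCustomerKeyBroker() (*CustomerKeyBroker, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CustomerKeyBroker{priv: priv}, nil
}

// PublicKey is what the key service publishes so clients can wrap content keys.
func (b *CustomerKeyBroker) PublicKey() *rsa.PublicKey { return &b.priv.PublicKey }

// Decrypt is the only private-key operation the broker exposes.
func (b *CustomerKeyBroker) Decrypt(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, wrapped, nil)
}

// CloudTenantKey stands in for the second key held in Microsoft Azure, modelled
// here (assumption) as a symmetric key-encryption key.
type CloudTenantKey struct{ aead cipher.AEAD }

func NewCloudTenantKey() (*CloudTenantKey, error) {
	aead, err := newGCM(randBytes(32))
	if err != nil {
		return nil, err
	}
	return &CloudTenantKey{aead: aead}, nil
}

// Wrap returns nonce || AES-GCM(plain); Unwrap reverses it and fails under any other key.
func (c *CloudTenantKey) Wrap(plain []byte) []byte {
	nonce := randBytes(c.aead.NonceSize())
	return append(nonce, c.aead.Seal(nil, nonce, plain, nil)...)
}

func (c *CloudTenantKey) Unwrap(blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], nil)
}

// ProtectedDoc is the encrypted document plus its doubly wrapped content key:
// WrappedKey = cloudWrap(customerWrap(contentKey)).
type ProtectedDoc struct{ Nonce, Ciphertext, WrappedKey []byte }

// Protect encrypts doc under a fresh content key, then wraps that key first with
// the customer's public key and then with the cloud-held key.
func Protect(doc []byte, customerPub *rsa.PublicKey, cloud *CloudTenantKey) (*ProtectedDoc, error) {
	contentKey := randBytes(32)
	aead, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, customerPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return &ProtectedDoc{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, doc, nil), WrappedKey: cloud.Wrap(inner)}, nil
}

// Unprotect needs both parties: the cloud key peels the outer layer and the
// customer's broker (the HSM) the inner one. A missing key is a hard failure.
func Unprotect(p *ProtectedDoc, broker *CustomerKeyBroker, cloud *CloudTenantKey) ([]byte, error) {
	inner, err := cloud.Unwrap(p.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("cloud key layer: %w", err)
	}
	contentKey, err := broker.Decrypt(inner)
	if err != nil {
		return nil, fmt.Errorf("customer key layer: %w", err)
	}
	aead, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}
```

Calling Unprotect with the right cloud key but a different broker fails at the customer layer (OAEP decryption error), and calling it with the right broker but a different cloud key fails at the outer layer (GCM authentication error) before the broker is ever contacted; in a real deployment that second path is also where the HSM would enforce its authorization policy before answering the decrypt request.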

This enhanced data protection capability enables organizations to benefit from the full power of Microsoft 365 collaboration and productivity tools while protecting sensitive data and meeting data privacy regulations and requirements.

In a recent press release announcing the solution, Thales’s VP of encryption solutions Todd Moore said, “Our collaboration with Microsoft is designed to give peace of mind to customers when it comes to security, no matter where or what Microsoft applications they’re accessing. The way we work has changed forever and in order to thrive, businesses have had to adapt and adopt collaborative applications on an increasing basis. The integration of Thales Luna HSMs with Microsoft Double Key Encryption provides assurance to businesses, regardless of the security or regulation requirements of their industry, enabling them to focus on being successful in this new world.”

Luna Key Broker for Microsoft DKE

Luna Key Broker for Microsoft DKE provides a secure foundation of trust for the double key encryption process. It gives organizations sole control over who has permission to access keys to decrypt protected data and provides them with enhanced data protection capabilities, including:

  • Key Life Cycle Management: Organizations can securely generate, store, and protect their encryption keys in a FIPS 140-2 level 3 validated Luna HSM outside of Microsoft Azure.
  • Meeting Security and Compliance: Help meet internal policy and compliance mandates, including GDPR, HIPAA and the EDPB recommendations following Schrems II, by ensuring that master encryption keys are held in a Luna HSM separate from where the sensitive data resides.
  • Flexible Deployment Options: Luna Key Broker for Microsoft DKE can be deployed either in the cloud, on-premises or in hybrid environments. The solution works with Luna Network HSMs and Luna Cloud HSMs.


Image caption: Organizations control the Customer Key in a Thales Luna HSM, which provides a FIPS 140-2 Level 3 validated root of trust and ensures separation between sensitive data and encryption keys, helping to fulfill compliance and security requirements.

Thales can help organizations assess and define their DKE strategy including integration and deployment. Organizations will need a Thales Luna HSM (on-premises or Luna Cloud HSM service), and the Luna Key Broker for Microsoft DKE for this solution. To learn more, download the Luna Key Broker for Microsoft Double Key Encryption (DKE) solution brief.