Skip to main content



PKWARE key management support for Microsoft Double Key Encryption (DKE) provides organizations with a simple and seamless experience for administrators. Administrators managing Microsoft’s Information Protection around double key encryption with PKWARE don’t have to worry about the aspects that come from enterprise key management; scalability, auditability, durability, security, and high availability.

Microsoft allows for customers to choose between different types of key management capabilities around their Information Protection suite; Microsoft Managed Key, Bring Your Own Key, and Double Key Encryption. Double key encryption allows organizations to utilize the seamless experiences with encrypted Office file types while also giving customers the benefit of knowing no one else outside their organization can decrypt their files, including Microsoft.

Microsoft DKE uses two keys to access protected content. Microsoft Azure stores one key and the customer holds the second key, which means customers can finally maintain full control of one their keys. Without having both keys, Microsoft cannot decrypt files encrypted with DKE.

How We Integrate

The second key that customers control is managed by a cloud or on-premises instance of the PKWARE Enterprise Manager (PEM). With that DKE controlled by the PEM, an administrator sets what users and groups should have access to the DKE key. Once the key and the users/groups associated with that key are created, the PEM will generate a URL that must be given to the Microsoft Information Protection label with DKE encryption.

When an end user authenticates with their Azure Active Directory, the unified labeling client will retrieve the  appropriate DKE keys from the PEM service. If a user tries to right-click Microsoft’s “Classify and Protect” in Explorer or select a label within an Office application, the DKE label will be available.

DKE Keys

NameA unique name given to the key

Enable Encryption

Boolean variable (yes or no) defining whether encryption with this key is enabled
Enable DecryptionBoolean variable (yes or no) defining whether decryption with this key is enabled

The URL double key encryption service path that is used by administrators for defining the location of the key service. This link can be copied at the "Copy Link" option on the right most side of the table.

Please see Microsoft documentation for creating a sensitive label with DKE enabled for where to paste this within the Microsoft Compliance Center.

Created AtThe date and time the key was created
Updated AtThe date and time the key was updated


Click the "Add" button to create a new DKE key. Note: Be sure to provide a unique name for a new DKE key.

Import & Export: Transferring DKE Keys

At some point, you may need to move keys used for DKE from one environment to another. Our manager allows you to export the existing keys from one server (server 1) to another server (server 2). Follow these steps:

  1. Start on Server 2 that does not have the DKE keys yet, go the DKE page.
  2. Click Import/Export.
  3. Click Download Public Key. Save the generated JSON file to a convenient location.
  4. On server One that has the DKE keys, go to DKE.
  5. Click Import/Export.
  6. Click Export.
  7. In the Upload Public Key to Target Server, browse to the JSON file saved in Step 3.
  8. In Select Keys to Export, all existing Communities are checked by default. You may uncheck the box next to any keys you don't want to export. Click OK.
  9. Save the generated Key Transfer file to a convenient location.
  10. Return to the Server 2.
  11. Click Import.
  12. Browse to the Key Transfer file. Click OK.
  13. After the import, you will see the imported DKE Keys in the DKE table list.


This page allows administrators to view and import security Labels from Microsoft into the PK Endpoint Manager. Once Labels are added to the Labels table shown on this page, they can be used in the MIP labels dropdown as a remediations option. In order for labels to appear in the label table they must be added from the "Import" button or added manually from the "Add" button. Make sure to configure the MIP/Applications and MIP/Config page before continuing through this section to populate labels. 

Display NameA string value that end users and administrators can see
Organization NameOrganization's name that defined the label
GUIDUnique identification string for the the label
Created AtDate and time the label was created
Updated AtDate and time the label was updated
ViewAllows the administrator to view the display name, organization name, GUID, Tenant ID, and date criteria for a single label
DeleteRemoves the label from appearing within the labels table and dropdown in the remediations page


AdministratorsSpecifically define administrators who can edit or delete the DKE Configuration. Alternatively, this can be left blank for pre-defined PK Endpoint Manager administrator permissions to be enforced for the configuration. 
Client Cache Time In Hours

How long Microsoft can use a DKE public key before they ask the PK Endpoint Manager for a new one. Default time is 24 hours.

Server Cache Time In SecondsDefault time is 60 seconds. 
Base URL

enter the URL that the environment will be called on. This must match the Application ID URI for the Azure Application registration.

Note: In the Azure App registration, /mds may not have been included on the end of the URL, but it needs to be added here. Example:

An application restart is required on all nodes in the cluster or farm when changes are made to this value.

Enable Encrypt APIIf enabled, users can encrypt files with DKE Labels

Enable Decrypt API

If enabled, users can decrypt files with DKE Labels
Enable Data Security Intelligence logging for encryptionIf enabled, PKWARE agents will report a detailed client log event for DKE encryption operations
Enable Data Security Intelligence logging for decryptionIf enabled, PKWARE agents will report a detailed client log event for DKE decryption operations
Proxy URLDirects the PK Endpoint Manager to communicate through a proxy when connecting to the internet
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.