Double Key Encryption (DKE) uses two keys together to access protected content. Microsoft stores one key in Microsoft Azure, and the user holds the other key. The user maintains full control of one of their keys using the Double Key Encryption service. The user applies protection using the Azure Information Protection unified labeling client to their highly sensitive content.
Double Key Encryption supports both cloud and on-premises deployments. These deployments help to ensure that encrypted data remains opaque wherever the user stores the protected data.