The Utimaco DKE Anchor service helps customers protect their sensitive information in Microsoft 365. The service delivers public keys and decrypts data using the HSM. It can be deployed either on-premises or in the cloud (Windows or Linux platform).
The DKE Anchor service is a web server with a public URL that provides services to get the public key and to decrypt data. To provide them, it needs to talk to Azure to verify the authentication token and to get some user information. The service also uses PKCS#11 to interact with the HSM. The AIP client gets the sensitivity labels from Azure, presents them to Microsoft 365 applications, and talks to the DKE Anchor service to get the public key and decrypt data. In Azure, the DKE Anchor service is registered, and sensitivity labels are defined and bound to a DKE Anchor service key URL.