Client-Side Encryption

FIPS 140-3 grade security with software-defined simplicity

How to stop data breaches on Azure CosmosDB

DuoKey for Azure CosmosDB

Client-side encryption is the act of encrypting data before sending it to the server. To enable client-side encryption, DuoKey generates a CMK within your application on the client side; Azure has no access to any encryption keys.

Protect your Azure CosmosDB against the ChaosDB vulnerability

Keep your keys safe

With DuoKey for Azure CosmosDB, our .NET library keeps a master key inside the MPC node or any compatible HSM and uses it to derive a unique key for each object in CosmosDB. The software running on the client has access to these object-specific keys, but never to the master key (the CMK), which never leaves the KMS node.

Use your own CMK

To access the content you must have the CMK generated using DuoKey KMS. The customer key is managed using our DuoKey KMS. Since one key is always in your control, Azure never has access to your data. When uploading an object, you provide a client-side master key to the Azure CosmosDB encryption client. The client uses the master key only to encrypt the data encryption key that it generates randomly.

Safe protection

With the recent vulnerability called "ChaosDB", the client-side encryption approach protects against such a vulnerability because the CMK is not stored or exposed in any Azure service. The CMK is used to derive DEKs (Data Encryption Keys), which are used to decrypt the content of the key/values stored in CosmosDB. This is a second layer of protection, as you don't store all your sensitive keys with the same cloud provider. MPC adds a further layer of protection, as the CMK is never recombined and never exists in one place. If you prefer, we also support a family of FIPS 140-2 Level 3 or 4 HSMs.

Client-Side Encryption

Client-side encryption is the act of encrypting data before sending it to Azure CosmosDB. To enable client-side encryption, DuoKey generates a master key (CMK) that you store within your application. This allows clients to encrypt sensitive data inside their applications and never reveal the plaintext data or encryption keys to the Azure Cosmos DB service.

How to use DuoKey for Azure Cosmos DB Client-Side Encryption

Prepare an instance of Azure CosmosDB with a number of different objects

Generate a CMK master key stored with the DuoKey cockpit on your preferred Vault (HSM, MPC or Hashicorp Vault)

Create one DEK per property to encrypt

Create a container with encryption policy
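The key hierarchy set up by the steps above, as an added Go model written for this page (it is not DuoKey's .NET library or the Azure SDK): a KMS type stands in for the vault holding the CMK, one DEK is generated per property and wrapped by the CMK, and the record that would be written to CosmosDB carries only wrapped DEKs and ciphertext. AES-256-GCM is assumed for both wrapping and data encryption, and binding each blob to its property name is a choice of this model; the page does not state the products' actual algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS stands in for the DuoKey KMS/MPC node: the CMK lives only here, and WrapDEK/UnwrapDEK are the only calls a client can make.
type KMS struct{ cmk []byte }

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func NewKMS() *KMS            { return &KMS{cmk: randBytes(32)} }
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key in this model is 32 bytes, so neither call can fail
	g, _ := cipher.NewGCM(block)
	return g
}

// seal/open use AES-256-GCM with a random nonce prefixed to the ciphertext; aad binds the blob to its property name.
func seal(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}
func open(key, ct, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}
func (k *KMS) WrapDEK(dek []byte, prop string) []byte          { return seal(k.cmk, dek, []byte(prop)) }
func (k *KMS) UnwrapDEK(w []byte, prop string) ([]byte, error) { return open(k.cmk, w, []byte(prop)) }

// EncryptedProperty is what reaches CosmosDB: a CMK-wrapped DEK plus ciphertext, never plaintext or the CMK.
type EncryptedProperty struct{ WrappedDEK, Ciphertext []byte }

// EncryptDocument makes one fresh DEK per property, has the KMS wrap it, and encrypts the value locally.
func EncryptDocument(kms *KMS, doc map[string]string) map[string]EncryptedProperty {
	out := make(map[string]EncryptedProperty, len(doc))
	for prop, value := range doc {
		dek := randBytes(32)
		out[prop] = EncryptedProperty{kms.WrapDEK(dek, prop), seal(dek, []byte(value), []byte(prop))}
	}
	return out
}

// DecryptProperty must go back to the KMS for the DEK; a stolen copy of the database alone is useless.
func DecryptProperty(kms *KMS, prop string, ep EncryptedProperty) (string, error) {
	dek, err := kms.UnwrapDEK(ep.WrappedDEK, prop)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ep.Ciphertext, []byte(prop))
	return string(pt), err
}
```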