Encryption in Office 365
Encryption is an important part of your file protection and information protection strategies. Read this article to get an overview of encryption used for all versions of Office 365, and get help with encryption tasks, from setting up encryption for your organization to password-protecting Office documents.
If you're looking for information about certificates and technologies like TLS, see Technical reference details about encryption in Office 365.
If you are looking for information about how to configure or set up encryption for your organization, see Set up encryption in Office 365 Enterprise.
What is encryption, and how does it work in Office 365?
At a high level, encryption is the process of encoding your data (referred to as plaintext) into ciphertext that cannot be used by people or computers unless and until the ciphertext is decrypted. Decryption requires an encryption key that only authorized users have. Encryption helps ensure that only authorized recipients can decrypt your content, such as email messages and files.
Encryption by itself does not prevent content, such as files, email messages, calendar entries, and so on, from getting into the wrong hands. Encryption is part of a larger information protection strategy for your organization. By using encryption, you can help ensure that only those who should be able to use encrypted data are able to.
You can have multiple layers of encryption in place at the same time. For example, you can encrypt email messages and also the communication channels through which your email flows. With Office 365, your data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPSec), and Advanced Encryption Standard (AES).
Encryption for data at rest and data in transit
Examples of data at rest include files that have been uploaded to a SharePoint library, Project Online data, documents that have been uploaded in a Skype for Business meeting, email messages and attachments that are stored in folders in your Office 365 mailbox, and files uploaded to OneDrive for Business.
Examples of data in transit include mail messages that are in the process of being delivered, or conversations that are taking place in an online meeting. In Office 365, data is in transit whenever a user's device is communicating with an Office 365 server, or when an Office 365 server is communicating with another server.
With Office 365, you can have multiple layers and kinds of encryption working together to secure your data. The following table includes some examples, with links to additional information.
|Kinds of Content||Encryption Technologies||Resources to learn more|
|Files on a device. This can include email messages saved in a folder, Office documents saved on a computer, tablet, or phone, or data saved to the Microsoft cloud.
||BitLocker in Microsoft datacenters. BitLocker can also be used on client machines, such as Windows computers and tablets
Distributed Key Manager (DKM) in Microsoft datacenters
Customer Key for Office 365
|Windows IT Center: BitLocker
Microsoft Trust Center: Encryption
Cloud security controls series: Encrypting Data at Rest
How Exchange Online secures your email secrets
Controlling your data in Office 365 using Customer Key
|Files in transit between users. This can include Office documents or SharePoint list items shared between users.
||TLS for files in transit
||Data Encryption in OneDrive for Business and SharePoint Online
Skype for Business Online: Security and Archiving
|Email in transit between recipients. This includes email hosted by Exchange Online.
||Office 365 Message Encryption with Azure Rights Management, S/MIME, and TLS for email in transit
||Office 365 Message Encryption (OME)
Email encryption in Office 365
How Exchange Online uses TLS to secure email connections in Office 365
What if I need more control over encryption to meet security and compliance requirements?
In addition to Microsoft-managed solutions of volume encryption, file encryption, and mailbox encryption in Office 365, customer-managed options can be used to meet more stringent security and compliance requirements. Such solutions use Azure Rights Management (Azure RMS) together with Office 365.
See the following resources to learn more:
How do I...
|To do this task||See these resources|
|Set up encryption for my organization
||Set up encryption in Office 365 Enterprise
|View details about certificates, technologies, and TLS cipher suites in Office 365
||Technical details about encryption in Office 365
|Work with encrypted messages on a mobile device
||View encrypted messages on your Android device
View encrypted messages on your iPhone or iPad
|Encrypt a document using password protection
Currently, password protection is not supported in Office in a browser. Use desktop versions of Word, Excel, and PowerPoint for password protection.
|Add or remove protection in your document, workbook, or presentation (Choose an Add protection section, and then see Encrypt with Password )
|Remove encryption from a document
||Add or remove protection in your document, workbook, or presentation (Choose a Remove protection section, and then see Remove password encryption )