Blog: Achieving Data Sovereignty with IBM Unified Key Orchestrator and Microsoft Double Key Encryption

By Arun Ramachandran posted Wed March 18, 2026 12:56 AM


Modern enterprises increasingly need to ensure true data sovereignty—maintaining full control over their most sensitive information, regardless of where it is stored or processed. IBM Unified Key Orchestrator (UKO) plays a central role in delivering that control by managing customer‑held encryption keys across hybrid and multi‑cloud environments. When combined with Microsoft Double Key Encryption (DKE), organizations gain a powerful sovereignty model where content remains unreadable to the cloud provider, even under legal compulsion.

This blog explores how UKO enables scalable, policy‑driven control over the customer‑held keys required for DKE, ensuring governance, lifecycle management, and compliance across the full encryption ecosystem.


Why UKO Is Foundational for Data Sovereignty

At its core, data sovereignty requires that:

  1. You own and control the keys protecting your sensitive content.

  2. The cloud provider cannot decrypt your data—technically or legally.

  3. Encryption happens before data leaves your environment, so plaintext is never exposed to a provider’s infrastructure.

  4. Keys remain recoverable and governed, even across multi‑cloud, regulated, or distributed architectures.

IBM Unified Key Orchestrator delivers these capabilities by offering:

  • A centralized platform to manage, rotate, revoke, recover, and audit encryption keys

  • A consistent operating model spanning on‑prem HSMs, cloud KMS services, and specialized keystores

  • Policy‑driven governance with templates, vaults, lifecycle rules, and delegated administration

  • Integration with Double Key Encryption through UKO’s DKE keystore implementation

With UKO, organizations gain sovereignty without the operational burden of custom key services or isolated key silos.


How Double Key Encryption Supports Sovereignty

Microsoft Double Key Encryption (DKE) provides a sovereignty‑aligned encryption model using two independent keys:

  1. A Microsoft‑controlled key stored in Azure Key Vault

  2. A customer‑controlled key hosted in an environment you control (on‑prem, cloud, or HSM)

Decryption requires both keys, but the customer‑controlled private key never leaves the customer boundary.

This ensures that:

  • Data is encrypted locally before it is uploaded

  • Microsoft cannot decrypt or access your data

  • Even under legal orders, Microsoft cannot hand over plaintext, because it never had the key

  • Sensitive content stays governed under local privacy, banking, or national‑sovereignty laws

DKE is applied via sensitivity labels in Microsoft Purview Information Protection. Office apps (Word, Excel, PowerPoint, Outlook) will only open DKE‑labeled content when both key paths succeed.


Where IBM Unified Key Orchestrator Fits

UKO treats the customer‑controlled DKE service as a managed keystore, applying the same governance that already exists across Azure, AWS, Google Cloud, IBM Cloud, or on‑prem HSMs.

UKO provides:

  • Key creation using templates (naming rules, cryptographic strength, lifecycle states)

  • Secure distribution of keys into the DKE service

  • Rotation and versioning without re‑encrypting all documents

  • Revocation and emergency lockout

  • Central backup and rapid key reinstallation

  • Audit logs and delegated administration using vaults

UKO also provides the DKE service implementation itself, ensuring a ready‑to‑use, compliant customer key path for Microsoft 365 applications.


Operational Benefits for Data Sovereignty

One‑click key withdrawal → Instant document lockout

Revoking or deactivating a key in the UKO‑managed DKE keystore immediately prevents access to protected documents. This gives security teams a powerful, reversible containment mechanism.

Safe and controlled key rotation

Rotation can be performed without re‑encrypting historical data. Purview labels simply point new encryptions to the new key, while old content still works with the previous one.
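The two‑key model described under "How Double Key Encryption Supports Sovereignty", together with the revocation and rotation behaviour just described, as an added Go example that is not part of this post nor of UKO or DKE: a fresh content key is wrapped with the Microsoft key and then with the customer key, both modelled as RSA key pairs, so a document opens only when both private keys are available. The `Envelope` layout, the `CustomerKeystore` map, the wrap order and the key sizes are assumptions for illustration, not Microsoft's file format or UKO's API.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Envelope is an assumed, simplified model of a DKE-protected document, not Microsoft's real format.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey []byte
	CustomerKeyVer                int // customer key version used for the outer wrap
}
// CustomerKeystore stands in for the UKO-managed DKE keystore: private keys by version that never leave this boundary.
type CustomerKeystore map[int]*rsa.PrivateKey
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Protect wraps a fresh content key with the Microsoft key, then the customer key (assumed order).
// Only public keys are needed, so no private key crosses the boundary; custPub must be >= 3072 bits to hold the 2048-bit inner wrap.
func Protect(plain []byte, msPub, custPub *rsa.PublicKey, custVer int) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte content key + 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil { return nil, err }
	cek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(cek)
	if err != nil { return nil, err }
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, msPub, cek, nil)
	if err != nil { return nil, err }
	outer, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, custPub, inner, nil)
	if err != nil { return nil, err }
	return &Envelope{nonce, gcm.Seal(nil, nonce, plain, nil), outer, custVer}, nil
}

// Open needs both private keys: a revoked (deleted) customer version locks the document out, while an old version kept in the keystore still opens documents protected before a rotation.
func Open(env *Envelope, msPriv *rsa.PrivateKey, ks CustomerKeystore) ([]byte, error) {
	custPriv, ok := ks[env.CustomerKeyVer]
	if !ok { return nil, errors.New("customer key revoked or unavailable: document locked") }
	inner, err := rsa.DecryptOAEP(sha256.New(), nil, custPriv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, msPriv, inner, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(cek)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Adding a new version to the keystore before pointing new documents at it, and deleting a version only after a deliberate lockout decision, is what lets rotation avoid re‑encryption while keeping withdrawal reversible.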

Rapid disaster recovery

If any DKE service instance fails, UKO re‑pushes the authoritative key copy instantly—eliminating downtime and avoiding permanent cryptographic loss.

Delegation with guardrails

Regional teams or application owners can manage daily operations, while central security teams retain governance and audit visibility.


How DKE Enables Real Data Sovereignty

When applied through UKO, DKE supports sovereignty requirements such as:

  • No access by the cloud provider

    Microsoft cannot decrypt the data because the customer‑held key is never shared.

  • Local cryptographic control

    All encryption occurs before the data leaves your environment.

  • Compliance with sovereignty mandates

    Useful for GDPR and Schrems II, banking secrecy laws, HIPAA, GLBA, national localization statutes, and highly controlled IP environments.

  • Clear operational boundaries

    The customer—not Microsoft—controls lifecycle, access, revocation, and recovery.

Important considerations

  • Losing the customer‑held key makes the protected data irrecoverable

  • Some cloud features (web apps, previews, search) are not supported for DKE‑protected documents

  • Sovereignty requires disciplined governance, which UKO automates and scales


Deploying UKO + DKE

Both UKO for Containers and UKO for z/OS support DKE integration. The installation includes:

  • UKO vaults and templates

  • Customer‑controlled DKE service components

  • RabbitMQ, TLS/mTLS, and supporting infrastructure

  • Integration with Purview and Microsoft 365 clients
