The Virtru Zero Trust Architecture uses a split-knowledge approach to content protection. Content and encryption keys are stored separately, so that only authorized parties can access unencrypted content. This architecture ensures that Virtru can never access unencrypted content or decrypt user content outside of customer-controlled Virtru clients. Only recipients authorized by the content creator can access and decrypt protected content.
The Virtru system consists of four components: Virtru client libraries that sit on the content creator’s device (typically a browser extension or plug-in), the Virtru Access Control Management (ACM) Server that provides key management and mediates policies, object stores that hold encrypted content, and receiving clients.
When a user enables Virtru protection, all encryption activities occur on Virtru-enabled clients using client-generated AES-256 bit symmetric encryption keys. Separate object encryption keys, called Access Control Keys, are generated to encrypt each individual email or file. When encrypted content is sent or uploaded, the creating Virtru client uploads Access Control Keys and policies to the Virtru ACM via a Transport Layer Security (TLS) connection.
The Virtru ACM Server is a SaaS service that mediates access to protected content. The ACM distributes encryption keys to authorized parties, enforces access control policies, and communicates with federated identity services to authenticate users. The ACM also surfaces management interfaces to end users and administrators.