The Virtru Trusted Data Platform infrastructure enables Virtru and third-party developers to embed end-to-end encryption, granular access controls, and key management capabilities into applications and workflows to prevent unauthorized access and ensure data privacy.
Virtru's products are built on the Trusted Data Format (TDF), an open specification used by thousands of organizations, including the U.S. Intelligence Community. TDF enables secure sharing of any type of data, across any cloud environment or device, with platform-agnostic encryption and persistent access controls that ensure data privacy.
Virtru integrates directly with the applications your teams already use every day, including Google Workspace (Gmail, Google Drive, and other productivity apps) and Microsoft 365. As a result, everyday users can easily encrypt sensitive data with a single click, without ever leaving their daily workflow. Virtru also supports encryption workflows for Salesforce, Zendesk, Workday, and dozens of other SaaS apps.
Data-centric protection for email and files created at the endpoint, embedded in prominent productivity tools:
Virtru for Microsoft Outlook – Virtru’s email protection solution for messages and attachments, delivered as an add-on for the Outlook desktop application.
Virtru for Gmail – Virtru’s email protection solution for messages and attachments sent from Gmail, embedded in the native Gmail interface via a browser extension.
Virtru for Google Drive – Virtru’s file protection solution for files stored in and shared via Google Drive, integrated into end users’ existing workflow via a browser extension.
Customer-hosted, “hold-your-own” key management option that lets organizations host and manage their own encryption keys, with support for hardware security modules (HSMs) for the highest levels of confidentiality and control.
Server-level appliance that automatically applies Virtru’s data-centric protection and access controls to email and files shared by unprotected endpoints and applications (e.g. custom internal applications or enterprise SaaS applications), and allows integration with security scanning tools and other mail-flow complexities.
Toolkits that give developers access to the Virtru Platform so that they can independently embed data-centric protection and control features into their applications and workflows. Currently available for client-side JavaScript, Node.js, C++, and Python.
Centralized administration panel that offers visibility of all protected data, access, and sharing activity, along with user and group management, email content rule configuration for Data Loss Prevention, and other organization settings.
Support for export and integration of Virtru event logs, including all protection, access, control, and administrative activity, with SIEM tools and SOC operations for behavior monitoring, incident detection and remediation, forensic analysis, and compliance management.
Secure web-based browser application that enables seamless access to protected messages and files for external recipients and collaborators.
Core component of Virtru’s SaaS-based key management infrastructure that lets organizations set, enforce, and manage policies to protect and control access to their data. The Virtru ACM hosts encryption keys, manages associated policies and entity attributes, and brokers authentication and authorization workflows using federated identities to mediate access to encryption keys and protected content.
Open standard for object-level encryption that binds encrypted data to policies and metadata to ensure only authorized users can access protected data.
The OpenTDF project is an open source reference implementation of the Trusted Data Format (TDF) specification that enables developers to protect data flowing in and out of their applications.
Virtru employs a split knowledge architecture that stores encrypted content separately from the encryption keys protecting it, supporting a Zero Trust framework, where all system components are continuously authenticated, verified, and authorized.
Only authorized entities can access unencrypted content. Virtru can never access unencrypted content or decrypt user content outside of customer-controlled Virtru clients: when we hold the keys, we cannot access the content, and when we hold the encrypted content, we cannot access the keys needed to decrypt it.
The Virtru system consists of four components: Virtru client libraries that sit on the content creator’s device (typically a browser extension or plug-in), the Virtru Access Control Management (ACM) Server that provides key management and mediates policies, object stores that hold encrypted content, and receiving clients.
When a user enables Virtru protection, all encryption activities occur on Virtru-enabled clients using client-generated AES 256-bit symmetric encryption keys. A separate object encryption key, called an Access Control Key, is generated to encrypt each individual email or file. When encrypted content is sent or uploaded, the creating Virtru client uploads the Access Control Keys and policies to the Virtru ACM via a Transport Layer Security (TLS) connection.
The Virtru ACM Server is a SaaS service that mediates access to protected content. The ACM distributes encryption keys to authorized parties, enforces access control policies, and communicates with federated identity services to authenticate users. The ACM also surfaces management interfaces to end users and administrators.
Object stores, such as Google Drive and Amazon Web Services (AWS), or email servers, such as Google and Microsoft Exchange, store encrypted content. The Virtru Zero Trust Architecture ensures separation of keys and content at all times. In instances when Virtru has the keys, it cannot access the content. In instances when Virtru services have the content, Virtru does not have access to the keys. Because either the encryption keys or the encrypted content is always outside their reach, Virtru services cannot decrypt content.
Virtru allows authorized parties to receive and decrypt protected content without installing Virtru’s software. To access protected content, recipients must authenticate with the Virtru ACM. To do this, they use their existing email credentials, rather than having to establish new usernames or passwords. The ACM supports Federated Authentication via OAuth, SAML, and OpenID. The ACM grants Access Control Keys to authorized parties once they have authenticated. These keys are then used to decrypt content on the recipient’s device.
When using Virtru to protect files hosted in cloud service object stores, such as Google Drive, the content creator’s client encrypts files using a browser extension or other Virtru-enabled clients. Virtru clients generate a separate AES 256-bit Access Control Key to encrypt each file. Access control policies may also be applied at this time, either manually by the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.
Once the content is encrypted, it is uploaded via TLS to the cloud service object store. The object-level Access Control Key and access control policy are uploaded to the Virtru ACM Server at the same time, again via TLS.
The content and Access Control Key remain in separately-controlled systems until a content consumer requests access to the encrypted file. The Virtru Zero Trust Architecture ensures that Virtru services never have access to the cloud object store. After authenticating, the content consumer receives access to the decryption key required to view the unencrypted content on any device.
When using Virtru to secure emails, all messages and attachments are encrypted with AES 256-bit Access Control Keys on the content creator’s client via a browser extension, Microsoft Outlook plug-in, mobile app, or other Virtru-enabled client. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.
Once email bodies are encrypted, they are sent via TLS to the email server that will eventually deliver this content to authorized recipients. Cloud providers, such as Google and Microsoft, cannot access unencrypted content or decrypt content on their servers because they do not have access to the keys stored in the Virtru ACM. To allow recipients to read emails without installing Virtru’s software, Virtru utilizes an external object store, such as Amazon S3, to surface encrypted emails.
The sending Virtru client creates a copy of the encrypted email and any file attachments, re-encrypts them with a separate key, known as a Split Knowledge Key, and sends the re-encrypted content to the designated object store. The Split Knowledge Key is stored inside the email, which is eventually delivered to the sender’s specified recipients. Virtru services do not have access to the sender’s or the recipient’s email servers, ensuring that encrypted content stored in the external object store cannot be decrypted outside of a Virtru client.
For each object, such as the individual email bodies and attachments, an individual Access Control Key is created and sent to the Virtru ACM. The content and key remain separate until a content consumer requests access to the encrypted email content. After authenticating, the content consumer receives access to both the Access Control Key (from the ACM) and the Split Knowledge Key (from the receiving email server). The Split Knowledge Key decrypts the Access Control Key, which decrypts the original email content.
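The file flow and the email flow above both rest on the same idea: the ciphertext, the Access Control Key, and (for email) the Split Knowledge Key sit with separately controlled holders, so no single party can decrypt. The following is an added illustration in Go, not Virtru's or OpenTDF's code; it assumes AES-256-GCM as the object cipher, models the last sentence above by wrapping the Access Control Key with the Split Knowledge Key, and uses constructed function names and a constructed sample message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// randBytes returns n cryptographically random bytes (32 = one AES-256 key).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcm returns an AES-256-GCM AEAD; keys are always 32 bytes here, so the ignored errors cannot occur.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
// seal encrypts under a fresh random nonce and prepends it to the ciphertext.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; GCM authentication fails on a wrong key or tampering.
func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}
// protect models the sending client (illustration only, not Virtru's code): a
// per-object Access Control Key encrypts the body and a Split Knowledge Key wraps
// it; the three shares go to the object store, the ACM, and the email itself.
func protect(body []byte) (objectStore, acm, email []byte) {
	ack, skk := randBytes(32), randBytes(32)
	return seal(ack, body), seal(skk, ack), skk
}
// unprotect models the receiving client after authenticating to the ACM: unwrap
// the Access Control Key with the emailed share, then decrypt the body.
func unprotect(objectStore, acm, email []byte) ([]byte, error) {
	ack, err := open(email, acm)
	if err != nil {
		return nil, err
	}
	return open(ack, objectStore)
}
```

Holding the ACM share and the object store share together, as Virtru's services would, is not enough: without the emailed Split Knowledge Key the first unwrap fails GCM authentication, and the emailed key alone cannot open the stored ciphertext.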