
Encryption Key Management

Virtru offers several key management solutions and approaches to ensure you maintain control, confidentiality, and compliance wherever your data goes – including the ability to host your own keys to meet data sovereignty and residency needs.

Zero Trust Key Management, Tailored for Enterprise Privacy and Compliance

Organizations want control of their data, including the encryption keys guarding that data. However, most cloud-managed, bring your own key (BYOK) approaches cannot deliver on Zero Trust, as they require you to trust a third-party vendor with access to your keys and plaintext content.

Virtru is different. We ensure you maintain exclusive access to secure your data by removing third-party trust concerns. We use a distributed architecture and unique symmetric keys for every email and file, offering heightened security at scale.

Our Virtru Customer Key Server (CKS) solution adds a layer of protection that lets you directly host your encryption keys. We also integrate with hardware security modules (HSMs) for the highest levels of confidentiality and control. We are also a key management partner for Google Workspace Client-side encryption and an external key manager for Google Cloud. Virtru positions your organization to meet or exceed the most stringent compliance requirements, including CJIS, ITAR, and EAR.


Trusted Key Management for Maximum Privacy

Protect your data across cloud environments, ecosystems, and workflows so it stays secure no matter where it lives, where it travels, or who it’s shared with.


True Privacy

Virtru cannot access your protected data at any time, whether you choose to host your own keys or use our hosted key management option.


Complete Control

Distributed architecture with dual layers of protection gives you total control over who can access the keys securing your most sensitive data.


Adaptability and Scale

We leverage Docker containers and your existing key management infrastructure to support enterprise-scale deployments with low maintenance.

Flexible, Layered Encryption Key Options

Select one of our encryption key management options, based on your security and data protection requirements and aligned with your existing key management processes.


Fully Hosted

You can be up and running in minutes with our fully hosted key management option. Virtru Access Control Manager (ACM) provides a front-end layer that authenticates requests for keys and ensures sensitive content is only accessed by authorized parties. Virtru ACM is hosted in AWS to ensure maximum performance and availability.

A unique AES 256-bit symmetric data key is created on the client to protect each email and file, then delivered via a secure TLS-protected channel to Virtru ACM. The Amazon Key Management Service (KMS) protects the symmetric data keys with an additional layer of symmetric encryption that is protected by a set of AWS-managed HSMs.



Customer Managed

Choose this option to have ultimate control over who can access your data to meet requirements for CJIS, ITAR, data sovereignty, and more. Prevent third parties from accessing your data with the Virtru Customer Key Server (CKS), which allows you to host your own encryption keys. Our CKS uses asymmetric encryption on top of Virtru’s native end-to-end encryption while aligning with your existing infrastructure for enterprise-scale implementations.

When you encrypt an email, a message key is generated and then encrypted with a public key. The Virtru Access Control Manager (ACM) manages and authenticates key exchanges but cannot access your data at any time. The CKS hosts the private key that is needed to reverse that public-key encryption and unwrap the message key. This CKS private key never leaves your environment, which meets the data protection and compliance requirements you have. You can host your private key on your premises, in your private cloud, or on any public cloud service.
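The Customer Managed flow above, modelled in Node.js as an added example; it is not Virtru's code. Assumptions: RSA-OAEP for wrapping, AES-256-GCM for the message, and a rewrap step to the recipient's public key so the access layer only ever handles wrapped keys. All function names and the sample addresses are hypothetical.

```javascript
// Added illustration, not Virtru code; algorithms and names are assumptions.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const wrap = (pub, key) => crypto.publicEncrypt({ key: pub, ...OAEP }, key);
const unwrap = (priv, blob) => crypto.privateDecrypt({ key: priv, ...OAEP }, blob);
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Key server (customer environment): the private key never leaves this closure.
function newKeyServer() {
  const { publicKey, privateKey } = newKeyPair();
  const rewrap = (wrapped, recipientPub) => wrap(recipientPub, unwrap(privateKey, wrapped));
  return { publicKey, rewrap };
}

// Sender client: fresh 256-bit key per message, wrapped before it leaves the client.
function protectMessage(plaintext, serverPub) {
  const messageKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', messageKey, iv);
  const ciphertext = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { envelope: { iv, ciphertext, tag: c.getAuthTag() }, wrappedKey: wrap(serverPub, messageKey) };
}

// Access layer: stores wrapped keys plus a recipient list; sees no plaintext key.
function newAccessManager(keyServer) {
  const records = new Map();
  return {
    register: (id, wrappedKey, recipients) => records.set(id, { wrappedKey, recipients }),
    release(id, requester, requesterPub) { // requester identity check is a stand-in
      const rec = records.get(id);
      if (!rec || !rec.recipients.includes(requester)) throw new Error('access denied');
      return keyServer.rewrap(rec.wrappedKey, requesterPub);
    },
  };
}

// Recipient client: unwraps the released key; GCM rejects a tampered envelope.
function openMessage({ iv, ciphertext, tag }, rewrappedKey, recipientPriv) {
  const d = crypto.createDecipheriv('aes-256-gcm', unwrap(recipientPriv, rewrappedKey), iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ciphertext), d.final()]).toString('utf8');
}

// Constructed end-to-end run with sample data.
function demo() {
  const cks = newKeyServer(), acm = newAccessManager(cks), bob = newKeyPair();
  const { envelope, wrappedKey } = protectMessage('quarterly figures', cks.publicKey);
  acm.register('msg-1', wrappedKey, ['bob@example.com']);
  return openMessage(envelope, acm.release('msg-1', 'bob@example.com', bob.publicKey), bob.privateKey);
}
```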

Learn more: Virtru Customer Key Server



HSM Integration

Use your existing Hardware Security Module (HSM) infrastructure and key management processes. In this deployment option, your private encryption keys are stored in your HSM and the Virtru Customer Key Server (CKS) only brokers encryption and decryption requests with the Virtru platform.

This method leverages the PKCS #11 (Public-Key Cryptography Standards #11) and KMIP protocols, allowing integration with a variety of HSM manufacturers.

Supported HSM Integrations:

Atos, SafeNet, Thales


Google Workspace

Virtru is a recommended Google Workspace Client-side encryption (CSE) partner to prevent unauthorized or third-party (including Google) access to your data. Our encryption key management supports heightened privacy in Docs, Sheets, Slides, and the Google Drive File Stream desktop app, as well as encrypted calls (media stream) and video messages in Google Meet.

Once your browser client encrypts the content with Google Client-side encryption, those keys are then wrapped with an additional key that’s provided by Virtru. These Key Encryption Keys (KEKs) and their associated access control policies are managed by Virtru to determine who can and cannot access your data. This keeps your cloud data private, even from Google, since they won’t have the keys to decrypt your data. Virtru cannot access your protected data at any time.


Google Cloud

Apply your own encryption keys to Google Cloud Platform (GCP) services (including BigQuery and Compute Engine) to encrypt your data in the cloud and ensure true privacy with no unauthorized or third-party access, including by Google and Virtru. Safeguard data lakes, databases, and information that flows through Google’s cloud computing and AI capabilities to ensure protection for Google users and system data wherever it travels — across infrastructures, cloud networks, and ecosystems.

Whether you’re using BigQuery or managing your own customers’ data in Google Cloud, Virtru helps you protect data as an external key manager (EKM) provider.

“…the most important aspect of encryption is good key management, including customer control of the keys.”

Staying Secured in the Cloud is a Shared Responsibility. Steve Riley, April 2016


More than 7,000 organizations trust Virtru for data security and privacy protection.

