Virtru offers several key management solutions and approaches to ensure you maintain control, confidentiality, and compliance wherever your data goes – including the ability to host your own keys to meet data sovereignty and residency needs.
Virtru enables you to achieve complete data control, at scale, while still using the cloud-native productivity apps you love. Virtru handles the heavy lifting of policy enforcement and key exchange, so your team can focus on getting their jobs done.
Organizations want control of their data, including the encryption keys guarding that data. However, most cloud-managed, bring your own key (BYOK) approaches cannot deliver on Zero Trust, as they require you to trust a third-party vendor with access to your keys and plain text content.
Virtru is different. We ensure you maintain exclusive access to secure your data by removing third-party trust concerns. We use a distributed architecture and unique symmetric keys for every email and file, offering heightened security at scale and shielding your data from cloud providers like Microsoft and Google.
The Virtru Private Keystore adds an additional layer of protection that lets you directly host your encryption keys. We also integrate with hardware security modules (HSMs) for the highest levels of confidentiality and control. And we are a key management partner for Google Workspace Client-side encryption. Virtru positions your organization to meet or exceed the most stringent compliance requirements, including CMMC, DFARS, CJIS, ITAR, and EAR.
/webpage%20-%20enterprise%20key%20management/23-ArchitectureCharts_Overview%20copy%2014.webp)
You can be up and running in minutes with our fully hosted key management option. Virtru Access Control Manager (ACM) provides a front-end layer that authenticates requests for keys and ensures sensitive content is only accessed by authorized parties.
A unique AES 256-bit symmetric data key is created on the client to protect each email and file, then delivered via a secure TLS-protected channel to Virtru ACM.
/webpage%20-%20enterprise%20key%20management/23-ArchitectureCharts_Overview%20copy%2015.webp)
Choose this option to have ultimate control over who can access your data to meet requirements for CJIS, ITAR, data sovereignty, and more. Prevent third parties from accessing your data with the Virtru Private Keystore, which allows you to host your own encryption keys. The Virtru Private Keystore uses asymmetric encryption on top of Virtru’s native end-to-end encryption while aligning with your existing infrastructure for enterprise scale implementations.
When you encrypt an email, a message key is generated, which is then encrypted with a public key. The Virtru Access Control Manager (ACM) manages and authenticates key exchanges but cannot access your data at any time. Virtru then hosts a private key that is needed to decrypt the public key and unwrap the message key. This private key never leaves your environment which meets the data protection and compliance you want. You can host your private key on your premises, in your private cloud, or on any public cloud service.
/webpage%20-%20enterprise%20key%20management/23-ArchitectureCharts_Overview%20copy%2016.webp)
Use your existing Hardware Security Module (HSM) infrastructure and key management processes. In this deployment option, your private encryption keys are stored in your HSM and the Virtru Customer Key Server (CKS) only brokers encryption and decryption requests with the Virtru platform.
This method leverages PKCS (Public Key Cryptographic Standard) #11 and KMIP protocols, allowing integration with a variety of HSM manufacturers.
/webpage%20-%20enterprise%20key%20management/23-ArchitectureCharts_Overview%20copy%2017.webp)
Virtru is an authorized Google Workspace Client-side encryption (CSE) partner to prevent unauthorized or third-party (including Google) access to your data. Our encryption key management supports heightened privacy in Docs, Sheets, Slides, and the Google Drive File Stream desktop app, as well as encrypted calls (media stream) and video messages in Google Meet.
Virtru is the only Google CSE key manager that allows you to enforce access control using labels in Google Drive.
Once your browser client encrypts the content with Google Client-side encryption, those keys are then wrapped with an additional key that’s provided by Virtru. These Key Encryption Keys (KEKs) and their associated access control policies are managed by Virtru to determine who can and cannot access your data. This keeps your cloud data private, even from Google, since they won’t have the keys to decrypt your data. Virtru cannot access your protected data at any time.
You can be up and running in minutes with our fully hosted key management option. Virtru Access Control Manager (ACM) provides a front-end layer that authenticates requests for keys and ensures sensitive content is only accessed by authorized parties.
A unique AES 256-bit symmetric data key is created on the client to protect each email and file, then delivered via a secure TLS-protected channel to Virtru ACM.
Choose this option to have ultimate control over who can access your data to meet requirements for CJIS, ITAR, data sovereignty, and more. Prevent third parties from accessing your data with the Virtru Private Keystore, which allows you to host your own encryption keys. The Virtru Private Keystore uses asymmetric encryption on top of Virtru’s native end-to-end encryption while aligning with your existing infrastructure for enterprise scale implementations.
When you encrypt an email, a message key is generated, which is then encrypted with a public key. The Virtru Access Control Manager (ACM) manages and authenticates key exchanges but cannot access your data at any time. Virtru then hosts a private key that is needed to decrypt the public key and unwrap the message key. This private key never leaves your environment which meets the data protection and compliance you want. You can host your private key on your premises, in your private cloud, or on any public cloud service.
Use your existing Hardware Security Module (HSM) infrastructure and key management processes. In this deployment option, your private encryption keys are stored in your HSM and the Virtru Customer Key Server (CKS) only brokers encryption and decryption requests with the Virtru platform.
This method leverages PKCS (Public Key Cryptographic Standard) #11 and KMIP protocols, allowing integration with a variety of HSM manufacturers.
Virtru is an authorized Google Workspace Client-side encryption (CSE) partner to prevent unauthorized or third-party (including Google) access to your data. Our encryption key management supports heightened privacy in Docs, Sheets, Slides, and the Google Drive File Stream desktop app, as well as encrypted calls (media stream) and video messages in Google Meet.
Virtru is the only Google CSE key manager that allows you to enforce access control using labels in Google Drive.
Once your browser client encrypts the content with Google Client-side encryption, those keys are then wrapped with an additional key that’s provided by Virtru. These Key Encryption Keys (KEKs) and their associated access control policies are managed by Virtru to determine who can and cannot access your data. This keeps your cloud data private, even from Google, since they won’t have the keys to decrypt your data. Virtru cannot access your protected data at any time.
"The Virtru Private Keystore is super seamless. Everything is running smoothly. From a customer standpoint, it really makes a difference: They now feel that they're much more in control and that Google will not be able to access their data.”
Benjamin Chino
Co-Founder and CPO
Expert insights on key management and data sovereignty
