What is the Virtru Customer Key Server (CKS)?
The Virtru CKS is a physical device or cloud server that you host entirely on your organization’s premises, on the container platform of your choice. The Virtru CKS adds asymmetric encryption to Virtru’s pure SaaS offering to give your organization complete and exclusive access to the keys encrypting your data.
When you encrypt an email under this model, your Virtru email generates a message key that is encrypted with a CKS public key. The CKS hosts the private key that pairs with this public key and is needed to unwrap the message key, but only you can access it, since the CKS is hosted on your organization’s premises. Virtru’s servers only store encrypted keys, so they never have access to decrypted message keys.
Receiving Virtru clients – either Virtru’s Secure Reader or an inbox that has a Virtru plugin installed – also have public/private key pairs. The CKS rewraps each message key with the receiving client’s public key before it is transmitted to Virtru’s servers and eventually to the receiving client itself. The receiving client, which sits on the recipient’s premises, contains the private key needed to unlock the rewrapped message key and finally decrypt the message.
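The wrap and rewrap flow described above, as an added Go sketch that is not Virtru's code. The page does not name the algorithms, so RSA-OAEP for key wrapping, AES-256-GCM for the message body, and the names `wrap`, `unwrap`, `rewrap`, `Flow` and `newKey` are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// must aborts this demo on an unexpected error; newKey makes a constructed key pair.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// wrap and unwrap use RSA-OAEP with SHA-256, an assumption of this sketch.
func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}
func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}

// rewrap runs only where the CKS private key lives: unwrap, then wrap for the client.
func rewrap(cks *rsa.PrivateKey, blob []byte, client *rsa.PublicKey) ([]byte, error) {
	key, err := unwrap(cks, blob)
	if err != nil {
		return nil, err
	}
	return wrap(client, key)
}

// Flow returns the client's plaintext and whether a non-CKS key opened the stored blob.
func Flow(cks, client, other *rsa.PrivateKey, msg string) (string, bool) {
	buf := make([]byte, 44) // fresh per-message key (32 bytes) and GCM nonce (12 bytes)
	must(rand.Read(buf))
	msgKey, nonce := buf[:32], buf[32:]
	body := must(cipher.NewGCM(must(aes.NewCipher(msgKey)))).Seal(nil, nonce, []byte(msg), nil)
	stored := must(wrap(&cks.PublicKey, msgKey)) // the only key material the hosted service holds
	_, err := unwrap(other, stored)              // a party without the CKS private key
	key := must(unwrap(client, must(rewrap(cks, stored, &client.PublicKey))))
	plain := must(must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, nonce, body, nil))
	return string(plain), err == nil
}
func main() { fmt.Println(Flow(newKey(), newKey(), newKey(), "constructed sample message")) }
```

The second return value stays `false`: holding the wrapped blob without the CKS private key yields no message key.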
You should consider the Virtru CKS if your organization is looking to:
- Enable easy-to-use client-side email encryption without having to trust third parties with encryption keys or unencrypted content.
- Ensure that you are the only entity that can respond to government access requests and subpoenas.
- Meet data residency requirements by specifying the locations where your encryption keys are stored.
- Comply with CJIS, ITAR, and other regulations.
In my Virtru email headers, I see a key icon and text that says “Identity Verified.” What does this mean?
This is the Customer Key Server (CKS) Indicator – a feature that enhances privacy and security around a CKS deployment. It confirms that the CKS is working to protect your messages and lets your colleagues distinguish internal messages that are encrypted by CKS from external messages that CKS didn’t protect. The “Identity Verified” header prevents email spoofing, in which attackers attempt to impersonate legitimate internal users by subtly altering email addresses.
Here’s an example scenario:
An attacker is attempting to impersonate Bob by using B0b@virtru.com (mimicking Bob@virtru.com) to manipulate other internal users into sharing sensitive content. With the CKS Indicator, the attacker’s email from B0b@virtru.com would not display the “Identity Verified” CKS indicator in the header. This tips off the targeted internal users – without the CKS indicator, they know something is amiss and can contact their IT security team to remediate. Emails from the legitimate Bob@virtru.com address would have the CKS indicator in the header to assure the internal recipient that it is safe to share sensitive content.