Virtru Architecture Overview
Toggle the buttons below to see how the Virtru architecture protects different types of data.
The Virtru Zero Trust Architecture uses a split-knowledge approach to content protection. Content and encryption keys are stored separately, so that only authorized parties can access unencrypted content. This architecture ensures that Virtru can never access unencrypted content or decrypt user content outside of customer-controlled Virtru clients. Only recipients authorized by the content creator can access and decrypt protected content.
The Virtru system consists of four components: Virtru client libraries that sit on the content creator’s device (typically a browser extension or plug-in), the Virtru Access Control Management (ACM) Server that provides key management and mediates policies, object stores that hold encrypted content, and receiving clients.
When a user enables Virtru protection, all encryption activities occur on Virtru-enabled clients using client-generated AES-256 bit symmetric encryption keys. Separate object encryption keys, called Access Control Keys, are generated to encrypt each individual email or file. When encrypted content is sent or uploaded, the creating Virtru client uploads Access Control Keys and policies to the Virtru ACM via a Transport Layer Security (TLS) connection.
The Virtru ACM Server is a SaaS service that mediates access to protected content. The ACM distributes encryption keys to authorized parties, enforces access control policies, and communicates with federated identity services to authenticate users. The ACM also surfaces management interfaces to end users and administrators.
Object stores, such as Google Drive and Amazon Web Services (AWS), or email servers, such as Google and Microsoft Exchange, store encrypted content. The Virtru Zero Trust Architecture ensures separation of keys and content at all times. In instances when Virtru has the keys, it cannot access the content. In instances when Virtru services have the content, Virtru does not have access to the keys. Virtru services do not have the ability to decrypt content by separating either the encryption keys or the encrypted content.
Virtru allows authorized parties to receive and decrypt protected content without installing Virtru’s software. To access protected content, recipients must authenticate with the Virtru ACM. To do this, they use their existing email credentials, rather than having to establish new usernames or passwords. The ACM supports Federated Authentication via OAuth, SAML, and OpenID. The ACM grants Access Control Keys to authorized parties once they have authenticated. These keys are then used to decrypt content on the recipient’s device.
When using Virtru to protect files hosted in cloud service object stores, such as Google Drive, the content creator’s client encrypts files using a browser extension or other Virtru-enabled clients. Virtru clients generate separate AES-256 bit Access Control Keys to encrypt each file. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.
Once the content is encrypted, it is uploaded via TLS to the cloud service object store. An object level Access Control Key and Access Control policy are also uploaded to the Virtru ACM Server at this time, again via TLS.
The content and Access Control Key remain in separately-controlled systems until a content consumer requests access to the encrypted file. The Virtru Zero Trust Architecture ensures that Virtru services never have access to the cloud object store. After authenticating, the content consumer receives access to the decryption key required to view the unencrypted content on any device.
When using Virtru to secure emails, all messages and attachments are encrypted with AES 256-bit Access Control Keys on the content creator’s client via a browser extension, Microsoft Outlook plug-in, mobile app, or other Virtru-enabled client. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.
Once email bodies are encrypted, they are sent via TLS to the email server that will eventually deliver this content to authorized recipients. Cloud providers, such as Google and Microsoft, cannot access unencrypted content or decrypt content on their servers because they do not have access to the keys stored in the Virtru ACM. To allow recipients to read emails without installing Virtru’s software, Virtru utilizes an external object store, such as Amazon S3, to surface encrypted emails.
The sending Virtru client creates a copy of the encrypted email and any file attachments, re-encrypts them with a separate key, known as a Split Knowledge Key, and sends the re-encrypted content to the designated object store. The Split Knowledge Key is stored inside the email, which is eventually delivered to the sender’s specified recipients. Virtru services do not have access to the sender’s or the recipient’s email servers, ensuring that encrypted content stored in the external object store cannot be decrypted outside of a Virtru client.
For each object, such as the individual email bodies and attachments, an individual Access Control Key is created and sent to the Virtru ACM. The content and key remain separate until a content consumer requests access to the encrypted email content. After authenticating, the content consumer receives access to both the Access Control Key (from the ACM) and the Split Knowledge Key (from the receiving email server). The Split Knowledge Key decrypts the Access Control Key, which decrypts the original email content.
The Trusted Data Format (TDF) is an open source data protection standard invented by Virtru Co-Founder, Will Ackerly. Designed to protect the most sensitive data shared between U.S. intelligence agencies, the TDF is now available for anyone to use to protect the privacy of their emails and other stored data.
When combined with Virtru’s powerful key management and access control systems, the TDF provides persistent protection and granular control for emails, files, and other data types. You can learn more about the TDF on our blog.
Virtru ACM Overview
The Virtru Access Control Management (ACM) Server is the central control system for managing user access to content. The primary role of the ACM is to ensure that only authorized parties can access content protected by Virtru clients. It stores and mediates access to Access Control Keys, manages policies, and authenticates users via either federated identity services or an email verification path.
The ACM mediates several different types of policies, such as:
- Encryption key ownership
- Encryption key access
- Current access state (active or revoked)
- Access expiration
- Authorization to add others to the policy (disable forwarding)
- Content protection settings (watermarking, download disablement)
The ACM also provides administrative functions, such as the configuration of data loss prevention (DLP) policies, and serves dashboards to manage users and track content access.