Explore Our Architecture
Data-centric protection for email and files created at the endpoint, embedded in prominent productivity tools:
Virtru for Google Drive – Virtru’s file protection solution for files stored in and shared via Google Drive. Seamlessly integrated into end users’ existing workflow via a browser extension.
Virtru for Gmail – Virtru’s email protection solution for messages and attachments sent from Gmail. Embedded in the native Gmail interface via a browser extension for seamless protection.
Virtru for Microsoft Outlook – Virtru’s email protection solution for messages and attachments, delivered as an add-on for the Outlook desktop application.
Server-level appliance that automatically applies Virtru’s data-centric protection and access controls to email and files shared by unprotected endpoints and applications (e.g. custom internal applications or enterprise SaaS applications) and allows integration with security scanning tools and other mail-flow complexities.
Centralized administration panel that offers visibility of all protected data, access, and sharing activity, along with users and groups management, email content rule configuration for Data Loss Prevention, and other organization settings.
Audit Export API
Support for export and integration of Virtru event logs, including all protection, access, control, and administrative activity, with SIEM tools and SOC operations for behavior monitoring, incident detection and remediation, forensic analysis, and compliance management.
Access Control Manager (ACM)
Core component of Virtru’s SaaS-based key management infrastructure that lets organizations set, enforce, and manage policies to protect and control access to their data. The Virtru ACM hosts encryption keys, manages associated policies and entity attributes, and brokers authentication and authorization workflows using federated identities to mediate access to encryption keys and protected content.
Split Knowledge Architecture to Support Zero Trust
Virtru employs a split knowledge architecture that stores encrypted content separately from the encryption keys protecting it, supporting a Zero Trust framework, where all system components are continuously authenticated, verified, and authorized.
Only authorized entities can access unencrypted content. Virtru can never access unencrypted content or decrypt user content outside of customer-controlled Virtru clients: when we have the keys, we cannot access the content, and when we have the encrypted content, we can’t access the keys to decrypt and access it.
The Virtru system consists of four components: Virtru client libraries that sit on the content creator’s device (typically a browser extension or plug-in), the Virtru Access Control Management (ACM) Server that provides key management and mediates policies, object stores that hold encrypted content, and receiving clients.
When a user enables Virtru protection, all encryption activities occur on Virtru-enabled clients using client-generated AES 256-bit symmetric encryption keys. Separate object encryption keys, called Access Control Keys, are generated to encrypt each individual email or file. When encrypted content is sent or uploaded, the creating Virtru client uploads the Access Control Keys and policies to the Virtru ACM via a Transport Layer Security (TLS) connection.
The Virtru ACM Server is a SaaS service that mediates access to protected content. The ACM distributes encryption keys to authorized parties, enforces access control policies, and communicates with federated identity services to authenticate users. The ACM also surfaces management interfaces to end users and administrators.
Object stores, such as Google Drive and Amazon Web Services (AWS), or email servers, such as Google and Microsoft Exchange, store encrypted content. The Virtru Zero Trust Architecture ensures separation of keys and content at all times. In instances when Virtru has the keys, it cannot access the content. In instances when Virtru services have the content, Virtru does not have access to the keys. Because Virtru services hold either the encryption keys or the encrypted content, never both, they do not have the ability to decrypt content.
Virtru allows authorized parties to receive and decrypt protected content without installing Virtru’s software. To access protected content, recipients must authenticate with the Virtru ACM. To do this, they use their existing email credentials, rather than having to establish new usernames or passwords. The ACM supports Federated Authentication via OAuth, SAML, and OpenID. The ACM grants Access Control Keys to authorized parties once they have authenticated. These keys are then used to decrypt content on the recipient’s device.
When using Virtru to protect files hosted in cloud service object stores, such as Google Drive, the content creator’s client encrypts files using a browser extension or other Virtru-enabled clients. Virtru clients generate separate AES 256-bit Access Control Keys to encrypt each file. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.
Once the content is encrypted, it is uploaded via TLS to the cloud service object store. An object level Access Control Key and Access Control policy are also uploaded to the Virtru ACM Server at this time, again via TLS.
The content and Access Control Key remain in separately controlled systems until a content consumer requests access to the encrypted file. The Virtru Zero Trust Architecture ensures that Virtru services never have access to the cloud object store. After authenticating, the content consumer receives access to the decryption key required to view the unencrypted content on any device.
When using Virtru to secure emails, all messages and attachments are encrypted with AES 256-bit Access Control Keys on the content creator’s client via a browser extension, Microsoft Outlook plug-in, mobile app, or other Virtru-enabled client. Access control policies may also be applied at this time, either manually via the user or automatically via Data Loss Prevention (DLP) rules that are preconfigured by administrators. Examples of access control policies include: authorizing a party’s access, setting expiration for this access, and enhancing content protection via PDF watermarking or download disablement.
Once email bodies are encrypted, they are sent via TLS to the email server that will eventually deliver this content to authorized recipients. Cloud providers, such as Google and Microsoft, cannot access unencrypted content or decrypt content on their servers because they do not have access to the keys stored in the Virtru ACM. To allow recipients to read emails without installing Virtru’s software, Virtru utilizes an external object store, such as Amazon S3, to surface encrypted emails.
The sending Virtru client creates a copy of the encrypted email and any file attachments, re-encrypts them with a separate key, known as a Split Knowledge Key, and sends the re-encrypted content to the designated object store. The Split Knowledge Key is stored inside the email, which is eventually delivered to the sender’s specified recipients. Virtru services do not have access to the sender’s or the recipient’s email servers, ensuring that encrypted content stored in the external object store cannot be decrypted outside of a Virtru client.
For each object, such as the individual email bodies and attachments, an individual Access Control Key is created and sent to the Virtru ACM. The content and key remain separate until a content consumer requests access to the encrypted email content. After authenticating, the content consumer receives access to both the Access Control Key (from the ACM) and the Split Knowledge Key (from the receiving email server). The Split Knowledge Key decrypts the Access Control Key, which decrypts the original email content.
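As an added illustration (not Virtru’s code and not derived from the Virtru SDKs), the following Go model shows the email flow from the paragraphs above, and the same key separation the file flow uses without the Split Knowledge Key wrap: a per-object Access Control Key encrypts the content, a Split Knowledge Key wraps that key for the ACM, and only a recipient holding the key from the email plus the ACM’s grant recovers the plaintext. The names (Holdings, Protect, Decrypt, seal, open) are assumptions, and it assumes Go 1.24 or newer, where crypto/rand.Read never returns an error.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal encrypts pt with AES-256-GCM under key and prepends the fresh 12-byte nonce.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // keys in this model are always 32 bytes
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // assumed Go 1.24+: crypto/rand.Read never returns an error
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it errors when the key is wrong or the ciphertext was altered.
func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Holdings models what each party stores once one email is protected (constructed model).
type Holdings struct {
	ObjectStore []byte // external object store: ciphertext only, no keys
	ACM         []byte // Access Control Key (ACK) wrapped under the Split Knowledge Key
	Email       []byte // Split Knowledge Key (SKK), carried inside the delivered email
}

// Protect is the sender side: a per-object ACK encrypts the content and an SKK wraps the ACK.
func Protect(content []byte) Holdings {
	ack, skk := make([]byte, 32), make([]byte, 32)
	rand.Read(ack)
	rand.Read(skk)
	return Holdings{ObjectStore: seal(ack, content), ACM: seal(skk, ack), Email: skk}
}

// Decrypt is the recipient side after ACM authentication: SKK unwraps ACK, ACK opens content.
func Decrypt(h Holdings) ([]byte, error) {
	ack, err := open(h.Email, h.ACM)
	if err != nil {
		return nil, err
	}
	return open(ack, h.ObjectStore)
}
```

No single holding in the model yields the plaintext: the object store has only ciphertext, the ACM has only a wrapped key, and the email carries a key that opens nothing on its own.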