Virtru Encryption as a Service (EaaS)


Virtru is the first data-centric content encryption solution that doesn't compromise on security or usability. Our unique approach allows for ease of use, widespread adoption and pervasive protection.

A Fresh Approach to a Complex Challenge



Pervasive Protection

Protect all content types from the time of creation.

Easy Sharing

Share content with anyone inside or outside the enterprise, without the need for complicated key exchange or other technical complexity.

Transparent Integration

Integrate easily with existing applications and workflows, adding security without hampering user productivity.

Data Centric Security Powered by the TDF

The Virtru EaaS Architecture leverages the open Trusted Data Format (TDF) standard. When you encrypt with Virtru, your content is wrapped in a secure TDF envelope on your device. Only authorized parties can open the envelope to decrypt and access your content.

Virtru EaaS Functional Architecture

The Virtru EaaS Architecture is broadly composed of three components illustrated in the figure below: content creators, the Virtru EaaS Server, and authorized content consumers.



On the client side, Virtru encryption libraries enable applications to encrypt and decrypt content. These libraries communicate with the Virtru EaaS server APIs that centralize content access control.

The cloud-based Virtru EaaS server provides the core functions of key, identity, and access management. It contains the following modules:


Key Manager: Enables access to the encryption and decryption keys by authorized users.

Access Manager: Allows content owners to assert, manage, and revoke who has access to sensitive material and for how long.

Identity Management: Authenticates and verifies content consumers using either federated identity services (e.g., OAuth) or email confirmations.

Admin Controls: Provides dashboards for users and administrators to easily manage encryption keys and set centralized data loss prevention policies.

EaaS APIs: Enable Virtru-enabled applications to communicate with the EaaS Server.


To streamline identity management, Virtru leverages existing identity providers such as OAuth, OpenID, and SAML. This allows content creators and consumers to authenticate using existing online identities, with no need to establish new accounts or credentials.

A 5 Step Example

The following steps outline a worked example of the high-level architecture used to achieve EaaS for a Virtru-supported email service. The numbers indicate the five main steps in the process.

Step 1

Content Encryption. The sender places content into a Virtru-enabled email client and indicates that the content should be protected. When the sender attempts to send the email, the email client encrypts the content. In order to perform this encryption, the email client generates a new secret key specifically for protecting the content; the recipient must have this key to decrypt the content. The email client also creates a security policy for this content, which defines, through metadata assertions, any access control restrictions on recipient behavior (for example, when the content should expire, if ever).

Step 2

Content Distribution and Access Control Management. The sender’s email client takes care of distributing the content, such as sending an encrypted email message to the appropriate local mail server for processing. At the same time, the sender’s email client also handles access control management. This involves transferring the content’s secret key and the associated security policy to a Virtru EaaS server for storage until needed.

Step 3

User Authentication. When the recipient attempts to access the protected content through the recipient’s Virtru-enabled email client, this triggers a three-party user authentication session between the email client, the Virtru EaaS server, and the third-party Identity Provider service holding the recipient’s user credentials. All three major federated identity protocols – OAuth, OpenID, and the Security Assertion Markup Language (SAML) – are supported by Virtru for user authentication. Because the Virtru-enabled application coordinates all the communications between the EaaS server and the identity provider service, Virtru servers never have access to the user’s authentication credentials.

Step 4

Key and Contract Distribution. If user authentication is successful, the Virtru EaaS server provides the protected content key and security contract to the recipient’s Virtru-enabled email client.

Step 5

Content Decryption. If the terms of the security contract are met, such as the content not having already been expired by the sender, the recipient’s email client uses the key to decrypt the protected content, making it available to the authorized recipient.
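The five steps above can be traced in a short Node.js sketch. This is an added illustration, not Virtru's SDK or API: KeyServer, protect and unwrap are hypothetical names, the server is an in-memory stand-in, and the identity string stands for the address an identity provider has already asserted. It assumes AES-256-GCM for content encryption and checks the policy on the server before releasing the key.

```javascript
const nodeCrypto = require("node:crypto");

// Hypothetical in-memory stand-in for the EaaS Key Manager and Access Manager.
class KeyServer {
  constructor() { this.records = new Map(); }
  // Step 2: the sender's client deposits the content key and its policy.
  store(id, key, policy) { this.records.set(id, { key, policy }); }
  // The content owner can withdraw access after the message has been delivered.
  revoke(id) { this.records.get(id).policy.revoked = true; }
  // Step 4: release the key only if the authenticated identity satisfies the policy.
  release(id, identity, now = Date.now()) {
    const rec = this.records.get(id);
    if (!rec) throw new Error("unknown content");
    const p = rec.policy;
    if (!p.recipients.includes(identity)) throw new Error("not authorized");
    if (p.revoked) throw new Error("revoked");
    if (p.expiresAt !== null && now >= p.expiresAt) throw new Error("expired");
    return { key: rec.key, policy: p };
  }
}

// Step 1: fresh per-content key, client-side encryption, policy as metadata.
function protect(server, plaintext, recipients, expiresAt = null) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const id = nodeCrypto.randomUUID();
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(id)); // bind the ciphertext to its policy record
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  server.store(id, key, { recipients, expiresAt, revoked: false });
  // The envelope travels by mail and never contains the key.
  return { id, iv, body, tag: cipher.getAuthTag() };
}

// Steps 3-5: `identity` is what the identity provider asserted for the recipient.
function unwrap(server, env, identity, now = Date.now()) {
  const { key } = server.release(env.id, identity, now);
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, env.iv);
  d.setAAD(Buffer.from(env.id));
  d.setAuthTag(env.tag);
  // final() throws if the body, tag or content id was altered in transit.
  return Buffer.concat([d.update(env.body), d.final()]).toString("utf8");
}
```

Because the key lives only on the server, revoking or expiring the policy cuts off access to copies of the envelope that have already left the sender's control.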

Looking to Dig Deeper? Download our White Paper

Client-Side Data Security with Virtru Encryption as a Service (EaaS).
