
Control 2.8: Encryption (Data in Transit and at Rest)

Control ID: 2.8
Pillar: Security & Protection
Regulatory Reference: GLBA 501(b), FFIEC, NYDFS Part 500
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Verify and enforce comprehensive encryption for all data processed by Microsoft 365 Copilot — including data in transit between client applications and Microsoft services, data at rest in Microsoft 365 storage, and data during AI processing. Financial institutions must confirm that encryption standards meet regulatory requirements (NYDFS Part 500, FFIEC guidelines) and understand the implications of customer-managed keys (CMK) and double key encryption (DKE) for Copilot functionality.


Why This Matters for FSI

  • GLBA 501(b) requires safeguards to protect customer information — encryption is a fundamental technical safeguard for data in transit and at rest
  • NYDFS Part 500 (Section 500.15) specifically requires encryption of nonpublic information (NPI) both in transit over external networks and at rest, based on risk assessment — Copilot data flows must meet these encryption requirements
  • FFIEC IT Examination Handbook (Information Security) expects strong encryption for sensitive data in transit and at rest — examiners will evaluate whether AI processing maintains encryption standards
  • OCC Bulletin 2001-47 and related guidance expects banks to maintain encryption standards for outsourced data processing — Copilot's cloud-based processing must meet these standards
  • PCI DSS (if applicable) requires encryption of cardholder data in transit and at rest — firms processing payment card data through M365 must verify Copilot does not weaken PCI compliance
  • SOX Section 404 internal controls should address encryption key management — key management practices for Copilot-accessible content affect SOX control assessments

Control Description

Microsoft 365 Copilot inherits the encryption protections of the underlying M365 platform while adding considerations specific to AI processing.

Encryption Layers for Copilot

| Layer | Protection | Standard | Copilot-Specific Notes |
|---|---|---|---|
| Transport encryption | Data in transit | TLS 1.2+ (TLS 1.3 supported) | All Copilot API calls use TLS; client-to-service and service-to-service |
| Service encryption | Data at rest (Microsoft-managed) | AES-256 | Default encryption for all M365 content Copilot accesses |
| Customer Key (CMK) | Data at rest (customer-managed root keys) | AES-256 with customer-controlled keys | Copilot can access CMK-encrypted content; key hierarchy maintained |
| Double Key Encryption (DKE) | Data at rest (dual-key protection) | AES-256 with two keys (Microsoft + customer) | Copilot CANNOT access DKE-encrypted content — by design |
| Sensitivity label encryption | Document-level encryption | Azure RMS / AES-256 | Copilot respects label-based encryption; may not process encrypted-only content |
| BitLocker | Device-level encryption | AES-128/256 | Protects cached Copilot data on managed devices |

Encryption in the Copilot Data Flow

Client Device                Microsoft 365 Cloud                AI Processing
┌──────────┐    TLS 1.2+     ┌─────────────────┐   Internal    ┌────────────┐
│          │ ──────────────→ │                 │   Encryption  │            │
│ Copilot  │                 │  M365 Service   │ ────────────→ │  Azure     │
│ Client   │                 │  Layer          │               │  OpenAI    │
│          │ ←────────────── │                 │ ←──────────── │  Service   │
│ BitLocker│    TLS 1.2+     │ AES-256 at Rest │   Internal    │  (no store)│
└──────────┘                 └────────┬────────┘   Encryption  └────────────┘
                                      │
                             ┌────────┴────────┐
                             │   Key Options   │
                             ├─────────────────┤
                             │ Microsoft-      │
                             │   managed       │
                             │ Customer Key    │
                             │   (CMK)         │
                             │ Double Key      │
                             │   (DKE-blocked) │
                             └─────────────────┘

TLS Configuration Details

| Protocol | Status | Notes |
|---|---|---|
| TLS 1.3 | Supported | Recommended where client supports |
| TLS 1.2 | Required minimum | Mandatory for all Copilot connections |
| TLS 1.1 | Deprecated | Blocked by Microsoft |
| TLS 1.0 | Deprecated | Blocked by Microsoft |
| SSL 3.0 | Deprecated | Blocked by Microsoft |

Cipher Suite Requirements

| Cipher Suite | TLS Version | Strength | Status |
|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | 1.3 | Strong | Preferred |
| TLS_AES_128_GCM_SHA256 | 1.3 | Strong | Supported |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | Strong | Supported |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 1.2 | Strong | Supported |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | Strong | Supported |

Customer Key vs. Double Key Encryption

| Feature | Customer Key (CMK) | Double Key Encryption (DKE) |
|---|---|---|
| Key control | Customer controls root keys in Azure Key Vault | Customer controls one key entirely (on-premises or HSM) |
| Microsoft access | Microsoft can access data for service operations | Microsoft cannot access data without customer's key |
| Copilot compatibility | Compatible — Copilot can process CMK-encrypted content | Not compatible — Copilot cannot process DKE content |
| Use case | Standard enhanced key control | Highest-sensitivity data where Microsoft must not access |
| FSI application | General customer data, business records | Regulatory examination files, SAR documents, board materials |
| Performance impact | Minimal | Moderate — requires key service availability |

Copilot Surface Coverage

| M365 Application | TLS in Transit | Service Encryption at Rest | CMK Compatible | DKE Blocks Copilot | Notes |
|---|---|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Yes | Yes | Yes | All transport and storage encrypted |
| Word | Yes | Yes | Yes | Yes | Document-level encryption supported |
| Excel | Yes | Yes | Yes | Yes | Workbook encryption supported |
| PowerPoint | Yes | Yes | Yes | Yes | Presentation encryption supported |
| Outlook | Yes | Yes | Yes | Yes | Email encryption (S/MIME, OME) |
| Teams | Yes | Yes | Yes | Yes | Chat and meeting content encrypted |
| OneNote | Yes | Yes | Yes | Yes | Notebook encryption supported |
| Loop | Yes | Yes | Yes | N/A | Loop workspace encryption |
| Copilot Pages | Yes | Yes | Yes | N/A | Pages stored encrypted |
| SharePoint (Agents) | Yes | Yes | Yes | Yes | Site-level encryption controls |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Verify TLS 1.2+ enforcement for all M365/Copilot connections; confirm service encryption (AES-256) is active for all workloads; document encryption posture in security architecture documents | Confirms that default Microsoft encryption standards are in place — meets minimum GLBA and FFIEC expectations |
| Recommended | Implement Customer Key for enhanced key control over M365 data at rest; configure Azure Key Vault with HSM-backed keys; use DKE for highest-sensitivity content (regulatory files, board materials) with documented understanding that DKE blocks Copilot access; annual encryption configuration review | Provides customer-controlled key management while maintaining Copilot functionality for most content — appropriate for most FSI firms |
| Regulated | All Recommended requirements plus: TLS 1.3 preferred where supported; certificate pinning for managed devices; Customer Key with dual-region key vault configuration; DKE deployed for all "Highly Confidential" labeled content; key rotation schedule (annual minimum); encryption key audit by external auditor; FIPS 140-2 Level 3 validated HSMs for key storage | Maximum encryption governance with full key lifecycle management — designed for NYDFS-regulated entities and firms under heightened supervisory attention |

Setup & Configuration

Step 1: Verify TLS Enforcement

# Connect to Exchange Online before querying transport settings
Connect-ExchangeOnline

# List the domains configured for Domain Security (mutual TLS) on Exchange Online send and receive
Get-TransportConfig | Format-List TlsSendDomainSecureList, TlsReceiveDomainSecureList

# Test TCP reachability of an M365 endpoint on 443 (does not negotiate TLS by itself)
Test-NetConnection -ComputerName "outlook.office365.com" -Port 443

# Show which TLS versions the current PowerShell session will offer (Windows PowerShell;
# PowerShell 7 reports SystemDefault and follows the OS Schannel configuration)
[Net.ServicePointManager]::SecurityProtocol
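The Step 1 commands confirm reachability and the client's own protocol settings but do not show what is actually negotiated. The script below is an added example (not part of this control or of any Microsoft tooling) that opens a TLS session to an M365 endpoint, reports the negotiated protocol and cipher suite, compares them against the approved suites listed in the TLS and cipher-suite tables above, confirms that legacy protocols are refused, and lists any cipher suites enabled on the local device that fall outside the approved set. Function names and the `$ApprovedSuites` variable are this example's own; it assumes PowerShell 7 or later, because `SslStream.NegotiatedCipherSuite` is not available in Windows PowerShell 5.1, and `Get-TlsCipherSuite` is Windows-only.

```powershell
# Added example: verify negotiated TLS parameters against the control's approved list.
# Assumptions: PowerShell 7+, outbound 443 allowed, Windows for Get-TlsCipherSuite.

$ApprovedSuites = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Test-M365TlsEndpoint {
    # Negotiates a TLS session and reports protocol, cipher suite and approval status.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string[]]$Approved = $ApprovedSuites
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # leaveInnerStreamOpen = $false, so disposing the SslStream closes the socket stream.
        # Certificate chain validation is left at the .NET default (full validation).
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $proto = $ssl.SslProtocol.ToString()             # expected: Tls12 or Tls13
        $suite = $ssl.NegotiatedCipherSuite.ToString()   # IANA-style name, e.g. TLS_AES_256_GCM_SHA384
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $proto
            CipherSuite = $suite
            Approved    = ($suite -in $Approved)
            Compliant   = ($suite -in $Approved) -and ($proto -in @('Tls12', 'Tls13'))
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-M365TlsDowngrade {
    # Confirms TLS 1.0 and 1.1 handshakes are refused. A rejection can also come from the
    # client's own .NET/Schannel policy, so run this from a host where the legacy protocol
    # is still enabled if you need evidence that the service side refuses it.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    foreach ($legacy in 'Tls', 'Tls11') {
        $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $enabled = [System.Security.Authentication.SslProtocols]$legacy
            $ssl.AuthenticateAsClient($HostName, $null, $enabled, $true)
            $result = 'ACCEPTED (investigate)'
        }
        catch {
            $result = 'rejected (expected)'
        }
        finally {
            $ssl.Dispose()
            $client.Dispose()
        }
        [pscustomobject]@{ Host = $HostName; Protocol = $legacy; Result = $result }
    }
}

function Get-UnapprovedClientCipherSuite {
    # Windows only: cipher suites enabled on this device that are outside the approved set,
    # i.e. suites this client would be willing to negotiate with some server.
    param([string[]]$Approved = $ApprovedSuites)
    Get-TlsCipherSuite | Where-Object { $_.Name -notin $Approved } | Select-Object Name, Protocols
}

# Usage against a sample M365 endpoint (the host name is the one used in Step 1)
Test-M365TlsEndpoint -HostName 'outlook.office365.com'
Test-M365TlsDowngrade -HostName 'outlook.office365.com'
Get-UnapprovedClientCipherSuite
```

Run `Test-M365TlsEndpoint` from each representative client device and network location named in Verification Criterion 1; a `Compliant` value of `False` means either a protocol below TLS 1.2 or a suite outside the table was negotiated, and the reported `CipherSuite` shows which. The downgrade test and the local cipher-suite listing together cover Criterion 7 from both the service and the client side.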

Step 2: Verify Service Encryption

Portal: Microsoft 365 Admin Center > Settings > Org settings > Services > Encryption

  1. Confirm "Service Encryption" shows "Active" for all workloads
  2. Verify encryption key type (Microsoft-managed or Customer Key)

Step 3: Configure Customer Key (Recommended/Regulated)

Prerequisites: Azure subscription, Azure Key Vault (Premium SKU for HSM), Global Admin + Compliance Admin roles

# Sign in to Azure with an account that can create vaults in the target resource group
Connect-AzAccount

# Create Azure Key Vault for Customer Key. Customer Key requires soft delete (on by default
# for new vaults) and purge protection, so keys cannot be permanently destroyed during the
# retention window.
New-AzKeyVault -Name "FSI-M365-CustomerKey-EUS" `
  -ResourceGroupName "rg-m365-encryption" `
  -Location "East US" `
  -Sku Premium `
  -EnablePurgeProtection

# Create a second Key Vault in a different region (required for resiliency)
New-AzKeyVault -Name "FSI-M365-CustomerKey-WUS" `
  -ResourceGroupName "rg-m365-encryption" `
  -Location "West US" `
  -Sku Premium `
  -EnablePurgeProtection

# Generate HSM-protected keys, one per vault, using the same key name so a single DEP
# can reference both vaults
Add-AzKeyVaultKey -VaultName "FSI-M365-CustomerKey-EUS" `
  -Name "M365-DEP-Key" -Destination HSM

Add-AzKeyVaultKey -VaultName "FSI-M365-CustomerKey-WUS" `
  -Name "M365-DEP-Key" -Destination HSM

Step 4: Create Data Encryption Policy (DEP)

# Connect to Exchange Online
Connect-ExchangeOnline

# Create DEP for Exchange Online
New-DataEncryptionPolicy -Name "FSI-EXO-DEP" `
  -AzureKeyIDs "https://fsi-m365-customerkey-eus.vault.azure.net/keys/M365-DEP-Key", `
               "https://fsi-m365-customerkey-wus.vault.azure.net/keys/M365-DEP-Key"

# Assign DEP to mailboxes
Set-Mailbox -Identity "user@firm.com" -DataEncryptionPolicy "FSI-EXO-DEP"

Step 5: Configure Double Key Encryption (Regulated)

  1. Deploy the DKE service (Azure App Service or on-premises)
  2. Configure DKE-protected sensitivity labels in Microsoft Purview
  3. Apply DKE labels to highest-sensitivity content
  4. Understand: DKE-labeled content is inaccessible to Copilot — this is the intended behavior

Step 6: Configure BitLocker Enforcement (Intune)

Portal: Microsoft Intune Admin Center > Endpoint security > Disk encryption

  1. Create BitLocker policy requiring AES-256 encryption
  2. Require TPM 2.0 for BitLocker key storage
  3. Configure recovery key escrow to Entra ID
  4. Assign policy to all Copilot user devices

Financial Sector Considerations

  • NYDFS Part 500 Compliance: Section 500.15 requires encryption of NPI in transit and at rest. For NYDFS-regulated entities, document that Copilot data flows meet these requirements: TLS 1.2+ in transit, AES-256 at rest, and key management controls appropriate to data sensitivity.
  • DKE as a Copilot Exclusion Mechanism: DKE effectively blocks Copilot from accessing content. Financial firms can use this strategically: apply DKE to content that must never be processed by AI (SARs, examination correspondence, board materials) while using CMK for content that should benefit from Copilot.
  • Key Management Governance: Customer Key requires ongoing key management — rotation, access control, monitoring, and disaster recovery. Assign key management responsibilities to a specific team and document procedures. Key compromise or loss can result in data inaccessibility.
  • Availability Key: Microsoft's Customer Key implementation includes an "availability key" that Microsoft can use to recover data if customer keys are lost. Financial firms should understand this mechanism and its implications for their control posture.
  • FIPS Compliance: FFIEC and NYDFS expect encryption implementations to meet recognized standards. Azure Key Vault Premium SKU uses FIPS 140-2 Level 2 validated HSMs. For Level 3 validation, consider Azure Dedicated HSM or Managed HSM.
  • Examination Evidence: Maintain documentation showing encryption configuration, key management procedures, and periodic validation results. Examiners will ask about encryption standards for AI processing.
  • Performance Considerations: DKE adds latency to content access because the customer's key service must be available for decryption. Plan capacity and availability accordingly for DKE-protected content.

Verification Criteria

  1. TLS Enforcement: Verify that all connections to M365/Copilot services use TLS 1.2 or higher — test from representative client devices and network locations
  2. Service Encryption Active: Confirm in the M365 Admin Center that service encryption is active for Exchange, SharePoint, and OneDrive
  3. Customer Key Status (if implemented): Verify DEP assignment and encryption status for Customer Key-protected content
  4. DKE Enforcement: Attempt to access DKE-labeled content via Copilot — confirm that Copilot cannot process the content
  5. Key Vault Health: Verify Azure Key Vault is accessible, keys are not expired, and access policies are correctly configured
  6. BitLocker Compliance: Confirm device encryption compliance reports in Intune show >99% compliance for Copilot user devices
  7. Cipher Suite Validation: Verify that only approved cipher suites are in use for M365 connections (no weak ciphers)
  8. Key Rotation Status: Confirm key rotation has been performed within the required cadence (annual minimum for Regulated)
  9. Encryption Documentation: Verify that encryption architecture documentation exists, is current, and includes Copilot data flows
  10. FIPS Validation: Confirm that encryption implementations use FIPS 140-2 validated modules (Level 2 minimum, Level 3 for Regulated)
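Several of the criteria above (3, 5, 6 and 8) can be evidenced from the command line rather than by screenshot. The script below is an added example, not part of this control or of Microsoft's own tooling, that reads the Customer Key vault state (reachability, soft delete and purge protection, key enabled/expired, days since the current key version was created as a rotation measure), counts mailboxes carrying the Data Encryption Policy and samples their `IsEncrypted` state, and computes the share of Intune-managed Windows devices reporting disk encryption. Vault, key and policy names default to the sample values used in the setup steps; function names are this example's own; it assumes the Az.KeyVault, ExchangeOnlineManagement and Microsoft.Graph modules are installed and that `Connect-AzAccount`, `Connect-ExchangeOnline` and `Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All` have already been run.

```powershell
# Added example: gather evidence for Verification Criteria 3, 5, 6 and 8.
# Assumes Az.KeyVault, ExchangeOnlineManagement and Microsoft.Graph sessions are connected.

function Test-CustomerKeyVault {
    # Criteria 5 and 8: vault reachable, protections on, key usable, rotation within cadence.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [string]$KeyName = 'M365-DEP-Key',   # sample key name from Step 3
        [int]$MaxKeyAgeDays = 365            # annual rotation minimum for Regulated
    )
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) {
        return [pscustomobject]@{ Vault = $VaultName; Reachable = $false }
    }
    # Without -Version this returns the current key version, so its Created date
    # is the date of the last rotation.
    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
    $ageDays = [int]((Get-Date) - $key.Created).TotalDays
    [pscustomobject]@{
        Vault           = $VaultName
        Reachable       = $true
        SoftDelete      = [bool]$vault.EnableSoftDelete
        PurgeProtection = [bool]$vault.EnablePurgeProtection
        KeyEnabled      = [bool]$key.Enabled
        KeyExpires      = $key.Expires
        KeyExpired      = ($null -ne $key.Expires -and $key.Expires -lt (Get-Date))
        KeyAgeDays      = $ageDays
        RotationOverdue = ($ageDays -gt $MaxKeyAgeDays)
    }
}

function Get-DepCoverage {
    # Criterion 3: mailboxes assigned the DEP, plus a sample of their re-encryption state.
    param([string]$PolicyName = 'FSI-EXO-DEP', [int]$SampleSize = 25)   # sample policy name from Step 4
    $dep = Get-DataEncryptionPolicy -Identity $PolicyName
    $all = @(Get-Mailbox -ResultSize Unlimited)
    $assigned = @($all | Where-Object { "$($_.DataEncryptionPolicy)" -like "*$PolicyName*" })
    # IsEncrypted becomes True once the mailbox has been re-encrypted under the DEP.
    $sample = @($assigned | Select-Object -First $SampleSize |
        ForEach-Object { Get-MailboxStatistics -Identity $_.Identity } |
        Select-Object DisplayName, IsEncrypted)
    [pscustomobject]@{
        Policy          = $dep.Name
        PolicyEnabled   = $dep.Enabled
        KeyIds          = $dep.AzureKeyIDs
        TotalMailboxes  = $all.Count
        Assigned        = $assigned.Count
        Unassigned      = ($all.Count - $assigned.Count)
        SampleSize      = $sample.Count
        SampleEncrypted = @($sample | Where-Object IsEncrypted).Count
    }
}

function Get-DeviceEncryptionCompliance {
    # Criterion 6: share of Intune-managed Windows devices reporting disk encryption (>99% target).
    param([double]$TargetPercent = 99.0)
    $devices = @(Get-MgDeviceManagementManagedDevice -All | Where-Object OperatingSystem -eq 'Windows')
    $encrypted = @($devices | Where-Object IsEncrypted).Count
    $pct = if ($devices.Count) { [math]::Round(100 * $encrypted / $devices.Count, 2) } else { 0 }
    [pscustomobject]@{
        WindowsDevices = $devices.Count
        Encrypted      = $encrypted
        Percent        = $pct
        MeetsTarget    = ($pct -gt $TargetPercent)
        NotEncrypted   = @($devices | Where-Object { -not $_.IsEncrypted } |
                           Select-Object -ExpandProperty DeviceName)
    }
}

# Usage with the sample names from Steps 3 and 4
Test-CustomerKeyVault -VaultName 'FSI-M365-CustomerKey-EUS'
Test-CustomerKeyVault -VaultName 'FSI-M365-CustomerKey-WUS'
Get-DepCoverage
Get-DeviceEncryptionCompliance
```

Export the three result objects (for example with `Export-Csv`) at each review and keep them with the encryption documentation called for in Criterion 9; a `RotationOverdue`, `KeyExpired` or `MeetsTarget = False` value is the finding an examiner would expect to see tracked to closure.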

Additional Resources