
Setting Up Customer Managed Encryption Keys

This article walks through the end-to-end process of enabling Customer Managed Encryption Keys (CMEK) for a location. Before you begin, confirm the following prerequisites are in place.

Prerequisites

  • The location must be on the Enterprise subscription tier.

  • You must have contacted Xakia via support@xakiatech.com to have the CMEK feature enabled for your location.

  • You must have an Azure Key Vault instance with an encryption key already created.

  • You must have Azure Global Administrator permissions to grant application consent.


Step 1 — Select Customer Managed in Document Management

  1. In Admin, navigate to Advanced Features > Document Management.

  2. Scroll to the Encryption Key section at the bottom of the page.

    • This section is only visible when Document Management is enabled for the location.

    • It defaults to Xakia Managed.

  3. Select Customer Managed.


Step 2 — Grant application consent

Xakia uses an Azure application called Xakia CMEK to authenticate to your Azure tenant and access your Key Vault. You must grant consent for this application before the integration can proceed.

  1. Click Get the App within the Customer Managed setup panel.

  2. Sign in with your Azure Global Administrator credentials when prompted.

  3. Review the permissions requested by the Xakia CMEK application and click Accept.

  4. You will be redirected back to Xakia, where the consent timestamp will be recorded.


Step 3 — Configure the Key Vault connection

Next, tell Xakia where to find your encryption key.

  1. In the setup panel, enter your Key Vault URI.

    • You can find this on the Overview page of your Key Vault instance in the Azure Portal — it is labelled Vault URI.

  2. Enter the Key Name — the name of the specific key within that vault that Xakia should use.

  3. Click Save.

Xakia will immediately validate the configuration in the background, checking that it can connect to the vault and that the key has the required operations enabled. Any validation errors will be displayed inline with guidance on how to resolve them.

The following prerequisites must be met:

  1. The Xakia app is given Get, WrapKey and UnwrapKey permissions on your Key Vault

  2. The Key Type is RSA

  3. The Key operations include WrapKey and UnwrapKey

  4. The Key Vault has Soft Delete enabled

  5. The Key Vault has Purge Protection enabled

Once the configuration reads Configuration is valid, you are ready to proceed.
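The five prerequisites above can be checked before clicking Save. The following is an added example, not Xakia's code: it assumes you have saved the JSON from `az keyvault show` and `az keyvault key show`, and the field names it reads (`enableSoftDelete`, `enablePurgeProtection`, `accessPolicies`, `kty`, `keyOps`) reflect that assumed output shape. The object ID of the Xakia CMEK service principal in your tenant is a placeholder here, and the sample data is constructed.

```python
# Added example: offline pre-flight check of the five Key Vault prerequisites.
REQUIRED_PERMS = {"get": "Get", "wrapkey": "WrapKey", "unwrapkey": "UnwrapKey"}
REQUIRED_OPS = {"wrapkey": "WrapKey", "unwrapkey": "UnwrapKey"}

def _missing(required, present):
    # Case-insensitive comparison; returns display names that are absent.
    have = {str(p).lower() for p in present or []}
    return [name for low, name in required.items() if low not in have]

def check_cmek_prereqs(vault, key, app_object_id):
    """Return unmet prerequisites; an empty list means all five pass."""
    problems = []
    props = vault.get("properties") or {}
    # 1. Get/WrapKey/UnwrapKey granted to the app via a vault access policy.
    if props.get("enableRbacAuthorization"):
        problems.append("vault uses Azure RBAC; check role assignments instead")
    else:
        granted = []
        for pol in props.get("accessPolicies") or []:
            if str(pol.get("objectId", "")).lower() == app_object_id.lower():
                granted += (pol.get("permissions") or {}).get("keys") or []
        all_keys = "all" in {str(g).lower() for g in granted}
        lacking = [] if all_keys else _missing(REQUIRED_PERMS, granted)
        if lacking:
            problems.append("app is missing key permissions: " + ", ".join(lacking))
    # 2 and 3. Key type and permitted key operations.
    jwk = key.get("key") or {}
    if jwk.get("kty") != "RSA":  # the article names RSA only; anything else is reported
        problems.append(f"key type is {jwk.get('kty')}, expected RSA")
    lacking_ops = _missing(REQUIRED_OPS, jwk.get("keyOps"))
    if lacking_ops:
        problems.append("key operations missing: " + ", ".join(lacking_ops))
    # 4 and 5. A null or false value both count as not enabled.
    if props.get("enableSoftDelete") is not True:
        problems.append("Soft Delete is not enabled")
    if props.get("enablePurgeProtection") is not True:
        problems.append("Purge Protection is not enabled")
    return problems

# Constructed sample data shaped like the two CLI outputs; the object ID is a placeholder.
APP_OBJECT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_VAULT = {"properties": {
    "enableRbacAuthorization": False, "enableSoftDelete": True,
    "enablePurgeProtection": None,
    "accessPolicies": [{"objectId": APP_OBJECT_ID,
                        "permissions": {"keys": ["get", "wrapKey"]}}]}}
SAMPLE_KEY = {"key": {"kty": "RSA", "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]}}

if __name__ == "__main__":
    for problem in check_cmek_prereqs(SAMPLE_VAULT, SAMPLE_KEY, APP_OBJECT_ID):
        print("FAIL:", problem)
```

With the constructed sample, the check reports the missing UnwrapKey permission and the disabled Purge Protection setting.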


Step 4 — Enable CMEK

Click the Enabled toggle.

From this point on, all document content uploaded to this location will be encrypted and decrypted using your key. This also applies to document preview images.

Important: Documents uploaded before CMEK was enabled were encrypted with Xakia's managed key. Those documents will continue to function normally. Only new uploads from this point forward use your key.


Verifying the setup

To confirm CMEK is working correctly:

  1. Upload a document to a matter in the location.

  2. Verify that the document preview renders as expected.

  3. Download the document and confirm the content is intact.

  4. In your Azure Key Vault, disable the encryption key.

  5. Return to Xakia, perform a hard refresh and empty your browser's cache. Attempt to preview or download the same document — both actions should now return an error, confirming Xakia can no longer access the content without your key.

  6. Re-enable the key in Azure. The document preview and download will work again immediately.


Revoking access (offboarding)

When you are ready to offboard or wish to permanently revoke Xakia's access to your documents:

In your Azure Key Vault, disable or delete the encryption key, or remove the Xakia CMEK application's access.

Once this is done, Xakia has no means of decrypting any document content stored for that location. No further action within Xakia is required.
