Microsoft Copilot processes and stores data from Microsoft 365 services, including chat histories, file references, and grounded responses. When data is stored, Microsoft encrypts it at rest using a layered key hierarchy. Understanding this hierarchy and how often encryption keys are rotated helps IT administrators evaluate data protection and compliance readiness. This article explains the key layers, the rotation schedule, and how Copilot inherits its encryption model from Microsoft 365.
Key Takeaways: Copilot Encryption at Rest
- Microsoft 365 Service Encryption with Customer Key: Copilot data inherits the same tenant-level encryption keys used by Exchange Online, SharePoint Online, and OneDrive for Business.
- Three-layer key hierarchy: Data Encryption Keys DEKs are wrapped by Key Encryption Keys KEKs, which are wrapped by a Tenant Key. Each layer is rotated on a separate cadence.
- Default rotation cadence: Microsoft automatically rotates Tenant Keys every 28 days. Customer-managed keys with Customer Key follow a 90-day rotation policy.
Copilot Data Encryption at Rest: The Key Hierarchy
Copilot does not introduce a separate encryption system. It uses the same encryption at rest model that Microsoft 365 applies to Exchange Online, SharePoint Online, and OneDrive for Business. The encryption relies on a three-layer key hierarchy.
Layer 1: Data Encryption Key DEK
A Data Encryption Key is a symmetric 256-bit AES key. Each piece of data stored on disk, such as a Copilot chat session or a grounded response file, is encrypted with its own DEK. DEKs are generated per blob or per file. They are never stored in plaintext.
Layer 2: Key Encryption Key KEK
A Key Encryption Key encrypts the DEK. Each DEK is wrapped by a KEK before being stored in the key store. KEKs are also symmetric 256-bit AES keys. Multiple DEKs can share the same KEK within a logical partition of data.
Layer 3: Tenant Key
The Tenant Key sits at the top of the hierarchy. It wraps the KEKs. Microsoft manages the Tenant Key by default, but tenants can use Customer Key to provide their own key stored in Azure Key Vault. The Tenant Key is the root of trust for all Copilot data in that tenant.
Rotation Cadence for Each Key Layer
Microsoft rotates keys on a fixed schedule to limit the impact of a key compromise. Each layer has a different rotation cadence.
DEK Rotation
Data Encryption Keys are rotated every time the underlying blob or file is rewritten. This means every time Copilot saves an updated chat or a new grounded response, a new DEK is generated. The old DEK is retired after a 30-day grace period during which it can still decrypt old data. After 30 days the old DEK is permanently deleted.
KEK Rotation
Key Encryption Keys rotate every 90 days. Microsoft performs the rotation automatically. The old KEK is retained for 90 days after rotation to allow rewrap of any DEKs that still reference it. After 90 days the old KEK is deleted.
Tenant Key Rotation Default
For tenants using Microsoft-managed Tenant Keys, the rotation occurs every 28 days. The old Tenant Key is kept for 180 days to ensure all wrapped KEKs can be unwrapped. After 180 days the old key is purged.
Tenant Key Rotation with Customer Key
When a tenant uses Customer Key, the rotation schedule changes. The tenant administrator must trigger a key rotation in the Microsoft 365 admin center. Microsoft recommends rotating every 90 days. If the tenant does not rotate within 120 days, Microsoft automatically rotates the key to maintain security. The old key is retained for 90 days after rotation.
How Copilot Data Is Encrypted at Rest
Copilot stores several types of data that are encrypted at rest: chat history, file references, grounded response text, and metadata. Each data type is stored in the same Microsoft 365 storage infrastructure as the source service.
For example, when Copilot in Word references a document stored in OneDrive for Business, the document itself is encrypted with the SharePoint Online encryption layer. The Copilot chat session that references it is stored in the Copilot service partition and encrypted with the tenant-level key hierarchy. The chat session DEK is wrapped by the tenant KEK, which is wrapped by the Tenant Key.
This design means that if an attacker gains access to the physical disk, they cannot read any Copilot data without first decrypting the Tenant Key. Even if a single DEK is compromised, only that specific blob is exposed. The rest of the tenant data remains protected.
Common Misconceptions About Copilot Encryption
Copilot Uses a Separate Encryption Key from Microsoft 365
This is false. Copilot inherits the same key hierarchy that Microsoft 365 uses for Exchange Online, SharePoint Online, and OneDrive for Business. There is no separate Copilot-specific key store. The Tenant Key that protects your mailbox also protects your Copilot chat data.
Customer Key Gives Microsoft Access to Your Data
Customer Key stores the Tenant Key in Azure Key Vault under tenant control. Microsoft cannot access the key. If you use Customer Key, Microsoft cannot decrypt your Copilot data even if required by law. You must provide the key during a data recovery operation.
Key Rotation Requires Downtime
Key rotation is a background operation. Copilot remains fully available during rotation. Old keys are retained for a grace period so existing encrypted data can still be read. New data uses the new key immediately.
Copilot Encryption at Rest: Default vs Customer Key
| Item | Default Microsoft-Managed Key | Customer Key Bring Your Own Key |
|---|---|---|
| Key ownership | Microsoft manages the Tenant Key | Tenant manages the Tenant Key in Azure Key Vault |
| Tenant Key rotation cadence | Every 28 days automatically | Every 90 days recommended, admin-triggered |
| Old key retention period | 180 days after rotation | 90 days after rotation |
| Ability to revoke key | Not possible | Admin can revoke key access at any time |
| Data recovery without key | Microsoft can recover using internal key | Data is unrecoverable without tenant key |
| Compliance certifications | FedRAMP High, SOC 2, ISO 27001 | All default plus EU Model Clauses and HIPAA BAA |
Limitations and Edge Cases
Customer Key Is Not Available in All Plans
Customer Key is available only in Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 E5. Tenants with Copilot for Microsoft 365 but without an E5 license cannot use Customer Key. They must use the default Microsoft-managed Tenant Key.
Multi-Geo Tenants Have Separate Tenant Keys
If your tenant uses Microsoft 365 Multi-Geo, each geography has its own Tenant Key. Copilot data stored in a specific geography is encrypted with that geography’s key. Key rotation cadence applies independently per geography.
Copilot Chat History Is Not Encrypted with the Source File Key
A Copilot chat that references a Word document does not use the Word document’s DEK. The chat session has its own DEK wrapped by the tenant KEK. This means revoking the Word document key does not affect the chat session key. The chat session remains readable until its own DEK is rotated and the old DEK expires.
Verifying Your Tenant Encryption Configuration
To check whether your tenant uses the default key or Customer Key, follow these steps.
- Open the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with Global Administrator credentials. - Navigate to Settings > Org settings > Security & privacy
Select Security & privacy from the list of organization settings. - Select Customer Key
If Customer Key is enabled, you will see the key URIs for each workload. If the page shows a message that Customer Key is not configured, your tenant uses the default Microsoft-managed key.
You can now describe the Copilot encryption key hierarchy and rotation cadence to your compliance team. Review your tenant’s Customer Key status to decide whether a bring-your-own-key strategy is needed for Copilot data. For tenants that require maximum control, enable Customer Key and configure a 90-day manual rotation policy in Azure Key Vault.