Merge pull request #208856 from b-ahibbard/anf-customer-managed-keys

Customer-managed keys

Author: v-dirichards

articles/azure-netapp-files/TOC.yml

@@ -237,6 +237,8 @@
         href: configure-access-control-lists.md
       - name: Configure network features for a volume
         href: configure-network-features.md
+      - name: Configure customer-managed keys 
+        href: configure-customer-managed-keys.md
       - name: Configure Virtual WAN
         href: configure-virtual-wan.md
     - name: Mount volumes

articles/azure-netapp-files/configure-customer-managed-keys.md

@@ -6,7 +6,7 @@ ms.workload: storage
 ms.topic: conceptual
 author: b-hchen
 ms.author: anfdocs
-ms.date: 04/08/2021
+ms.date: 02/21/2023
 ms.custom: references_regions
 ---
 # Security FAQs for Azure NetApp Files
@@ -15,9 +15,9 @@ This article answers frequently asked questions (FAQs) about Azure NetApp Files
 
 ## Can the network traffic between the Azure VM and the storage be encrypted?
 
-Azure NetApp Files data traffic is inherently secure by design, as it does not provide a public endpoint and data traffic stays within customer-owned VNet. Data-in-flight is not encrypted by default. However, data traffic from an Azure VM (running an NFS or SMB client) to Azure NetApp Files is as secure as any other Azure-VM-to-VM traffic. 
+Azure NetApp Files data traffic is inherently secure by design, as it doesn't provide a public endpoint, and data traffic stays within customer-owned VNet. Data-in-flight isn't encrypted by default. However, data traffic from an Azure VM (running an NFS or SMB client) to Azure NetApp Files is as secure as any other Azure-VM-to-VM traffic. 
 
-NFSv3 protocol does not provide support for encryption, so this data-in-flight cannot be encrypted. However, NFSv4.1 and SMB3 data-in-flight encryption can optionally be enabled. Data traffic between NFSv4.1 clients and Azure NetApp Files volumes can be encrypted using Kerberos with AES-256 encryption. See [Configure NFSv4.1 Kerberos encryption for Azure NetApp Files](configure-kerberos-encryption.md) for details. Data traffic between SMB3 clients and Azure NetApp Files volumes can be encrypted using the AES-CCM algorithm on SMB 3.0, and the AES-GCM algorithm on SMB 3.1.1 connections. See [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md) for details. 
+NFSv3 protocol doesn't provide support for encryption, so this data-in-flight can't be encrypted. However, NFSv4.1 and SMB3 data-in-flight encryption can optionally be enabled. Data traffic between NFSv4.1 clients and Azure NetApp Files volumes can be encrypted using Kerberos with AES-256 encryption. See [Configure NFSv4.1 Kerberos encryption for Azure NetApp Files](configure-kerberos-encryption.md) for details. Data traffic between SMB3 clients and Azure NetApp Files volumes can be encrypted using the AES-CCM algorithm on SMB 3.0, and the AES-GCM algorithm on SMB 3.1.1 connections. See [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md) for details. 
 
 ## Can the storage be encrypted at rest?
 
@@ -29,15 +29,17 @@ Azure NetApp Files cross-region replication uses TLS 1.2 AES-256 GCM encryption
 
 ## How are encryption keys managed? 
 
-Key management for Azure NetApp Files is handled by the service. A unique XTS-AES-256 data encryption key is generated for each volume. An encryption key hierarchy is used to encrypt and protect all volume keys. These encryption keys are never displayed or reported in an unencrypted format. Encryption keys are deleted immediately when a volume is deleted.
+Key management for Azure NetApp Files is handled by the service. A unique XTS-AES-256 data encryption key is generated for each volume. An encryption key hierarchy is used to encrypt and protect all volume keys. These encryption keys are never displayed or reported in an unencrypted format. When you delete a volume, Azure NetApp Files immediately deletes the volume's encryption keys.
 
-Support for customer-managed keys (Bring Your Own Key) using Azure Dedicated HSM is available on a controlled basis in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access at [[email protected]](mailto:[email protected]). As capacity becomes available, requests will be approved.
+Customer-managed keys (Bring Your Own Key) using Azure Dedicated HSM is supported on a controlled basis. Support is currently available in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access at [[email protected]](mailto:[email protected]). As capacity becomes available, requests will be approved.
+
+[Customer-managed keys](configure-customer-managed-keys.md) are available with limited regional support.
 
 ## Can I configure the NFS export policy rules to control access to the Azure NetApp Files service mount target?
 
 Yes, you can configure up to five rules in a single NFS export policy.
 
-## Can I use Azure RBAC with Azure NetApp Files?
+## Can I use Azure role-based access control (RBAC) with Azure NetApp Files?
 
 Yes, Azure NetApp Files supports Azure RBAC features. Along with the built-in Azure roles, you can [create custom roles](../role-based-access-control/custom-roles.md) for Azure NetApp Files. 
 
@@ -53,7 +55,7 @@ For the complete list of API operations, see [Azure NetApp Files REST API](/rest
 
 Yes, you can create [custom Azure policies](../governance/policy/tutorials/create-custom-policy-definition.md). 
 
-However, you cannot create Azure policies (custom naming policies) on the Azure NetApp Files interface. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md#considerations).
+However, you can't create Azure policies (custom naming policies) on the Azure NetApp Files interface. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md#considerations).
 
 ## When I delete an Azure NetApp Files volume, is the data deleted safely? 
 

articles/azure-netapp-files/faq-security.md

@@ -21,6 +21,12 @@ Azure NetApp Files is updated regularly. This article provides a summary about t
 
 ## February 2023
 
+* [Customer-managed keys](configure-customer-managed-keys.md) (Preview)
+
+    Azure NetApp Files volumes now support encryption with customer-managed keys and Azure Key Vault to enable an extra layer of security for data at rest.  
+    
+    Data encryption with customer-managed keys for Azure NetApp Files allows you to bring your own key for data encryption at rest. You can use this feature to implement separation of duties for managing keys and data. Additionally, you can centrally manage and organize keys using Azure Key Vault. With customer-managed encryption, you are in full control of, and responsible for, a key's lifecycle, key usage permissions, and auditing operations on keys. 
+ 
 * [Capacity pool enhancement](azure-netapp-files-set-up-capacity-pool.md) (Preview)
 
     Azure NetApp Files now supports a lower limit of 2 TiB for capacity pool sizing with Standard network features.