MicrosoftDocs
diff --git a/‎articles/cognitive-services/Content-Moderator/content-moderator-encryption-of-data-at-rest.md
Lines changed: 40 additions & 0 deletions b/‎articles/cognitive-services/Content-Moderator/content-moderator-encryption-of-data-at-rest.md
Lines changed: 40 additions & 0 deletions
diff --git a/‎articles/cognitive-services/Content-Moderator/toc.yml
Lines changed: 2 additions & 0 deletions b/‎articles/cognitive-services/Content-Moderator/toc.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/cognitive-services/Encryption/cognitive-services-encryption-keys-portal.md
Lines changed: 107 additions & 0 deletions b/‎articles/cognitive-services/Encryption/cognitive-services-encryption-keys-portal.md
Lines changed: 107 additions & 0 deletions
diff --git a/‎articles/cognitive-services/Face/face-encryption-of-data-at-rest.md
Lines changed: 34 additions & 0 deletions b/‎articles/cognitive-services/Face/face-encryption-of-data-at-rest.md
Lines changed: 34 additions & 0 deletions
diff --git a/‎articles/cognitive-services/Face/toc.yml
Lines changed: 3 additions & 1 deletion b/‎articles/cognitive-services/Face/toc.yml
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/cognitive-services/LUIS/luis-encryption-of-data-at-rest.md
Lines changed: 92 additions & 0 deletions b/‎articles/cognitive-services/LUIS/luis-encryption-of-data-at-rest.md
Lines changed: 92 additions & 0 deletions
diff --git a/‎articles/cognitive-services/LUIS/toc.yml
Lines changed: 2 additions & 0 deletions b/‎articles/cognitive-services/LUIS/toc.yml
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,40 @@
+---
+title: Content Moderator encryption of data at rest
+titleSuffix: Azure Cognitive Services
+description: Content Moderator encryption of data at rest.
+author: erindormier
+manager: venkyv
+
+ms.service: cognitive-services
+ms.subservice: content-moderator
+ms.topic: conceptual
+ms.date: 03/13/2020
+ms.author: egeaney
+#Customer intent: As a user of the Content Moderator service, I want to learn how encryption at rest works.
+---
+
+# Content Moderator encryption of data at rest
+
+Content Moderator automatically encrypts your data when it is persisted to the cloud, helping to meet your organizational security and compliance goals.
+
+[!INCLUDE [cognitive-services-about-encryption](../../../includes/cognitive-services-about-encryption.md)]
+
+> [!IMPORTANT]
+> Customer-managed keys are only available on the E0 pricing tier. To request the ability to use customer-managed keys, fill out and submit the [Content Moderator Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for using CMK with the Content Moderator service, you will need to create a new Content Moderator resource and select E0 as the Pricing Tier. Once your Content Moderator resource with the E0 pricing tier is created, you can use Azure Key Vault to set up your managed identity.
+
+[!INCLUDE [cognitive-services-cmk](../../../includes/cognitive-services-cmk-regions.md)]
+
+[!INCLUDE [cognitive-services-cmk](../../../includes/cognitive-services-cmk.md)]
+
+## Enable data encryption for your Content Moderator Team
+
+To enable data encryption for your Content Moderator Review Team, see the [Quickstart: Try Content Moderator on the web](quick-start.md#create-a-review-team).  
+
+> [!NOTE]
+> You'll need to provide a _Resource ID_ with the Content Moderator E0 pricing tier.
+
+
+## Next steps
+
+* [Content Moderator Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk)
+* [Learn more about Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-overview)
@@ -134,3 +134,5 @@
     href: https://azure.microsoft.com/global-infrastructure/services/?products=cognitive-services
   - name: Compliance
     href: https://azure.microsoft.com/support/legal/cognitive-services-compliance-and-privacy/
+  - name: Encryption
+    href: content-moderator-encryption-of-data-at-rest.md
@@ -0,0 +1,107 @@
+---
+title: Use the Azure portal to configure customer-managed keys
+titleSuffix: Cognitive Services
+description: Learn how to use the Azure portal to configure customer-managed keys with Azure Key Vault. Customer-managed keys enable you to create, rotate, disable, and revoke access controls.
+services: cognitive-services
+author: erindormier
+
+ms.service: cognitive-services
+ms.topic: include
+ms.date: 03/11/2020
+ms.author: egeaney
+---
+
+# Configure customer-managed keys with Azure Key Vault by using the Azure portal
+
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](https://docs.microsoft.com/azure/key-vault/key-vault-overview).
+
+This article shows how to configure an Azure Key Vault with customer-managed keys using the [Azure portal](https://portal.azure.com/). To learn how to create a key vault using the Azure portal, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../../key-vault/quick-create-portal.md).
+
+## Configure Azure Key Vault
+
+Using customer-managed keys requires that two properties be set on the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.
+
+> [!IMPORTANT]
+> If you do not have the **Soft Delete** and **Do Not Purge** properties enabled and you delete your key, you won't be able to recover the data in your Cognitive Service resource.
+
+To learn how to enable these properties on an existing key vault, see the sections titled **Enabling soft-delete** and **Enabling Purge Protection** in one of the following articles:
+
+- [How to use soft-delete with PowerShell](https://docs.microsoft.com/azure/key-vault/key-vault-soft-delete-powershell).
+- [How to use soft-delete with CLI](https://docs.microsoft.com/azure/key-vault/key-vault-soft-delete-cli).
+
+Only RSA keys of size 2048 are supported with Azure Storage encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](https://docs.microsoft.com/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys).
+
+## Enable customer-managed keys
+
+To enable customer-managed keys in the Azure portal, follow these steps:
+
+1. Navigate to your Cognitive Services resource.
+1. On the **Settings** blade for your Cognitive Services resource, click **Encryption**. Select the **Customer Managed Keys** option, as shown in the following figure.
+
+    ![Screenshot showing how to select Customer Managed Keys](../media/cognitive-services-encryption/selectcmk.png)
+
+## Specify a key
+
+After you enable customer-managed keys, you'll have the opportunity to specify a key to associate with the Cognitive Services resource.
+
+### Specify a key as a URI
+
+To specify a key as a URI, follow these steps:
+
+1. To locate the key URI in the Azure portal, navigate to your key vault, and select the **Keys** setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.
+1. Copy the value of the **Key Identifier** field, which provides the URI.
+
+    ![Screenshot showing key vault key URI](../media/cognitive-services-encryption/key-uri-portal.png)
+
+1. In the **Encryption** settings for your storage account, choose the **Enter key URI** option.
+1. Paste the URI that you copied into the **Key URI** field.
+
+   ![Screenshot showing how to enter key URI](../media/cognitive-services-encryption/ssecmk2.png)
+
+1. Specify the subscription that contains the key vault.
+1. Save your changes.
+
+### Specify a key from a key vault
+
+To specify a key from a key vault, first make sure that you have a key vault that contains a key. To specify a key from a key vault, follow these steps:
+
+1. Choose the **Select from Key Vault** option.
+1. Select the key vault containing the key you want to use.
+1. Select the key from the key vault.
+
+   ![Screenshot showing customer-managed key option](../media/cognitive-services-encryption/ssecmk3.png)
+
+1. Save your changes.
+
+## Update the key version
+
+When you create a new version of a key, update the Cognitive Services resource to use the new version. Follow these steps:
+
+1. Navigate to your Cognitive Services resource and display the **Encryption** settings.
+1. Enter the URI for the new key version. Alternately, you can select the key vault and the key again to update the version.
+1. Save your changes.
+
+## Use a different key
+
+To change the key used for encryption, follow these steps:
+
+1. Navigate to your Cognitive Services resource and display the **Encryption** settings.
+1. Enter the URI for the new key. Alternately, you can select the key vault and choose a new key.
+1. Save your changes.
+
+## Disable customer-managed keys
+
+When you disable customer-managed keys, your Cognitive Services resource is then encrypted with Microsoft-managed keys. To disable customer-managed keys, follow these steps:
+
+1. Navigate to your Cognitive Services resource and display the **Encryption** settings.
+1. Deselect the checkbox next to the **Use your own key** setting.
+
+## Next steps
+
+* [What is Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-overview)?
+* [Cognitive Services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk)
+* [Face Services encryption of data at rest](../Face/face-encryption-of-data-at-rest.md)
+* [QnA Maker encryption of data at rest](../QnAMaker/qna-maker-encryption-of-data-at-rest.md)
+* [Language Understanding service encryption of data at rest](../LUIS/luis-encryption-of-data-at-rest.md)
+* [Content Moderator encryption of data at rest](../Content-Moderator/content-moderator-encryption-of-data-at-rest.md)
+* [Translator encryption of data at rest](../translator/translator-encryption-of-data-at-rest.md)
@@ -0,0 +1,34 @@
+---
+title: Face service encryption of data at rest
+titleSuffix: Azure Cognitive Services
+description: Face service encryption of data at rest.
+author: erindormier
+manager: venkyv
+
+ms.service: cognitive-services
+ms.subservice: face-api
+ms.topic: conceptual
+ms.date: 03/11/2020
+ms.author: egeaney
+#Customer intent: As a user of the Face service, I want to learn how encryption at rest works.
+---
+
+# Face service encryption of data at rest
+
+The Face service automatically encrypts your data when persisted it to the cloud. The Face service encryption protects your data and to help you to meet your organizational security and compliance commitments.
+
+[!INCLUDE [cognitive-services-about-encryption](../../../includes/cognitive-services-about-encryption.md)]
+
+> [!IMPORTANT]
+> Customer-managed keys are only available on the E0 pricing tier. To request the ability to use customer-managed keys, fill out and submit the [Face Service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for using CMK with the Face service, you will need to create a new Face resource and select E0 as the Pricing Tier. Once your Face resource with the E0 pricing tier is created, you can use Azure Key Vault to set up your managed identity.
+
+[!INCLUDE [cognitive-services-cmk](../../../includes/cognitive-services-cmk-regions.md)]
+
+[!INCLUDE [cognitive-services-cmk](../../../includes/cognitive-services-cmk.md)]
+
+## Next steps
+
+* [Face Service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk)
+* [Learn more about Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-overview)
+
+
@@ -114,6 +114,8 @@
   - name: Regional availability
     href: https://azure.microsoft.com/global-infrastructure/services/?products=cognitive-services
   - name: Compliance
-    href: https://azure.microsoft.com/support/legal/cognitive-services-compliance-and-privacy/
+    href: https://azure.microsoft.com/support/legal/cognitive-services-compliance-and-privacy/    
+  - name: Encryption
+    href: face-encryption-of-data-at-rest.md
   - name: Release notes
     href: ReleaseNotes.md
@@ -0,0 +1,92 @@
+---
+title: Language Understanding service encryption of data at rest
+titleSuffix: Azure Cognitive Services
+description: Language Understanding service encryption of data at rest.
+author: erindormier
+manager: venkyv
+
+ms.service: cognitive-services
+ms.subservice: language-understanding
+ms.topic: conceptual
+ms.date: 03/13/2020
+ms.author: egeaney
+#Customer intent: As a user of the Language Understanding (LUIS) service, I want to learn how encryption at rest works.
+---
+
+# Language Understanding service encryption of data at rest
+
+The Language Understanding service automatically encrypts your data when it is persisted to the cloud. The Language Understanding service encryption protects your data and helps you meet your organizational security and compliance commitments.
+
+## About Cognitive Services encryption
+
+Data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2) compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default and you don’t need to modify your code or applications to take advantage of encryption.
+
+## About encryption key management
+
+By default, your subscription uses Microsoft-managed encryption keys. There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
+
+## Customer-managed keys with Azure Key Vault
+
+There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
+
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](https://docs.microsoft.com/azure/key-vault/key-vault-overview).
+
+### Customer-managed keys for Language Understanding
+
+To request the ability to use customer-managed keys, fill out and submit the [LUIS Service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for using CMK with LUIS, you'll need to create a new Language Understanding resource from the Azure portal and select E0 as the Pricing Tier. The new SKU will function the same as the F0 SKU that is already available except for CMK. Users won’t be able to upgrade from the F0 to the new E0 SKU.
+
+E0 resources are only available for Authoring service and that the E0 tier will initially only be supported in West US Region.
+
+![LUIS subscription image](../media/cognitive-services-encryption/luis-subscription.png)
+
+### Regional availability
+
+Customer-managed keys are currently available in the **West US** region.
+
+### Limitations
+
+There are some limitations when using the E0 tier with existing/previously created applications:
+
+* Migration to an E0 resource will be blocked. Users will only be able to migrate their apps to F0 resources. After you've migrated an existing resource to F0, you can create a new resource in the E0 tier. Learn more about [migration here](https://docs.microsoft.com/azure/cognitive-services/luis/luis-migration-authoring).  
+* Moving applications to or from an E0 resource will be blocked. A work around for this limitation is to export your existing application, and import it as an E0 resource.
+* The Bing Spell check feature isn't supported.
+* Logging end-user traffic is disabled if your application is E0.
+* The Speech priming capability from the Azure Bot service isn't supported for applications in the E0 tier. This feature is available via the Azure Bot Service, which doesn't support CMK.
+* The speech priming capability from the portal requires Azure Blob Storage. For more information, see [bring your own storage](../Speech-Service/speech-encryption-of-data-at-rest.md#bring-your-own-storage-byos-for-customization-and-logging).
+
+### Enable customer-managed keys
+
+A new Cognitive Services resource is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Cognitive Services resource. The managed identity is available only after the resource is created using the Pricing Tier for CMK.
+
+To learn how to use customer-managed keys with Azure Key Vault for Cognitive Services encryption, see:
+
+- [Configure customer-managed keys with Key Vault for Cognitive Services encryption from the Azure portal](../Encryption/cognitive-services-encryption-keys-portal.md)
+
+Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
+
+> [!IMPORTANT]
+> If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working.
+
+> [!IMPORTANT]
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories).  
+
+### Store customer-managed keys in Azure Key Vault
+
+To enable customer-managed keys, you must use an Azure Key Vault to store your keys. You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
+
+Only RSA keys of size 2048 are supported with Cognitive Services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](https://docs.microsoft.com/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys).
+
+### Rotate customer-managed keys
+
+You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. When the key is rotated, you must update the Cognitive Services resource to use the new key URI. To learn how to update the resource to use a new version of the key in the Azure portal, see the section titled **Update the key version** in [Configure customer-managed keys for Cognitive Services by using the Azure portal](../Encryption/cognitive-services-encryption-keys-portal.md).
+
+Rotating the key does not trigger re-encryption of data in the resource. There is no further action required from the user.
+
+### Revoke access to customer-managed keys
+
+To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see [Azure Key Vault PowerShell](https://docs.microsoft.com/powershell/module/az.keyvault//) or [Azure Key Vault CLI](https://docs.microsoft.com/cli/azure/keyvault). Revoking access effectively blocks access to all data in the Cognitive Services resource, as the encryption key is inaccessible by Cognitive Services.
+
+## Next steps
+
+* [LUIS Service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk)
+* [Learn more about Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-overview)
@@ -410,6 +410,8 @@
     href: https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/
   - name: Compliance
     href: https://azure.microsoft.com/support/legal/cognitive-services-compliance-and-privacy/
+  - name: Encryption
+    href: luis-encryption-of-data-at-rest.md
   - name: Stack Overflow
     href: https://stackoverflow.com/questions/tagged/LUIS
   - name: UserVoice