Merge pull request #257604 from MicrosoftDocs/release-esan-preview-two

Merging release branch to main for release

Author: huypub

articles/storage/elastic-san/TOC.yml

@@ -22,6 +22,8 @@ items:
     href: elastic-san-performance.md
   - name: Clustered applications
     href: elastic-san-shared-volumes.md
+  - name: Encryption
+    href: elastic-san-encryption-overview.md
 - name: How to
   items:
   - name: Deploy an Elastic SAN
@@ -38,6 +40,12 @@ items:
     href: elastic-san-expand.md
   - name: Delete an Elastic SAN
     href: elastic-san-delete.md
+  - name: Manage Encryption
+    items:
+    - name: Configure customer-managed keys with Key Vault
+      href: elastic-san-configure-customer-managed-keys.md
+    - name: Manage customer keys
+      href: elastic-san-encryption-manage-customer-keys.md
 - name: Samples
   items:
   - name: Create elastic SAN volumes in a batch

articles/storage/elastic-san/elastic-san-configure-customer-managed-keys.md

@@ -31,7 +31,7 @@ The iSCSI CSI driver for Kubernetes is [licensed under the Apache 2.0 license](h
 - Use either the [latest Azure CLI](/cli/azure/install-azure-cli) or install the [latest Azure PowerShell module](/powershell/azure/install-azure-powershell)
 - Meet the [compatibility requirements](https://github.com/kubernetes-csi/csi-driver-iscsi/blob/master/README.md#container-images--kubernetes-compatibility) for the iSCSI CSI driver
 - [Deploy an Elastic SAN Preview](elastic-san-create.md)
-- [Configure a virtual network endpoint](elastic-san-networking.md#configure-a-virtual-network-endpoint)
+- [Configure a virtual network endpoint](elastic-san-networking.md)
 - [Configure virtual network rules](elastic-san-networking.md#configure-virtual-network-rules)
 
 ## Limitations
@@ -57,13 +57,13 @@ kubectl -n kube-system get pod -o wide -l app=csi-iscsi-node
 
 You need the volume's StorageTargetIQN, StorageTargetPortalHostName, and StorageTargetPortalPort.
 
-You may get them with the following Azure PowerShell command:
+You can get them with the following Azure PowerShell command:
 
 ```azurepowershell
 Get-AzElasticSanVolume -ResourceGroupName $resourceGroupName -ElasticSanName $sanName -VolumeGroupName $searchedVolumeGroup -Name $searchedVolume 
 ```
 
-You may also get them with the following Azure CLI command:
+You can also get them with the following Azure CLI command:
 
 ```azurecli
 az elastic-san volume show --elastic-san-name --name --resource-group --volume-group-name

articles/storage/elastic-san/elastic-san-connect-aks.md

@@ -19,7 +19,7 @@ In this article, you'll add the Storage service endpoint to an Azure virtual net
 
 - Use either the [latest Azure CLI](/cli/azure/install-azure-cli) or install the [latest Azure PowerShell module](/powershell/azure/install-azure-powershell)
 - [Deploy an Elastic SAN Preview](elastic-san-create.md)
-- [Configure a virtual network endpoint](elastic-san-networking.md#configure-a-virtual-network-endpoint)
+- [Configure a virtual network endpoint](elastic-san-networking.md)
 - [Configure virtual network rules](elastic-san-networking.md#configure-virtual-network-rules)
 
 ## Limitations

articles/storage/elastic-san/elastic-san-connect-linux.md

@@ -19,7 +19,7 @@ In this article, you add the Storage service endpoint to an Azure virtual networ
 
 - Use either the [latest Azure CLI](/cli/azure/install-azure-cli) or install the [latest Azure PowerShell module](/powershell/azure/install-azure-powershell)
 - [Deploy an Elastic SAN Preview](elastic-san-create.md)
-- [Configure a virtual network endpoint](elastic-san-networking.md#configure-a-virtual-network-endpoint)
+- [Configure a virtual network endpoint](elastic-san-networking.md)
 - [Configure virtual network rules](elastic-san-networking.md#configure-virtual-network-rules)
 
 ## Limitations

articles/storage/elastic-san/elastic-san-connect-windows.md

@@ -17,7 +17,7 @@ This article explains how to deploy and configure an elastic storage area networ
 
 - If you're using Azure PowerShell, install the [latest Azure PowerShell module](/powershell/azure/install-azure-powershell).
 - If you're using Azure CLI, install the [latest version](/cli/azure/install-azure-cli).
-    - Once you've installed the latest version, run `az extension add -n elastic-san` to install the extension for Elastic SAN.
+- Once you've installed the latest version, run `az extension add -n elastic-san` to install the extension for Elastic SAN.
 There are no additional registration steps required.
 
 ## Limitations
@@ -44,7 +44,7 @@ There are no additional registration steps required.
 
 # [PowerShell](#tab/azure-powershell)
 
-Use one of these sets of sample code to create an Elastic SAN that uses locally redundant storage or zone-redundant storage. Replace all placeholder text with your own values and use the same variables in of all the examples in this article:
+Use one of these sets of sample code to create an Elastic SAN that uses locally redundant storage or zone-redundant storage. Replace all placeholder text with your own values and use the same variables in all of the examples in this article:
 
 | Placeholder                      | Description |
 |----------------------------------|-------------|
@@ -89,7 +89,7 @@ New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -Location $Location
 
 # [Azure CLI](#tab/azure-cli)
 
-Use one of these sets of sample code to create an Elastic SAN that uses locally redundant storage or zone-redundant storage. Replace all placeholder text with your own values and use the same variables in of all the examples in this article:
+Use one of these sets of sample code to create an Elastic SAN that uses locally redundant storage or zone-redundant storage. Replace all placeholder text with your own values and use the same variables in all of the examples in this article:
 
 | Placeholder                      | Description |
 |----------------------------------|-------------|
@@ -205,4 +205,4 @@ az elastic-san volume create --elastic-san-name $EsanName -g $RgName -v $EsanVgN
 
 ## Next steps
 
-Now that you've deployed an Elastic SAN, Connect to Elastic SAN (preview) volumes from either [Windows](elastic-san-connect-windows.md) or [Linux](elastic-san-connect-linux.md) clients.
+Now that you've deployed an Elastic SAN, Connect to Elastic SAN (preview) volumes from either [Windows](elastic-san-connect-windows.md) or [Linux](elastic-san-connect-linux.md) clients.

articles/storage/elastic-san/elastic-san-create.md

@@ -62,21 +62,21 @@ iscsiadm --mode node --target **yourStorageTargetIQN** --portal **yourStorageTar
 
 ## Delete a SAN
 
-When your SAN has no active connections to any clients, you may delete it using the Azure portal or Azure PowerShell module. If you delete a SAN or a volume group, the corresponding child resources will be deleted along with it. The delete commands for each of the resource levels are below.
+You can delete your SAN by using the Azure portal, Azure PowerShell, or Azure CLI. If you delete a SAN or a volume group, the corresponding child resources will be deleted along with it. The delete commands for each of the resource levels are below.
 
 
-To delete volumes, run the following commands.
+The following commands delete your volumes. These commands use `ForceDelete false`, `-DeleteSnapshot false`, `--x-ms-force-delete false`, and `--x-ms-delete-snapshots false` parameters for PowerShell and CLI, respectively. If you set `ForceDelete` or `--x-ms-force-delete` to `true`, it'll cause volume deletion to succeed even if you've active iSCSI connections. If you set `-DeleteSnapshot` or `--x-ms-delete-snapshots` to `true`, it'll delete all snapshots associated with the volume, as well as the volume itself.
 
 # [PowerShell](#tab/azure-powershell)
 
 ```azurepowershell
-Remove-AzElasticSanVolume -ResourceGroupName $resourceGroupName -ElasticSanName $sanName -VolumeGroupName $volumeGroupName -Name $volumeName
+Remove-AzElasticSanVolume -ResourceGroupName $resourceGroupName -ElasticSanName $sanName -VolumeGroupName $volumeGroupName -Name $volumeName -ForceDelete false -DeleteSnapshot false
 ```
 
 # [Azure CLI](#tab/azure-cli)
 
 ```azurecli
-az elastic-san volume delete -e $sanName -g $resourceGroupName -v $volumeGroupName -n $volumeName
+az elastic-san volume delete -e $sanName -g $resourceGroupName -v $volumeGroupName -n $volumeName --x-ms-force-delete false --x-ms-delete-snapshots false
 ```
 ---
 

articles/storage/elastic-san/elastic-san-delete.md

@@ -0,0 +1,108 @@
+---
+title: Learn how to manage keys for Elastic SAN Preview
+titleSuffix: Azure Elastic SAN Storage
+description: Learn how to manage keys for Elastic SAN Preview
+author: roygara
+
+ms.service: azure-elastic-san-storage
+ms.topic: how-to
+ms.date: 11/06/2023
+ms.author: rogarana
+ms.reviewer: jaylansdaal
+---
+
+# Learn how to manage keys for Elastic SAN Preview
+
+All data written to an Elastic SAN volume is automatically encrypted-at-rest with a data encryption key (DEK). Azure DEKs are always *platform-managed* (managed by Microsoft). Azure uses [envelope encryption](../../security/fundamentals/encryption-atrest.md#envelope-encryption-with-a-key-hierarchy), also referred to as wrapping, which involves using a Key Encryption Key (KEK) to encrypt the DEK. By default, the KEK is platform-managed, but you can create and manage your own KEK. [Customer-managed keys](elastic-san-encryption-overview.md#customer-managed-keys) offer greater flexibility to manage access controls and can help you meet your organization security and compliance requirements.
+
+You control all aspects of your key encryption keys, including:
+
+- Which key is used
+- Where your keys are stored
+- How the keys are rotated
+- The ability to switch between customer-managed and platform-managed keys
+
+This article tells you how to manage your customer-managed KEKs.
+
+> [!NOTE]
+> Envelope encryption allows you to change your key configuration without impacting your Elastic SAN volumes. When you make a change, the Elastic SAN service re-encrypts the data encryption keys with the new keys. The protection of the data encryption key changes, but the data in your Elastic SAN volumes remain encrypted at all times. There is no additional action required on your part to ensure that your data is protected. Changing the key configuration doesn't impact performance, and there is no downtime associated with such a change.
+
+## Limitations
+
+[!INCLUDE [elastic-san-regions](../../../includes/elastic-san-regions.md)]
+
+## Change the key
+
+You can change the key that you're using for Azure Elastic SAN encryption at any time.
+
+To change the key with PowerShell, call [Update-AzElasticSanVolumeGroup](/powershell/module/az.elasticsan/update-azelasticsanvolumegroup) and provide the new key name and version. If the new key is in a different key vault, then you must also update the key vault URI.
+
+
+If the new key is in a different key vault, you must [grant the managed identity access to the key in the new vault](elastic-san-configure-customer-managed-keys.md#choose-a-managed-identity-to-authorize-access-to-the-key-vault). If you opt for manual updating of the key version, you'll also need to [update the key vault URI](elastic-san-configure-customer-managed-keys.md#manual-key-version-rotation).
+
+## Update the key version
+
+Following cryptographic best practices means to rotate the key that is protecting your Elastic SAN volume group on a regular schedule, typically at least every two years. Azure Elastic SAN never modifies the key in the key vault, but you can configure a key rotation policy to rotate the key according to your compliance requirements. For more information, see [Configure cryptographic key auto-rotation in Azure Key Vault](../../key-vault/keys/how-to-configure-key-rotation.md).
+
+After the key is rotated in the key vault, the customer-managed KEK configuration for your Elastic SAN volume group must be updated to use the new key version. Customer-managed keys support both automatic and manual updating of the KEK version. You can decide which approach you want to use when you initially configure customer-managed keys, or when you update your configuration.
+
+When you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Elastic SAN volume group remains encrypted at all times. There's no extra action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance, and there's no downtime associated with rotating the key version.
+
+> [!IMPORTANT]
+> To rotate a key, create a new version of the key in the key vault, according to your compliance requirements. Azure Elastic SAN does not handle key rotation, so you will need to manage rotation of the key in the key vault.
+>
+> When you rotate the key used for customer-managed keys, that action is not currently logged to the Azure Monitor logs for Azure Elastic SAN.
+
+### Automatically update the key version
+
+To automatically update a customer-managed key when a new version is available, omit the key version when you enable encryption with customer-managed keys for the Elastic SAN volume group. If the key version is omitted, then Azure Elastic SAN checks the key vault daily for a new version of a customer-managed key. If a new key version is available, then Azure Elastic SAN automatically uses the latest version of the key.
+
+Azure Elastic SAN checks the key vault for a new key version only once daily. When you rotate a key, be sure to wait 24 hours before disabling the older version.
+
+If the Elastic SAN volume group was previously configured for manual updating of the key version and you want to change it to update automatically, you might need to explicitly change the key version to an empty string. For details on how to do this, see [Manual key version rotation](elastic-san-configure-customer-managed-keys.md#manual-key-version-rotation).
+
+### Manually update the key version
+
+To use a specific version of a key for Azure Elastic SAN encryption, specify that key version when you enable encryption with customer-managed keys for the Elastic SAN volume group. If you specify the key version, then Azure Elastic SAN uses that version for encryption until you manually update the key version.
+
+When the key version is explicitly specified, then you must manually update the Elastic SAN volume group to use the new key version URI when a new version is created. To learn how to update the Elastic SAN volume group to use a new version of the key, see [Configure encryption with customer-managed keys stored in Azure Key Vault](elastic-san-configure-customer-managed-keys.md).
+
+## Revoke access to a volume group that uses customer-managed keys
+
+To temporarily revoke access to an Elastic SAN volume group that is using customer-managed keys, disable the key currently being used in the key vault. There's no performance impact or downtime associated with disabling and reenabling the key.
+
+After the key has been disabled, clients can't call operations that read from or write to volumes in the volume group or their metadata.
+
+
+> [!CAUTION]
+> When you disable the key in the key vault, the data in your Azure Elastic SAN volume group remains encrypted, but it becomes inaccessible until you reenable the key.
+
+To revoke a customer-managed key with PowerShell, call the [Update-AzKeyVaultKey](/powershell/module/az.keyvault/update-azkeyvaultkey) command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values to define the variables, or use the variables defined in the previous examples.
+
+```azurepowershell
+$KvName  = "<key-vault-name>"
+$KeyName = "<key-name>"
+$enabled = $false
+# $false to disable the key / $true to enable it
+
+# Check the current state of the key (before and after enabling/disabling it)
+Get-AzKeyVaultKey -Name $KeyName -VaultName $KvName
+
+# Disable (or enable) the key
+Update-AzKeyVaultKey -VaultName $KvName -Name $KeyName -Enable $enabled
+```
+
+## Switch back to platform-managed keys
+
+You can switch from customer-managed keys back to platform-managed keys at any time, using the Azure PowerShell module.
+
+To switch from customer-managed keys back to platform-managed keys with PowerShell, call [Update-AzElasticSanVolumeGroup](/powershell/module/az.elasticsan/update-azelasticsanvolumegroup) with the `-Encryption` option, as shown in the following example. Remember to replace the placeholder values with your own values and to use the variables defined in the previous examples.
+
+```azurepowershell
+Update-AzElasticSanVolumeGroup -ResourceGroupName "ResourceGroupName" -ElasticSanName "ElasticSanName" -Name "ElasticSanVolumeGroupName" -Encryption EncryptionAtRestWithPlatformKey 
+```
+
+
+## See also
+
+- [Configure customer-managed keys for an Elastic SAN volume group](elastic-san-configure-customer-managed-keys.md)