Merge pull request #208733 from RunCai/main

prmerger-automator[bot] · web-flow · commit 318cb2b78618 · 2022-08-24T07:37:56.000Z
Align Confidential VM OS disk encryption name with Azure disk encryption terminology.
diff --git a/articles/confidential-computing/confidential-vm-overview.md b/articles/confidential-computing/confidential-vm-overview.md
@@ -22,24 +22,24 @@ Some of the benefits of confidential VMs include:
 
 - Robust hardware-based isolation between virtual machines, hypervisor, and host management code.
 - Customizable attestation policies to ensure the host's compliance before deployment.
-- Cloud-based full-disk encryption before the first boot.
+- Cloud-based Confidential OS disk encryption before the first boot.
 - VM encryption keys that the platform or the customer (optionally) owns and manages.
 - Secure key release with cryptographic binding between the platform's successful attestation and the VM's encryption keys.
 - Dedicated virtual [Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-overview) instance for attestation and protection of keys and secrets in the virtual machine.
 - Secure boot capability similar to [Trusted launch for Azure VMs](../virtual-machines/trusted-launch.md)
 
-## Full-disk encryption
+## Confidential OS disk encryption
 
 Azure confidential VMs offer a new and enhanced disk encryption scheme. This scheme protects all critical partitions of the disk. It also binds disk encryption keys to the virtual machine's TPM and makes the protected disk content accessible only to the VM. These encryption keys can securely bypass Azure components, including the hypervisor and host operating system. To minimize the attack potential, a dedicated and separate cloud service also encrypts the disk during the initial creation of the VM.
 
 If the compute platform is missing critical settings for your VM's isolation, then during boot [Azure Attestation](https://azure.microsoft.com/services/azure-attestation/) won't attest to the platform's health. It will prevent the VM from starting. For example, this scenario happens if you haven't enabled SEV-SNP. 
 
-Full-disk encryption is optional, because this process can lengthen the initial VM creation time. You can choose between:
+Confidential OS disk encryption is optional, because this process can lengthen the initial VM creation time. You can choose between:
 
- - A confidential VM with full OS disk encryption before VM deployment that uses platform-managed keys (PMK) or a customer-managed key (CMK).
- - A confidential VM without OS disk encryption before VM deployment.
+ - A confidential VM with Confidential OS disk encryption before VM deployment that uses platform-managed keys (PMK) or a customer-managed key (CMK).
+ - A confidential VM without Confidential OS disk encryption before VM deployment.
 
-For further integrity and protection, confidential VMs offer [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot) by default. 
+For further integrity and protection, confidential VMs offer [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot) by default when confidential OS disk encryption is selected. 
 With Secure Boot, trusted publishers must sign OS boot components (including the boot loader, kernel, and kernel drivers). All compatible confidential VM images support Secure Boot. 
 
 ### Encryption pricing differences
@@ -99,7 +99,7 @@ Confidential VMs *don't support*:
 - Azure Backup
 - Azure Site Recovery
 - Azure Dedicated Host 
-- Microsoft Azure Virtual Machine Scale Sets with full OS disk encryption enabled
+- Microsoft Azure Virtual Machine Scale Sets with Confidential OS disk encryption enabled
 - Limited Azure Compute Gallery support
 - Shared disks
 - Ultra disks
