cmk portal

tamram · tamram · commit 32653f4d7eda · 2020-01-03T15:48:07.000-05:00
diff --git a/articles/storage/common/storage-encryption-keys-cli.md b/articles/storage/common/storage-encryption-keys-cli.md
@@ -42,7 +42,7 @@ For more information about configuring system-assigned managed identities with A
 
 ## Create a new key vault
 
-The key vault that you use to store customer-managed keys for Azure Storage encryption must have two key protection settings enabled, **Soft Delete** and **Do Not Purge**. To create a new key vault using PowerShell or Azure CLI with these settings enabled, execute the following commands. Remember to replace the placeholder values in brackets with your own values. 
+The key vault that you use to store customer-managed keys for Azure Storage encryption must have two key protection settings enabled, **Soft Delete** and **Do Not Purge**. To create a new key vault using PowerShell or Azure CLI with these settings enabled, execute the following commands. Remember to replace the placeholder values in brackets with your own values.
 
 To create a new key vault using Azure CLI, call [az keyvault create](/cli/azure/keyvault#az-keyvault-create). Remember to replace the placeholder values in brackets with your own values.
 
diff --git a/articles/storage/common/storage-encryption-keys-portal.md b/articles/storage/common/storage-encryption-keys-portal.md
@@ -7,7 +7,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 12/04/2019
+ms.date: 01/02/2020
 ms.author: tamram
 ms.reviewer: cbrooks
 ms.subservice: common
@@ -19,9 +19,18 @@ ms.subservice: common
 
 This article shows how to configure an Azure Key Vault with customer-managed keys using the [Azure portal](https://portal.azure.com/). To learn how to create a key vault using the Azure portal, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../../key-vault/quick-create-portal.md).
 
-> [!IMPORTANT]
-> Using customer-managed keys with Azure Storage encryption requires that two properties be set on the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default. To enable these properties, use either PowerShell or Azure CLI.
-> Only RSA keys and key size 2048 are supported.
+## Configure your Azure Key Vault
+
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/key-vault-overview.md).
+
+Using customer-managed keys with Azure Storage encryption requires that two properties be set on the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.
+
+To learn how to enable these properties on an existing key vault with PowerShell, see the sections titled **Enabling soft-delete** and **Enabling Purge Protection** in one of the following articles:
+
+- [How to use soft-delete with PowerShell](../../key-vault/key-vault-soft-delete-powershell.md).
+- [How to use soft-delete with CLI](../../key-vault/key-vault-soft-delete-cli.md).
+
+Only RSA keys of size 2048 are supported with Azure Storage encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](../../key-vault/about-keys-secrets-and-certificates.md#key-vault-keys).
 
 ## Enable customer-managed keys
 
@@ -40,31 +49,53 @@ After you enable customer-managed keys, you'll have the opportunity to specify a
 
 To specify a key as a URI, follow these steps:
 
-1. To locate the key URI in the Azure portal, navigate to your key vault, and select the **Keys** setting. Select the desired key, then click the key to view its settings. Copy the value of the **Key Identifier** field, which provides the URI.
+1. To locate the key URI in the Azure portal, navigate to your key vault, and select the **Keys** setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.
+1. Copy the value of the **Key Identifier** field, which provides the URI.
 
     ![Screenshot showing key vault key URI](media/storage-encryption-keys-portal/key-uri-portal.png)
 
 1. In the **Encryption** settings for your storage account, choose the **Enter key URI** option.
-1. In the **Key URI** field, specify the URI.
+1. Paste the URI that you copied into the **Key URI** field.
 
    ![Screenshot showing how to enter key URI](./media/storage-encryption-keys-portal/ssecmk2.png)
 
+1. Specify the subscription that contains the key vault.
+1. Save your changes.
+
 ### Specify a key from a key vault
 
 To specify a key from a key vault, first make sure that you have a key vault that contains a key. To specify a key from a key vault, follow these steps:
 
 1. Choose the **Select from Key Vault** option.
-2. Choose the key vault containing the key you want to use.
-3. Choose the key from the key vault.
+2. Select the key vault containing the key you want to use.
+3. Select the key from the key vault.
 
    ![Screenshot showing customer-managed key option](./media/storage-encryption-keys-portal/ssecmk3.png)
 
+1. Save your changes.
+
 ## Update the key version
 
-When you create a new version of a key, you'll need to update the storage account to use the new version. Follow these steps:
+When you create a new version of a key, update the storage account to use the new version. Follow these steps:
+
+1. Navigate to your storage account and display the **Encryption** settings.
+1. Enter the URI for the new key version. Alternately, you can select the key vault and the key again to update the version.
+1. Save your changes.
+
+## Use a different key
+
+To change the key used for Azure Storage encryption, follow these steps:
+
+1. Navigate to your storage account and display the **Encryption** settings.
+1. Enter the URI for the new key. Alternately, you can select the key vault and choose a new key.
+1. Save your changes.
+
+## Disable customer-managed keys
+
+When you disable customer-managed keys, your account is encrypted with Microsoft-managed keys. To disable customer-managed keys, follow these steps:
 
 1. Navigate to your storage account and display the **Encryption** settings.
-1. Specify the URI for the new key version. Alternately, you can select the key vault and the key again to update the version.
+1. Deselect the checkbox next to the **Use your own key** setting.
 
 ## Next steps
 
diff --git a/articles/storage/common/storage-encryption-keys-powershell.md b/articles/storage/common/storage-encryption-keys-powershell.md
@@ -21,6 +21,7 @@ This article shows how to configure an Azure Key Vault with customer-managed key
 
 > [!IMPORTANT]
 > Using customer-managed keys with Azure Storage encryption requires that two properties be set on the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default. To enable these properties, use either PowerShell or Azure CLI.
+> 
 > Only RSA keys and key size 2048 are supported.
 
 ## Assign an identity to the storage account
