Merge pull request #108364 from ThomasWeiss/thweiss-cosmosdb-cmk-intro

Changed CMK intro to explicit 2 encryption layers

Author: American-Dipper

articles/cosmos-db/how-to-setup-cmk.md

@@ -4,7 +4,7 @@ description: Learn how to configure customer-managed keys for your Azure Cosmos
 author: ThomasWeiss
 ms.service: cosmos-db
 ms.topic: conceptual
-ms.date: 03/12/2020
+ms.date: 03/19/2020
 ms.author: thweiss
 ROBOTS: noindex, nofollow
 ---
@@ -14,11 +14,9 @@ ROBOTS: noindex, nofollow
 > [!NOTE]
 > At this time, you must request access to use this capability. To do so, please contact [[email protected]](mailto:[email protected]).
 
-Data stored in your Azure Cosmos account is automatically and seamlessly encrypted. Azure Cosmos DB offers two options to manage the keys used to encrypt the data at rest:
+Data stored in your Azure Cosmos account is automatically and seamlessly encrypted with keys managed by Microsoft (**service-managed keys**). Optionally, you can choose to add a second layer of encryption with keys you manage (**customer-managed keys**).
 
-- **Service-managed keys**: By default, Microsoft manages the keys that are used to encrypt the data in your Azure Cosmos account.
-
-- **Customer-managed keys (CMK)**: You can optionally choose to add a second layer of encryption with your own keys.
+![Layers of encryption around customer data](./media/how-to-setup-cmk/cmk-intro.png)
 
 You must store customer-managed keys in [Azure Key Vault](../key-vault/key-vault-overview.md) and provide a key for each Azure Cosmos account that is enabled with customer-managed keys. This key is used to encrypt all the data stored in that account.