Commit 6373ff6

Merge pull request #210103 from jackrichins/patch-43
Add disk storage encryption
2 parents 2525a1c + aca8980 commit 6373ff6

2 files changed

+6
-6
lines changed

articles/key-vault/general/overview-vnet-service-endpoints.md

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Learn how virtual network service endpoints for Azure Key Vault all
44
services: key-vault
55
author: msmbaldwin
66
ms.author: mbaldwin
7-
ms.date: 01/02/2019
7+
ms.date: 09/06/2022
88
ms.service: key-vault
99
ms.subservice: general
1010
ms.topic: conceptual
@@ -46,6 +46,7 @@ Here's a list of trusted services that are allowed to access a key vault if the
4646
| Azure Database for PostgreSQL Single server | [Data encryption for Azure Database for PostgreSQL Single server](../../postgresql/howto-data-encryption-cli.md) |
4747
| Azure Databricks|[Fast, easy, and collaborative Apache Spark–based analytics service](/azure/databricks/scenarios/what-is-azure-databricks)|
4848
| Azure Disk Encryption volume encryption service|Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables [Azure Disk Encryption](../../security/fundamentals/encryption-overview.md).|
49+
| Azure Disk Storage | When configured with a Disk Encryption Set (DES). For more information, see [Server-side encryption of Azure Disk Storage using customer-managed keys](../../virtual-machines/disk-encryption.md#customer-managed-keys).|
4950
| Azure Event Hubs|[Allow access to a key vault for customer-managed keys scenario](../../event-hubs/configure-customer-managed-key.md)|
5051
| Azure Front Door Classic|[Using Key Vault certificates for HTTPS](../../frontdoor/front-door-custom-domain-https.md#prepare-your-key-vault-and-certificate)
5152
| Azure Front Door Standard/Premium|[Using Key Vault certificates for HTTPS](../../frontdoor/standard-premium/how-to-configure-https-custom-domain.md#prepare-your-key-vault-and-certificate)
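
Review bot: The added Azure Disk Storage row (new line 49) gives only a condition, "When configured with a Disk Encryption Set (DES)", and never says what the service is allowed to read from the vault, unlike the Azure Disk Encryption row directly above it, which names the keys involved and when they are accessed. Because this table lists services that are allowed to access a key vault, the row should state what is accessed and for what purpose, then give the DES condition. Please also confirm that the `#customer-managed-keys` anchor exists in `disk-encryption.md`, since that file is not part of this diff.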

articles/virtual-machines/disk-encryption-overview.md

Lines changed: 4 additions & 5 deletions
@@ -2,7 +2,7 @@
22
title: Overview of managed disk encryption options
33
description: Overview of managed disk encryption options
44
author: msmbaldwin
5-
ms.date: 08/12/2022
5+
ms.date: 09/06/2022
66
ms.topic: conceptual
77
ms.author: mbaldwin
88
ms.service: virtual-machines
@@ -16,7 +16,7 @@ There are several types of encryption available for your managed disks, includin
1616

1717
- **Azure Disk Encryption** helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the [DM-Crypt](https://wikipedia.org/wiki/Dm-crypt) feature of Linux or the [BitLocker](https://wikipedia.org/wiki/BitLocker) feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. For full details, see [Azure Disk Encryption for Linux VMs](./linux/disk-encryption-overview.md) or [Azure Disk Encryption for Windows VMs](./windows/disk-encryption-overview.md).
1818

19-
- **Server-Side Encryption** (also referred to as encryption-at-rest or Azure Storage encryption) automatically encrypts data stored on Azure managed disks (OS and data disks) when persisting on the Storage Clusters. For full details, see [Server-side encryption of Azure Disk Storage](./disk-encryption.md).
19+
- **Azure Disk Storage Server-Side Encryption** (also referred to as encryption-at-rest or Azure Storage encryption) automatically encrypts data stored on Azure managed disks (OS and data disks) when persisting on the Storage Clusters. When configured with a Disk Encryption Set (DES), it supports customer-managed keys as well. For full details, see [Server-side encryption of Azure Disk Storage](./disk-encryption.md).
2020

2121
- **Encryption at host** ensures that data stored on the VM host hosting your VM is encrypted at rest and flows encrypted to the Storage clusters. For full details, see [Encryption at host - End-to-end encryption for your VM data](./disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
2222

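Review bot: In the rewritten bullet on new line 19, "it supports customer-managed keys as well" has no referent for "as well", because the bullet never says which key type is used when no Disk Encryption Set is configured. Name the default key type in the same sentence so the reader can tell what changes when a DES is added. The parenthetical also still gives "Azure Storage encryption" as an alias while the bullet is now titled "Azure Disk Storage Server-Side Encryption"; check that the alias is still intended.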
@@ -26,12 +26,11 @@ Encryption is part of a layered approach to security and should be used with oth
2626

2727
## Comparison
2828

29-
Here's a comparison of SSE, ADE, encryption at host, and Confidential disk encryption.
29+
Here's a comparison of Disk Storage SSE, ADE, encryption at host, and Confidential disk encryption.
3030

3131
| | Encryption at rest (OS and data disks) | Temp disk encryption | Encryption of caches | Data flows encrypted between Compute and Storage | Customer control of keys | Does not use your VM's CPU | Works for custom images | Enhanced Key Protection | Microsoft Defender for Cloud disk encryption status |
3232
|--|--|--|--|--|--|--|--|--|--|
33-
| **Encryption at rest with platform-managed key (SSE+PMK)** | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | Unhealthy, not applicable if exempt |
34-
| **Encryption at rest with customer-managed key (SSE+CMK)** | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | Unhealthy, not applicable if exempt |
33+
| **Azure Disk Storage Server-Side Encryption at rest** | ✅ | ❌ | ❌ | ❌ | ✅ When configured with DES | ✅ | ✅ | ❌ | Unhealthy, not applicable if exempt |
3534
| **Azure Disk Encryption** | ✅ | ✅ | ✅ | ✅ | ✅ |❌ | ❌ Does not work for custom Linux images | ❌ | Healthy |
3635
| **Encryption at Host** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | Unhealthy, not applicable if exempt |
3736
| **Confidential disk encryption** | ✅ For the OS disk only | ❌ | ✅ For the OS disk only | ✅ For the OS disk only| ✅ For the OS disk only |❌ | ✅ | ✅ | Unhealthy, not applicable if exempt |
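
Review bot: Collapsing the SSE+PMK and SSE+CMK rows into the single row on new line 33 leaves the "Customer control of keys" cell as "✅ When configured with DES", so the table no longer shows that the platform-managed-key case had ❌ in that column. A reader scanning for the check mark can take customer key control as the default. Either keep two rows or write the cell so the default is explicit, for example "❌ by default, ✅ when configured with DES". The naming also differs between new line 29 ("Disk Storage SSE") and the row label ("Azure Disk Storage Server-Side Encryption at rest"); use one form in both places.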
