Merge pull request #212994 from vivgk/edits

cmkedits

Author: prmerger-automator[bot]

articles/mysql/flexible-server/concepts-customer-managed-key.md

@@ -16,17 +16,9 @@ ms.topic: conceptual
 
 With data encryption with customer-managed keys for Azure Database for MySQL - Flexible Server Preview, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. With customer managed keys (CMKs), the customer is responsible for and in a full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys. 
 
-Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault instance](../../key-vault/general/security-features.md). Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Key Vault doesn't allow direct access to a stored key, but instead provides encryption/decryption services using the key to the authorized entities. The key can be generated by the key vault, imported, or  [transferred to the key vault from an on-premises HSM device](../../key-vault/keys/hsm-protected-keys.md).
-
 > [!Note]
 > In the Public Preview, we can't enable geo redundancy on a flexible server that has CMK enabled, nor can we enable geo redundancy on a flexible server that has CMK enabled. 
 
-## Terminology and description
-
-**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key. 
-
-**Key encryption key (KEK)**: An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK. The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption rest](../../security/fundamentals/encryption-atrest.md).
-
 ## Benefits
 
 Data encryption with customer-managed keys for Azure Database for MySQL Flexible server provides the following benefits: 
@@ -35,7 +27,7 @@ Data encryption with customer-managed keys for Azure Database for MySQL Flexible
 - Full control over the key-lifecycle, including rotation of the key to align with corporate policies 
 - Central management and organization of keys in Azure Key Vault 
 - Ability to implement separation of duties between security officers, and DBA and system administrators 
-
+- 
 ## How does data encryption with a customer-managed key work?
 
 Managed identities in Azure Active Directory (Azure AD) provide Azure services an alternative to storing credentials in the code by provisioning an automatically assigned identity that can be used to authenticate to any service supporting Azure AD authentication, such as Azure Key Vault (AKV). Azure Database for MySQL Flexible server currently supports only User-assigned Managed Identity (UMI). For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
@@ -49,6 +41,16 @@ The UMI must have the following access to the key vault:
 - **Wrap Key**: To be able to encrypt the DEK. The encrypted DEK is stored in the Azure Database for MySQL Flexible server. 
 - **Unwrap Key**: To be able to decrypt the DEK. Azure Database for MySQL Flexible server needs the decrypted DEK to encrypt/decrypt the data 
 
+### Terminology and description
+
+**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key. 
+
+**Key encryption key (KEK)**: An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK. The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption rest](../../security/fundamentals/encryption-atrest.md).
+
+### How it works
+
+Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault instance](../../key-vault/general/security-features.md). Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Key Vault doesn't allow direct access to a stored key, but instead provides encryption/decryption services using the key to the authorized entities. The key can be generated by the key vault, imported, or  [transferred to the key vault from an on-premises HSM device](../../key-vault/keys/hsm-protected-keys.md).
+
 When you configure a flexible server to use a CMK stored in the key vault, the server sends the DEK to the key vault for encryptions. Key Vault returns the encrypted DEK, which is stored in the user database. Similarly, when needed, the flexible server will send the protected DEK to the key vault for decryption.
 
 :::image type="content" source="media/concepts-customer-managed-key/mysql-customer-managed-key.jpg" alt-text="Diagram of how data encryption with a customer-managed key work.":::
@@ -58,7 +60,7 @@ After logging is enabled, auditors can use Azure Monitor to review Key Vault aud
 > [!Note]
 > Permission changes can take up to 10 minutes to impact the key vault. This includes revoking access permissions to the TDE protector in AKV, and users within this time frame may still have access permissions. 
 
-**Requirements for configuring data encryption for Azure Database for MySQL Flexible server**
+## Requirements for configuring data encryption for Azure Database for MySQL Flexible server
 
 Before you attempt to configure Key Vault, be sure to address the following requirements. 
 
@@ -126,8 +128,11 @@ To avoid issues while setting up customer-managed data encryption during restore
 - Initiate the restore or read replica creation process from the source Azure Database for MySQL Flexible server.
 - On the restored/replica server, revalidate the customer-managed key in the data encryption settings to ensure that the User managed identity is given _Get, List, Wrap key_ and _Unwrap key_ permissions to the key stored in Key Vault.
 
+> [!Note]
+> Using the same identity and key as on the source server is not mandatory when performing a restore.
+
 ## Next steps
 - [Data encryption with Azure CLI (Preview)](how-to-data-encryption-cli.md)
 - [Data encryption with Azure portal (Preview)](how-to-data-encryption-portal.md)
-- [Azure Key Vault instance](../../key-vault/general/security-features.md)
 - [Security in encryption rest](../../security/fundamentals/encryption-atrest.md)
+- [Active Directory authentication (Preview)](concepts-azure-ad-authentication.md)