Commit 7795e3f

Merge pull request #281637 from tameikal-msft/tlaw-edits
Tlaw-edits
2 parents 8f41b6c + 009c93e commit 7795e3f

3 files changed

+22
-7
lines changed


articles/mysql/flexible-server/concepts-customer-managed-key.md

Lines changed: 17 additions & 5 deletions
@@ -16,13 +16,16 @@ ms.topic: conceptual
1616

1717
With data encryption with customer-managed keys for Azure Database for MySQL flexible server, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. With customer managed keys (CMKs), the customer is responsible for and ultimately controls the key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys.
1818

19+
> [!NOTE]
20+
> Azure Key Vault Managed HSM (Hardware Security Module) is currently supported for customer-managed keys for Azure Database for MySQL Flexible Server.
21+
1922
## Benefits
2023

2124
Data encryption with customer-managed keys for Azure Database for MySQL flexible server provides the following benefits:
2225

2326
- You fully control data access by the ability to remove the key and make the database inaccessible
2427
- Full control over the key lifecycle, including rotation of the key to aligning with corporate policies
25-
- Central management and organization of keys in Azure Key Vault
28+
- Central management and organization of keys in Azure Key Vault or Managed HSM
2629
- Ability to implement separation of duties between security officers, DBA, and system administrators
2730

2831
## How does data encryption with a customer-managed key work?
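Review bot: the new note at line 20 says Managed HSM "is currently supported" but gives the reader no indication of what that support covers, while the same PR deletes the Recommendations bullet stating that RSA keys in Managed HSM are not supported; make the note explicit rather than time-qualified, e.g. "> Azure Key Vault Managed HSM is supported for customer-managed keys on Azure Database for MySQL flexible server. The Managed HSM must be in the same region as the server." Also "Flexible Server" is capitalized here while the rest of the file uses "flexible server".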
@@ -38,6 +41,15 @@ The UMI must have the following access to the key vault:
3841
- **Wrap Key**: To be able to encrypt the DEK. The encrypted DEK is stored in the Azure Database for MySQL flexible server instance.
3942
- **Unwrap Key**: To be able to decrypt the DEK. Azure Database for MySQL flexible server needs the decrypted DEK to encrypt/decrypt the data.
4043

44+
If RBAC is enabled, the UMI must also be assigned the following role:
45+
46+
- **Key Vault Crypto Service Encryption User** or the role with the permissions:
47+
- Microsoft.KeyVault/vaults/keys/wrap/action
48+
- Microsoft.KeyVault/vaults/keys/unwrap/action
49+
- Microsoft.KeyVault/vaults/keys/read like "Key Vault Crypto Service Encryption User"
50+
- For Managed HSM, assign the **Managed HSM Crypto Service Encryption User** role
51+
52+
4153
### Terminology and description
4254

4355
**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that encrypts and decrypts a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key.
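Review bot: the RBAC block added at lines 44-50 mixes two lists and is ambiguous. "If RBAC is enabled" should say which model is meant (the Key Vault Azure RBAC permission model as opposed to access policies); "or the role with the permissions:" should be "or a custom role with the following permissions:"; and the trailing 'like "Key Vault Crypto Service Encryption User"' on the keys/read line repeats the role already named in the parent bullet and should be dropped. The Managed HSM line is not one of those permissions, so it belongs as a separate top-level bullet, e.g. "- **Key Vault Crypto Service Encryption User**, or a custom role with the following permissions:" / "  - Microsoft.KeyVault/vaults/keys/read" / "- For Managed HSM, assign the **Managed HSM Crypto Service Encryption User** role." Lines 51-52 also add two blank lines where one separates the section.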
@@ -59,7 +71,7 @@ After logging is enabled, auditors can use Azure Monitor to review Key Vault aud
5971
6072
## Requirements for configuring data encryption for Azure Database for MySQL flexible server
6173

62-
Before you attempt to configure Key Vault, be sure to address the following requirements.
74+
Before you attempt to configure Key Vault or Managed HSM, be sure to address the following requirements.
6375

6476
- The Key Vault and Azure Database for MySQL flexible server instance must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and flexible server interactions need to be supported. You'll need to reconfigure data encryption if you move Key Vault resources after performing the configuration.
6577
- The Key Vault and Azure Database for MySQL flexible server instance must reside in the same region.
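Review bot: line 74 now reads "Key Vault or Managed HSM", but the requirement bullets that follow at lines 76-77 still cover only the Key Vault ("The Key Vault and Azure Database for MySQL flexible server instance must belong to the same Microsoft Entra tenant", "... must reside in the same region"). Either rewrite them as "The Key Vault or Managed HSM and the Azure Database for MySQL flexible server instance must ..." or add the Managed HSM requirements explicitly; the same-region rule for Managed HSM that this PR adds to the Recommendations note belongs here as well. While touching this list, "Cross-tenant Key Vault and flexible server interactions need to be supported" reads as an open task; state plainly whether cross-tenant configurations are supported.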
@@ -80,16 +92,16 @@ Before you attempt to configure the CMK, be sure to address the following requir
8092
8193
## Recommendations for configuring data encryption
8294

83-
As you configure Key Vault to use data encryption using a customer-managed key, keep in mind the following recommendations.
95+
As you configure Key Vault or Managed HSM to use data encryption using a customer-managed key, keep in mind the following recommendations.
8496

8597
- Set a resource lock on Key Vault to control who can delete this critical resource and prevent accidental or unauthorized deletion.
8698
- Enable auditing and reporting on all encryption keys. Key Vault provides logs that are easy to inject into other security information and event management tools. Azure Monitor Log Analytics is one example of a service that's already integrated.
8799
- Keep a copy of the customer-managed key in a secure place or escrow it to the escrow service.
88100
- If Key Vault generates the key, create a key backup before using the key for the first time. You can only restore the backup to Key Vault. For more information about the backup command, see [Backup-AzKeyVaultKey](/powershell/module/az.keyVault/backup-azkeyVaultkey).
89101

90102
> [!NOTE]
91-
> * It is advised to use a key vault from the same region, but if necessary, you can use a key vault from another region by specifying the "enter key identifier" information.
92-
> * RSA key stored in **Azure Key Vault Managed HSM**, is currently not supported.
103+
> * It is advised to use a key vault from the same region, but if necessary, you can use a key vault from another region by specifying the "enter key identifier" information. The key vault managed HSM must be in the same region as the MySQL flexible server.
104+
93105

94106
## Inaccessible customer-managed key condition
95107

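Review bot: removing the bullet "RSA key stored in **Azure Key Vault Managed HSM**, is currently not supported" (old line 92) leaves no statement of which key types Managed HSM now accepts; if the limitation was lifted, say so explicitly rather than dropping it silently. The sentence added at line 103 about Managed HSM needing to be in the same region is appended to a bullet that explains how to use a key vault from another region; make it its own bullet: "> * A Managed HSM must be in the same region as the Azure Database for MySQL flexible server instance." The Recommendations bullets at lines 97-100 (resource lock on Key Vault, backup via Backup-AzKeyVaultKey) still refer only to Key Vault although the intro at line 95 now covers Managed HSM; confirm whether the same advice applies. Minor: line 95 has "to use data encryption using a customer-managed key" (double "use/using"), and line 103 says "MySQL flexible server" where the file otherwise says "Azure Database for MySQL flexible server".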
articles/mysql/flexible-server/how-to-data-encryption-cli.md

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ az login
4848
az account set --subscription \<subscription id\>
4949
```
5050

51-
- In Azure Key Vault, create a key vault and a key. The key vault must have the following properties to use as a customer-managed key:
51+
- In Azure Key Vault, create a key vault or managed HSM and a key. The key vault or managed HSM must have the following properties to use as a customer-managed key:
5252

5353
[Soft delete](../../key-vault/general/soft-delete-overview.md):
5454

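Review bot: line 51 now says the key vault "or managed HSM" must have "the following properties", but the list that follows starts with Key Vault soft delete and links to the Key Vault soft-delete overview. Check that each listed property applies to Managed HSM as written and, where a setting has a different name, default or location for Managed HSM, add a Managed HSM-specific note or link instead of implying the two are configured identically. Also "managed HSM" is lower-case here but "Managed HSM" in the other files in this PR.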
articles/mysql/flexible-server/overview.md

Lines changed: 4 additions & 1 deletion
@@ -140,7 +140,10 @@ See [Server concepts](concept-servers.md) for more information.
140140

141141
## Enterprise grade security, compliance, and privacy
142142

143-
Azure Database for MySQL flexible server uses the FIPS 140-2 validated cryptographic module to store data at rest. Data, including backups and temporary files created while running queries, are encrypted. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys can be system-managed (default).
143+
Azure Database for MySQL flexible server uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, and temporary files created while running queries are encrypted. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys can be system managed (default). You can also use customer managed keys (CMKs) to bring your own key (BYOK) stored in an Azure Key Vault or Managed Hardware Security Module (HSM) for data encryption at rest.
144+
145+
For more information, see [data encryption with customer managed keys for Azure Database for MySQL flexible server instances](concepts-customer-managed-key.md).
146+
144147

145148
Azure Database for MySQL flexible server encrypts data in-motion with transport layer security enforced by default. Azure Database for MySQL flexible server by default supports encrypted connections using Transport Layer Security (TLS 1.2) and all incoming connections with TLS 1.0 and TLS 1.1 are denied. You can disable TSL/SSL enforcement by setting the require_secure_transport server parameter and then setting the minimum tls_version for your server.
146149

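Review bot: the rewritten sentence at line 143 has a comma that breaks it: "Data, including backups, and temporary files created while running queries are encrypted." It should read "Data, including backups and temporary files created while running queries, is encrypted." The same line mixes "at-rest" and "at rest", and "system managed" and "customer managed keys" while the concepts page this paragraph links to uses "customer-managed"; pick one hyphenation. Pre-existing but two lines down in the same context: "TSL/SSL" should be "TLS/SSL".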