Merge pull request #302490 from flang-msft/fxl---configure-disk-encrpytion-uuf-446760

fxll--- Updated to clarify encryption availability for UUF

Author: denrea

articles/azure-cache-for-redis/cache-how-to-encryption.md

@@ -1,15 +1,11 @@
 ---
 title: Configure disk encryption in Azure Cache for Redis
 description: Learn about disk encryption when using Azure Cache for Redis.
-
-
-
 ms.topic: how-to
-ms.date: 02/28/2024
+ms.date: 07/09/2025
 appliesto:
   - ✅ Azure Cache for Redis
 
-
 ---
 
 # Configure disk encryption for Azure Cache for Redis instances using customer managed keys
@@ -20,22 +16,23 @@ Azure Cache for Redis offers platform-managed keys (PMKs), also know as Microsof
 
 ## Scope of availability for CMK disk encryption
 
-| Tier | Basic, Standard, Premium  | Enterprise, Enterprise Flash  |
-|:-:|---------|---------------|
-|Microsoft managed keys (MMK) | Yes   | Yes             |
-|Customer managed keys (CMK) | No     |  Yes            |
+- **Basic, Standard, Premium tiers:**
+  - Microsoft managed keys (MMK) are used for disk encryption in most cache sizes, except Basic and Standard sizes C0 and C1.
+  - Customer managed keys (CMK) aren't supported.
+
+- **Enterprise, Enterprise Flash tiers:**
+  - Microsoft managed keys (MMK) are supported.
+  - Customer managed keys (CMK) are supported.
 
 > [!WARNING]
-> By default, all Azure Cache for Redis tiers use Microsoft managed keys to encrypt disks mounted to cache instances. However, in the Basic and Standard tiers, the C0 and C1 SKUs do not support any disk encryption.
+> By default, all Azure Cache for Redis tiers use Microsoft managed keys to encrypt disks mounted to cache instances. However, in the Basic and Standard tiers, the C0 and C1 SKUs don't support any disk encryption.
 >
 
 > [!IMPORTANT]
 > On the Premium tier, data persistence streams data directly to Azure Storage, so disk encryption is less important. Azure Storage offers a [variety of encryption methods](../storage/common/storage-service-encryption.md) to be used instead.
 >
 
-## Encryption coverage
-
-### Enterprise tiers
+## Encryption for Enterprise tier
 
 In the **Enterprise** tier, disk encryption is used to encrypt the persistence disk, temporary files, and the OS disk:
 
@@ -47,22 +44,22 @@ MMK is used to encrypt these disks by default, but CMK can also be used.
 
 In the **Enterprise Flash** tier, keys and values are also partially stored on-disk using nonvolatile memory express (NVMe) flash storage. However, this disk isn't the same as the one used for persisted data. Instead, it's ephemeral, and data isn't persisted after the cache is stopped, deallocated, or rebooted. MMK is only supported on this disk because this data is transient and ephemeral.
 
-| Data stored |Disk    |Encryption Options |
-|-------------------|------------------|-------------------|
-|Persistence files | Persistence disk | MMK or CMK |
-|RDB files waiting to be exported | OS disk and Persistence disk | MMK or CMK |
-|Keys & values (Enterprise Flash tier only) | Transient NVMe disk | MMK |
+| Data stored                                    | Disk                          | Encryption Options |
+|------------------------------------------------|-------------------------------|--------------------|
+| Persistence files                              | Persistence disk              | MMK or CMK         |
+| RDB files waiting to be exported               | OS disk and Persistence disk  | MMK or CMK         |
+| Keys & values (Enterprise Flash tier only)    | Transient NVMe disk           | MMK                |
 
-### Other tiers
+## Encryption for Basic, Standard, and Premium tiers
 
-In the **Basic, Standard, and Premium** tiers, the OS disk is encrypted by default using MMK. There's no persistence disk mounted and Azure Storage is used instead. The C0 and C1 SKUs do not use disk encryption.
+In the **Basic, Standard, and Premium** tiers, the OS disk is encrypted by default using MMK. There's no persistence disk mounted and Azure Storage is used instead. The C0 and C1 SKUs don't use disk encryption.
 
 ## Prerequisites and limitations
 
 ### General prerequisites and limitations
 
 - Disk encryption isn't available in the Basic and Standard tiers for the C0 or C1 SKUs
-- Only user assigned managed identity is supported to connect to Azure Key Vault. System assigned managed identity is not supported.
+- Only user assigned managed identity is supported to connect to Azure Key Vault. System assigned managed identity isn't supported.
 - Changing between MMK and CMK on an existing cache instance triggers a long-running maintenance operation. We don't recommend this for production use because a service disruption occurs.
 
 ### Azure Key Vault prerequisites and limitations
@@ -100,13 +97,13 @@ In the **Basic, Standard, and Premium** tiers, the OS disk is encrypted by defau
 
 1. If using the **URI** input method, enter the Key Identifier URI for your chosen key from Azure Key Vault.  
 
-1. When you've entered all the information for your cache, select **Review + create**.
+1. When you enter all the information for your cache, select **Review + create**.
 
 ### Add CMK encryption to an existing Enterprise cache
 
 1. Go to the **Encryption** in the Resource menu of your cache instance. If CMK is already set up, you see the key information.
 
-1. If you haven't set up or if you want to change CMK settings, select **Change encryption settings**
+1. If you haven't set up CMK or want to change CMK settings, select **Change encryption settings**.
    :::image type="content" source="media/cache-how-to-encryption/cache-encryption-existing-use.png" alt-text="Screenshot encryption selected in the Resource menu for an Enterprise tier cache.":::
 
 1. Select **Use a customer-managed key** to see your configuration options.
@@ -133,3 +130,4 @@ Learn more about Azure Cache for Redis features:
 
 - [Data persistence](cache-how-to-premium-persistence.md)
 - [Import/Export](cache-how-to-import-export-data.md)
+- [Import/Export](cache-how-to-import-export-data.md)