Merge pull request #190184 from alkohli/9-asepro2

Update screenshots for 2-node ASE Pro2 - needs to merge into the release branch today. Go live tomorrow 3/3.

Author: LJSpiller

articles/databox-online/azure-stack-edge-pro-2-deploy-activate.md

@@ -7,7 +7,7 @@ author: alkohli
 ms.service: databox
 ms.subservice: edge
 ms.topic: tutorial
-ms.date: 02/11/2022
+ms.date: 03/03/2022
 ms.author: alkohli
 # Customer intent: As an IT admin, I need to understand how to activate Azure Stack Edge Pro 2 so I can use it to transfer data to Azure. 
 ---
@@ -29,9 +29,9 @@ Before you configure and set up your Azure Stack Edge Pro 2, make sure that:
 
 * For your physical device: 
 
-    - You've installed the physical device as detailed in [Install Azure Stack Edge Pro](azure-stack-edge-pro-2-deploy-install.md).
+    - You've installed the physical device as detailed in [Install Azure Stack Edge Pro 2](azure-stack-edge-pro-2-deploy-install.md).
     - You've configured the network and compute network settings as detailed in [Configure network, compute network, web proxy](azure-stack-edge-pro-2-deploy-configure-network-compute-web-proxy.md)
-    - You have uploaded your own or generated the device certificates on your device if you changed the device name or the DNS domain via the **Device** page. If you haven't done this step, you will see an error during the device activation and the activation will be blocked. For more information, go to [Configure certificates](azure-stack-edge-pro-2-deploy-configure-certificates.md).
+    - You've uploaded your own or generated the device certificates on your device if you changed the device name or the DNS domain via the **Device** page. If you haven't done this step, you'll see an error during the device activation and the activation will be blocked. For more information, go to [Configure certificates](azure-stack-edge-pro-2-deploy-configure-certificates.md).
 
 * You have the activation key from the Azure Stack Edge service that you created to manage the Azure Stack Edge Pro 2 device. For more information, go to [Prepare to deploy Azure Stack Edge Pro 2](azure-stack-edge-pro-2-deploy-prep.md).
 
@@ -41,24 +41,23 @@ Before you configure and set up your Azure Stack Edge Pro 2, make sure that:
 1. In the local web UI of the device, go to **Get started** page.
 2. On the **Activation** tile, select **Activate**. 
 
-    ![Local web UI "Cloud details" page](./media/azure-stack-edge-pro-2-deploy-activate/activate-1.png)
+    ![Screenshot of local web UI with "Activate" highlighted in the Activation tile.](./media/azure-stack-edge-pro-2-deploy-activate/activate-1.png)
 
 3. In the **Activate** pane, enter the **Activation key** that you got in [Get the activation key for Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-prep.md#get-the-activation-key).
 
-4. Select **Apply**.
+4. Select **Activate**.
 
-    ![Local web UI "Cloud details" page 2](./media/azure-stack-edge-pro-2-deploy-activate/activate-2.png)
+    ![Screenshot of local web UI with "Activate" highlighted in the Activate blade.](./media/azure-stack-edge-pro-2-deploy-activate/activate-2.png)
 
 
-5. First the device is activated. You are then prompted to download the key file.
+5. First the device is activated. You're then prompted to download the key file.
 
-    ![Local web UI "Cloud details" page 3](./media/azure-stack-edge-gpu-deploy-activate/activate-3.png)
+    ![Screenshot of local web UI with Download and continue highlighted on the Device activated dialog.](./media/azure-stack-edge-pro-2-deploy-activate/activate-3.png)
 
     Select **Download and continue** and save the *device-serial-no.json* file in a safe location outside of the device. **This key file contains the recovery keys for the OS disk and data disks on your device**. These keys may be needed to facilitate a future system recovery.
 
     Here are the contents of the *json* file:
 
-        
     ```json
     {
       "Id": "<Device ID>",
@@ -67,23 +66,24 @@ Before you configure and set up your Azure Stack Edge Pro 2, make sure that:
         "hcsdata": "<BitLocker key for data disk>"
       },
       "SystemVolumeBitLockerRecoveryKey": "<BitLocker key for system volume>",
+      "SEDEncryptionExternalKey": "<Encryption-at-rest key for encrypted disks>",
       "ServiceEncryptionKey": "<Azure service encryption key>"
     }
-    ```
-        
+    ```        
 
     The following table explains the various keys:
 
     |Field  |Description  |
     |---------|---------|
     |`Id`    | This is the ID for the device.        |
-    |`DataVolumeBitLockerExternalKeys`|These are the BitLockers keys for the data disks and are used to recover the local data on your device.|
+    |`DataVolumeBitLockerExternalKeys`| These are the BitLocker keys for the data disks and are used to recover the local data on your device.|
     |`SystemVolumeBitLockerRecoveryKey`| This is the BitLocker key for the system volume. This key helps with the recovery of the system configuration and system data for your device. |
-    |`ServiceEncryptionKey`| This key protects the data flowing through the Azure service. This key ensures that a compromise of the Azure service will not result in a compromise of stored information. |
+    |`SEDEncryptionExternalKey`| This user provided or system generated key is used to protect the self-encrypting data drives that have a built-in encryption. |
+    |`ServiceEncryptionKey`| This key protects the data flowing through the Azure service. This key ensures that a compromise of the Azure service won't result in a compromise of stored information. |
 
 6. Go to the **Overview** page. The device state should show as **Activated**.
 
-   <!--![Local web UI "Cloud details" page 4](./media/azure-stack-edge-gpu-deploy-activate/activate-4.png)-->
+   ![Screenshot of local web UI "Overview" page with State highlighted.](./media/azure-stack-edge-pro-2-deploy-activate/activate-4.png)
 
 The device activation is complete. You can now add shares on your device.
 
@@ -93,7 +93,7 @@ If you encounter any issues during activation, go to [Troubleshoot activation an
 
 ## Deploy workloads
 
-After you have activated the device, the next step is to deploy workloads.
+After you've activated the device, the next step is to deploy workloads.
 
 - To deploy VM workloads, see [What are VMs on Azure Stack Edge?](azure-stack-edge-gpu-virtual-machine-overview.md) and the associated VM deployment documentation.
 - To deploy network functions as managed applications:
@@ -117,7 +117,7 @@ In this tutorial, you learned about:
 > * Prerequisites
 > * Activate the physical device
 
-To learn how to transfer data with your Azure Stack Edge device, see:
+To learn how to deploy workloads on your Azure Stack Edge device, see:
 
 > [!div class="nextstepaction"]
-> [Transfer data with Azure Stack Edge](./azure-stack-edge-gpu-deploy-add-shares.md)
+> [Configure compute to deploy IoT Edge and Kubernetes workloads on Azure Stack Edge](./azure-stack-edge-gpu-deploy-configure-compute.md)

articles/databox-online/azure-stack-edge-pro-2-deploy-configure-certificates.md

@@ -7,7 +7,7 @@ author: alkohli
 ms.service: databox
 ms.subservice: edge
 ms.topic: tutorial
-ms.date: 02/09/2022
+ms.date: 03/02/2022
 ms.author: alkohli
 # Customer intent: As an IT admin, I need to understand how to configure certificates for Azure Stack Edge Pro 2 so I can use it to establish a trust relationship between the device and the clients accessing the device. 
 ---
@@ -23,6 +23,7 @@ In this tutorial, you learn about:
 >
 > * Prerequisites
 > * Configure certificates for the physical device
+> * Configure encryption-at-rest
 
 ## Prerequisites
 
@@ -41,13 +42,15 @@ Before you configure and set up your Azure Stack Edge Pro 2 device, make sure th
 
 1. Open the **Certificates** page in the local web UI of your device. This page will display the certificates available on your device. The device is shipped with self-signed certificates, also referred to as the device certificates. You can also bring your own certificates.
 
-1. If you didn't change the device name or DNS domain when you [configured device settings earlier](azure-stack-edge-gpu-deploy-set-up-device-update-time.md#configure-device-settings), and you don't want to use your own certificates, you don't need any configuration on this page. You just need to verify that the status of all the certificates shows as valid on this page. 
+1. *Follow this step only if you didn't change the device name or DNS domain when you [configured device settings earlier](azure-stack-edge-gpu-deploy-set-up-device-update-time.md#configure-device-settings), and you don't want to use your own certificates.*
 
-     ![Screenshot of the Certificates page in the local web UI of Azure Stack Edge. The Certificates menu item is highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-2.png)
+    You don't need to perform any configuration on this page. You just need to verify that the status of all the certificates shows as valid on this page. 
 
-    You're ready to [Activate your device](azure-stack-edge-gpu-deploy-activate.md) with the existing device certificates.
+     ![Screenshot of the Certificates page in the local web UI of Azure Stack Edge. The Certificates menu item is highlighted.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/verify-certificate-status-1.png)
 
-1. Follow these steps only if you've changed the device name or the DNS domain for your device. In these instances, the status of your device certificates will be **Not valid**. That's because the device name and DNS domain in the certificates' `subject name` and `subject alternative` settings are out of date. 
+    You're ready to configure [Encryption-at-rest](#configure-encryption-at-rest) with the existing device certificates.
+
+1. *Follow the remaining steps only if you've changed the device name or the DNS domain for your device.* In these instances, the status of your device certificates will be **Not valid**. That's because the device name and DNS domain in the certificates' `subject name` and `subject alternative` settings are out of date. 
 
     You can select a certificate to view status details.   
 
@@ -62,13 +65,12 @@ Before you configure and set up your Azure Stack Edge Pro 2 device, make sure th
      - You can choose to bring some of your own certificates and generate some device certificates. The **Generate all the device certificates** option only regenerates the device certificates.
 
 
-
-3. When you have a full set of valid certificates for your device, the device is ready for activation. Select **< Back to Get started** to proceed to the next deployment step, [Activate your device](azure-stack-edge-gpu-deploy-activate.md).
+1. When you have a full set of valid certificates for your device, select **< Back to Get started**. You can now proceed to configure [Encryption-at-rest](#configure-encryption-at-rest).
 
     <!--![Screenshot of the Certificates page on an Azure Stack Edge device with a full set of valid certificates. The certificate states and the Back To Get Started button are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/proceed-to-activate-1.png)-->
 
 
-## Generate device certificates
+### Generate device certificates
 
 Follow these steps to generate device certificates.
 
@@ -129,7 +131,7 @@ If using Azure Storage Explorer, you'll need to install certificates on your cli
 > - You can decide to have a mix of device generated certificates and bring your own certificates as long as other certificate requirements are met. For more information, go to [Certificate requirements](azure-stack-edge-gpu-certificate-requirements.md).
     
 
-## Bring your own certificates
+### Bring your own certificates
 
 You can bring your own certificates. 
 
@@ -142,25 +144,25 @@ Follow these steps to upload your own certificates including the signing chain.
 
 1. To upload certificate, on the **Certificate** page, select **+ Add certificate**.
 
-    ![Screenshot of the Add Certificate pane in the local web UI of an Azure Stack Edge device. The Certificates menu item, Plus Add Certificate button, and Add Certificate pane are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/add-certificate-1.png)
+    ![Screenshot of the Add Certificate pane in the local web UI of an Azure Stack Edge device. The Certificates menu item, Plus Add Certificate button, and Add Certificate pane are highlighted.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/add-certificate-1.png)
 
 2. You can skip this step if you included all certificates in the certificate path when you [exported certificates in .pfx format](azure-stack-edge-gpu-prepare-certificates-device-upload.md#export-certificates-as-pfx-format-with-private-key). If you didn't include all certificates in your export, upload the signing chain, and then select **Validate & add**. You need to do this before you upload your other certificates.
 
     In some cases, you may want to bring a signing chain alone for other purposes - for example, to connect to your update server for Windows Server Update Services (WSUS).
 
-    ![Screenshot of the Add Certificate pane for a Signing Chain certificate in the local web UI of an Azure Stack Edge device. The certificate type, certificate entries, and Validate And Add button are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/add-certificate-2.png)
+    ![Screenshot of the Add Certificate pane for a Signing Chain certificate in the local web UI of an Azure Stack Edge device. The certificate type, certificate entries, and Validate And Add button are highlighted.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/add-certificate-2.png)
 
 3. Upload other certificates. For example, you can upload the Azure Resource Manager and Blob storage endpoint certificates.
 
-    ![Screenshot of the Add Certificate pane for endpoints for an Azure Stack Edge device. The certificate type and certificate entries are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/add-certificate-3.png)
+    ![Screenshot of the Add Certificate pane for endpoints for an Azure Stack Edge device. The certificate type and certificate entries are highlighted.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/add-certificate-3.png)
 
     You can also upload the local web UI certificate. After you upload this certificate, you'll be required to start your browser and clear the cache. You'll then need to connect to the device local web UI.  
 
-    ![Local web UI "Certificates" page 7](./media/azure-stack-edge-gpu-deploy-configure-certificates/add-certificate-5.png)
+    ![Local web UI "Certificates" page 7](./media/azure-stack-edge-pro-2-deploy-configure-certificates/add-certificate-4.png)
 
     You can also upload the node certificate.
 
-    ![Screenshot of the Add Certificate pane for the Local Web UI certificate for an Azure Stack Edge device. The certificate type and certificate entries highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/add-certificate-4.png)
+    ![Screenshot of the Add Certificate pane for the Local Web UI certificate for an Azure Stack Edge device. The certificate type and certificate entries highlighted.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/add-certificate-5.png)
 
     At any time, you can select a certificate and view the details to ensure that these match with the certificate that you uploaded.
 
@@ -174,7 +176,30 @@ Follow these steps to upload your own certificates including the signing chain.
     > Except for Azure public cloud, signing chain certificates are needed to be brought in before activation for all cloud configurations (Azure Government or Azure Stack).
 
 
-Your device is now ready to be activated. Select **< Back to Get started**.
+## Configure encryption-at-rest
+
+1. On the **Security** tile, select **Configure** for encryption-at-rest. 
+
+    > [!NOTE]
+    > This is a required setting and until this is successfully configured, you can't activate the device. 
+
+    At the factory, once the devices are imaged, the volume level BitLocker encryption is enabled. After you receive the device, you need to configure the encryption-at-rest. The storage pool and volumes are recreated and you can provide BitLocker keys to enable encryption-at-rest and thus create a second layer of encryption for your data-at-rest.
+
+1. In the **Encryption-at-rest** pane, provide a 32 character long Base-64 encoded key. This is a one-time configuration and this key is used to protect the actual encryption key. You can choose to automatically generate this key. 
+
+    ![Screenshot of the local web UI "Encryption at rest" pane wit system generated key.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/encryption-key-1.png)
+
+    You can also enter your own Base-64 encoded ASE-256 bit encryption key.
+
+    ![Screenshot of the local web UI "Encryption at rest" pane with bring your own key.](./media/azure-stack-edge-pro-2-deploy-configure-certificates/encryption-key-2.png)
+
+    The key is saved in a key file on the **Cloud details** page after the device is activated.
+
+1. Select **Apply**. This operation takes several minutes and the status of operation is displayed.
+
+    ![Screenshot of the "Double encryption at rest" notification. ](./media/azure-stack-edge-pro-2-deploy-configure-certificates/encryption-at-rest-status-1.png)
+
+1. After the status shows as **Completed**, your device is now ready to be activated. Select **< Back to Get started**.
 
 
 ## Next steps
@@ -185,6 +210,7 @@ In this tutorial, you learn about:
 >
 > * Prerequisites
 > * Configure certificates for the physical device
+> * Configure encryption-at-rest
 
 To learn how to activate your Azure Stack Edge Pro GPU device, see: