
Commit 97094df

Merge pull request #101209 from kummanish/master
Updating the existing content for Data encryption
2 parents 8abc787 + 7871a9c commit 97094df

4 files changed

+33
-33
lines changed


articles/mysql/concepts-data-encryption-mysql.md

Lines changed: 14 additions & 14 deletions
@@ -1,28 +1,28 @@
11
---
22
title: Azure Database for MySQL Data Encryption with customer-managed key
3-
description: Azure Database for MySQL Data Encryption with customer-managed key enables you to Bring Your Own Key (BYOK) for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data.
3+
description: Azure Database for MySQL data encryption with customer-managed key enables you to Bring Your Own Key (BYOK) for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data.
44
author: kummanish
55
ms.author: manishku
66
ms.service: mysql
77
ms.topic: conceptual
88
ms.date: 01/13/2020
99
---
1010

11-
# Azure Database for MySQL Data Encryption with customer-managed key
11+
# Azure Database for MySQL data encryption with customer-managed key
1212

1313
> [!NOTE]
1414
> At this time, you must request access to use this capability. To do so, please contact [email protected].
1515
16-
Azure Database for MySQL Data Encryption with customer-managed key enables you to Bring Your Own Key (BYOK) for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data. With customer-managed encryption, you are responsible for and in a full control of a key's lifecycle (key creation, upload, rotation, deletion), key usage permissions, and auditing of operations on keys.
16+
Azure Database for MySQL data encryption with customer-managed key enables you to Bring Your Own Key (BYOK) for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data. With customer-managed encryption, you are responsible for and in a full control of a key's lifecycle (key creation, upload, rotation, deletion), key usage permissions, and auditing of operations on keys.
1717

18-
For Azure Database for MySQL, the Data Encryption is set at the server-level. With this form of data encryption, the key is used to in the encryption of the Database Encryption Key (DEK), which is a customer-managed asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault (AKV)](../key-vault/key-Vault-secure-your-key-Vault.md), a cloud-based external key management system. AKV is highly available and provides scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). It doesn't allow direct access to a stored key but provides services of encryption/decryption using the key to the authorized entities. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-prem HSM device](../key-vault/key-Vault-hsm-protected-keys.md).
18+
For Azure Database for MySQL, the data encryption is set at the server-level. With this form of data encryption, the key is used to in the encryption of the Database Encryption Key (DEK), which is a customer-managed asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault (AKV)](../key-vault/key-Vault-secure-your-key-Vault.md), a cloud-based external key management system. AKV is highly available and provides scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). It doesn't allow direct access to a stored key but provides services of encryption/decryption using the key to the authorized entities. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-prem HSM device](../key-vault/key-Vault-hsm-protected-keys.md).
1919

2020
> [!NOTE]
2121
> This feature is available in all Azure regions where Azure Database for MySQL supports General Purpose and Memory Optimized pricing tiers.
2222
2323
## Benefits
2424

25-
Data Encryption for Azure Database for MySQL provides the following benefits:
25+
Data encryption for Azure Database for MySQL provides the following benefits:
2626

2727
* Increased transparency, granular control, and management for the encryption key.
2828
* Central management and organization of keys by hosting them in Azure Key Vault.
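Review bot: line 18 still conflates the two keys after the case change. It says the customer-managed key is used in the encryption of the Database Encryption Key (DEK), "which is a customer-managed asymmetric key stored in a customer-owned and customer-managed Azure Key Vault", but the Terminology section below defines the DEK as a symmetric AES256 key; the asymmetric key held in Key Vault is the KEK. Suggest rewording to something like "the customer-managed key, an asymmetric RSA key stored in a customer-owned and customer-managed [Azure Key Vault (AKV)](...), is used to encrypt the Data Encryption Key (DEK)", which also removes the stray "used to in the encryption". In the same hunk, line 16 "in a full control of a key's lifecycle" should read "in full control of a key's lifecycle".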
@@ -32,33 +32,33 @@ Data Encryption for Azure Database for MySQL provides the following benefits:
3232

3333
## Terminology and description
3434

35-
**Data Encryption Key (DEK)** – A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key.
35+
**Data encryption Key (DEK)** – A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key.
3636

37-
**Key Encryption Key (KEK)** - An encryption key used to encrypt the Data Encryption Keys. Use of a Key Encryption Key that never leaves Key Vault, allows the data encryption keys themselves to be encrypted and controlled. The entity that has access to the KEK may be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK.
37+
**Key Encryption Key (KEK)** - An encryption key used to encrypt the data encryption Keys. Use of a Key Encryption Key that never leaves Key Vault, allows the data encryption keys themselves to be encrypted and controlled. The entity that has access to the KEK may be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK.
3838

39-
The Data Encryption Keys, encrypted with the Key Encryption Keys are stored separately and only an entity with access to the Key Encryption Key can decrypt these Data Encryption Keys. For more information, see [security in encryption at rest](../security/fundamentals/encryption-atrest.md).
39+
The Data encryption Keys (DEK), encrypted with the Key Encryption Keys, are stored separately and only an entity with access to the Key Encryption Key can decrypt these data encryption Keys. For more information, see [security in encryption at rest](../security/fundamentals/encryption-atrest.md).
4040

41-
## How Data Encryption with customer-managed key works
41+
## How data encryption with customer-managed key works
4242

4343
![Bring your own key overview](media/concepts-data-access-and-security-data-encryption/mysqloverview.png)
4444

4545
For a MySQL server to be able to use customer-managed keys stored in AKV for encryption of the DEK, a Key Vault administrator needs to give the following access rights to the server using its unique identity:
4646

4747
* **get** - for retrieving the public part and properties of the key in the Key Vault
48-
* **wrapKey** - to be able to protect (encrypt) DEK
49-
* **unwrapKey** - to be able to unprotect (decrypt) DEK
48+
* **wrapKey** - to be able to encrypt DEK
49+
* **unwrapKey** - to be able to decrypt DEK
5050

5151
Key Vault administrator can also [enable logging of Key Vault audit events](../azure-monitor/insights/azure-key-vault.md), so they can be audited later.
5252

5353
When the server is configured to use the customer-managed key that is stored in the Key Vault, the server sends the DEK to the Key Vault for encryptions. Key Vault returns the encrypted DEK, which is stored in the user database. Similarly, when needed, server sends protected DEK to the Key Vault for decryption. Auditors can use Azure Monitor to review Key Vault AuditEvent logs, if logging is enabled.
5454

55-
## Requirements for configuring Data Encryption for Azure Database for MySQL
55+
## Requirements for configuring data encryption for Azure Database for MySQL
5656

5757
### Requirements for configuring AKV
5858

5959
* Key Vault and Azure Database for MySQL must belong to the same Azure Active Directory (AAD) tenant. Cross-tenant Key Vault and server interactions are not supported. Moving resources afterwards requires you to reconfigure the data encryption. Learn more about moving resources.
6060
* Soft-delete feature must be enabled on the Key Vault, to protect from data loss accidental key (or Key Vault) deletion happens. Soft-deleted resources are retained for 90 days, unless recovered or purged by the customer in the meantime. The recover and purge actions have their own permissions associated in a Key Vault access policy. Soft-delete feature is off by default and can be enabled via Powershell or CLI. It cannot be enabled via Azure portal.
61-
* Grant the Azure Database for MySQL access to the Key Vault with the **get, wrapKey, unwrapKey** permissions using its unique managed identity. When using Azure portal, the unique identify gets automatically created when data encryption is enabled on the MySQL. See [Configure Data Encryption for MySQL](howto-data-encryption-portal.md) for detailed step-by-step instructions when using Azure portal.
61+
* Grant the Azure Database for MySQL access to the Key Vault with the **get, wrapKey, unwrapKey** permissions using its unique managed identity. When using Azure portal, the unique identify gets automatically created when data encryption is enabled on the MySQL. See [Configure data encryption for MySQL](howto-data-encryption-portal.md) for detailed step-by-step instructions when using Azure portal.
6262

6363
* When using firewall with AKV, you must enable option *Allow trusted Microsoft services to bypass the firewall*.
6464
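Review bot: the lowercasing in lines 35-39 is inconsistent: "Data encryption Key (DEK)", "the data encryption Keys" and "The Data encryption Keys (DEK)" mix cases, while "Key Encryption Key (KEK)" keeps title case in the same lines. Since both are defined terms with acronyms, keep "Data Encryption Key (DEK)" and "Key Encryption Key (KEK)" as written and lowercase only the generic phrase "data encryption". Lines 48-49 drop "protect (encrypt)" / "unprotect (decrypt)", which loses the point that these permissions wrap the DEK with the KEK; suggest "to wrap (encrypt) the DEK with the KEK" and "to unwrap (decrypt) the DEK". While touching this region: line 35 "crypto analysis attacks" should be "cryptanalysis attacks"; line 53 "for encryptions" should be "for encryption"; line 60 "to protect from data loss accidental key (or Key Vault) deletion happens" is garbled (suggest "to protect from data loss if accidental key (or Key Vault) deletion happens") and "Powershell" should be "PowerShell"; line 61 "the unique identify gets automatically created" should be "the unique identity".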

@@ -69,7 +69,7 @@ When the server is configured to use the customer-managed key that is stored in
6969
* The key must be in the *Enabled* state.
7070
* If you are importing existing key into the Key Vault, make sure to provide it in the supported file formats (`.pfx`, `.byok`, `.backup`).
7171

72-
## Recommendations when using Data Encryption using customer-managed key
72+
## Recommendations when using data encryption using customer-managed key
7373

7474
### Recommendation for configuring AKV
7575

articles/mysql/howto-data-encryption-portal.md

Lines changed: 4 additions & 4 deletions
@@ -10,7 +10,7 @@ ms.date: 01/13/2020
1010

1111
# Data Encryption for Azure Database for MySQL server using Azure portal
1212

13-
In this article, you will learn how to set up and manage to use the Azure portal to set up Data Encryption for your Azure Database for MySQL.
13+
In this article, you will learn how to set up and manage to use the Azure portal to set up data encryption for your Azure Database for MySQL.
1414

1515
## Prerequisites for CLI
1616

@@ -46,7 +46,7 @@ In this article, you will learn how to set up and manage to use the Azure portal
4646
4747
3. **Save** the settings.
4848
49-
## Setting Data Encryption for Azure Database for MySQL
49+
## Setting data encryption for Azure Database for MySQL
5050
5151
1. On the **Azure Database for MySQL**, select the **Data Encryption** to set the customer-managed key setup.
5252
@@ -60,7 +60,7 @@ In this article, you will learn how to set up and manage to use the Azure portal
6060
6161
4. To ensure all files (including **temp files**) are full encrypted, a server **restart** is **required**.
6262
63-
## Restoring or creating replica of the server, which has Data Encryption enabled
63+
## Restoring or creating replica of the server, which has data encryption enabled
6464
6565
Once an Azure Database for MySQL is encrypted with customer's managed key stored in the Key Vault, any newly created copy of the server either though local or geo-restore operation or a replica (local/cross-region) operation. So for an encrypted MySQL server, you can follow the steps below to create an encrypted restored server.
6666
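Review bot: line 65 is an incomplete sentence that this hunk leaves as is: "any newly created copy of the server either though local or geo-restore operation or a replica (local/cross-region) operation." has no main clause, and "though" should be "through". The sentence needs to say what happens to that copy with respect to the customer-managed key before the "So for an encrypted MySQL server, you can follow the steps below" that relies on it. Also in this hunk: line 63 should read "Restoring or creating a replica of a server that has data encryption enabled", and line 61 "full encrypted" should be "fully encrypted".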
@@ -91,4 +91,4 @@ Once an Azure Database for MySQL is encrypted with customer's managed key stored
9191
9292
## Next steps
9393
94-
To learn more about Data Encryption, see [what is Azure data encryption](concepts-data-encryption-mysql.md).
94+
To learn more about data encryption, see [what is Azure data encryption](concepts-data-encryption-mysql.md).
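Review bot: line 94's link text "what is Azure data encryption" does not match the target article's title as changed in this PR ("Azure Database for MySQL data encryption with customer-managed key"); suggest aligning the link text with that title so readers know the link covers the customer-managed key feature specifically.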
