update

Author: msmbaldwin

articles/azure-government/azure-secure-isolation-guidance.md

@@ -159,7 +159,7 @@ You can also use the [Azure Key Vault solution in Azure Monitor](/azure/key-vaul
 #### Vault
 **[Vaults](/azure/key-vault/general/overview)** provide a multitenant, low-cost, easy to deploy, zone-resilient (where available), and highly available key management solution suitable for most common cloud application scenarios. Vaults can store and safeguard [secrets, keys, and certificates](/azure/key-vault/general/about-keys-secrets-certificates). They can be either software-protected (standard tier) or HSM-protected (premium tier). For a comparison between the standard and premium tiers, see the [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/). Software-protected secrets, keys, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. If you require extra assurances, you can choose to safeguard your secrets, keys, and certificates in vaults protected by multitenant HSMs. The corresponding HSMs are validated according to the [FIPS 140 standard](/azure/compliance/offerings/offering-fips-140-2), and have an overall Security Level 2 rating, which includes requirements for physical tamper evidence and role-based authentication.
 
-Vaults enable support for [customer-managed keys](../security/fundamentals/encryption-models.md) (CMK) where you can control your own keys in HSMs, and use them to encrypt data at rest for [many Azure services](../security/fundamentals/encryption-cmk-support.md). As mentioned previously, you can [import or generate encryption keys](/azure/key-vault/keys/hsm-protected-keys) in HSMs ensuring that keys never leave the HSM boundary to support *bring your own key (BYOK)* scenarios.
+Vaults enable support for [customer-managed keys](../security/fundamentals/encryption-models.md) (CMK) where you can control your own keys in HSMs, and use them to encrypt data at rest for [many Azure services](../security/fundamentals/encryption-customer-managed-keys-support.md). As mentioned previously, you can [import or generate encryption keys](/azure/key-vault/keys/hsm-protected-keys) in HSMs ensuring that keys never leave the HSM boundary to support *bring your own key (BYOK)* scenarios.
 
 Key Vault can handle requesting and renewing certificates in vaults, including Transport Layer Security (TLS) certificates, enabling you to enroll and automatically renew certificates from supported public Certificate Authorities. Key Vault certificates support provides for the management of your X.509 certificates, which are built on top of keys and provide an automated renewal feature. Certificate owner can [create a certificate](/azure/key-vault/certificates/create-certificate) through Azure Key Vault or by importing an existing certificate. Both self-signed and Certificate Authority generated certificates are supported. Moreover, the Key Vault certificate owner can implement secure storage and management of X.509 certificates without interaction with private keys.
 

articles/security/fundamentals/TOC.yml

@@ -146,7 +146,7 @@
   - name: Choosing a key management solution
     href: key-management-choose.md
   - name: Services supporting CMKs
-    href: encryption-customer-mnaged-keys-support.md
+    href: encryption-customer-managed-keys-support.md
   - name: Double encryption
     href: double-encryption.md
   - name: Azure Certificate Authorities

articles/security/fundamentals/encryption-customer-managed-keys-support.md

@@ -13,7 +13,7 @@ ms.topic: article
 
 The following services support server-side encryption with customer managed keys in [Azure Key Vault](/azure/key-vault/) and [Azure Managed HSM](/azure/key-vault/managed-hsm/). For implementation details, see the service-specific documentation or the service's [Microsoft Cloud Security Benchmark: security baseline](/security/benchmark/azure/security-baselines-overview) (section DP-5).
 
-## AI and Machine Learning
+## AI and machine learning
 
 | Product, Feature, or Service | Key Vault | Managed HSM | Documentation |
 |---|---|---|---|---|
@@ -94,7 +94,7 @@ The following services support server-side encryption with customer managed keys
 | [SQL Server Stretch Database](/azure/sql-server-stretch-database/) | Yes (RSA 3072-bit) | | |
 | [Table Storage](/azure/storage/tables/) | Yes | | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |
 
-## Hybrid + Multicloud
+## Hybrid + multicloud
 
 | Product, Feature, or Service | Key Vault | Managed HSM | Documentation |
 |---|---|---|---|---|
@@ -109,14 +109,14 @@ The following services support server-side encryption with customer managed keys
 | [Logic Apps](/azure/logic-apps/) | Yes | |  |
 | [Service Bus](/azure/service-bus-messaging/) | Yes | | [Configure customer-managed keys for encryption](/azure/service-bus-messaging/configure-customer-managed-key) |
 
-## IoT Services
+## IoT services
 
 | Product, Feature, or Service | Key Vault | Managed HSM | Documentation |
 |---|---|---|---|---|
 | [Device Update for IoT Hub](/azure/iot-hub-device-update/) | Yes | Yes | [Data encryption for Device Update for IoT Hub](/azure/iot-hub-device-update/device-update-data-encryption) |
 | [IoT Hub Device Provisioning](/azure/iot-dps/) | Yes | |  |
 
-## Management and Governance
+## Management and governance
 
 | Product, Feature, or Service | Key Vault | Managed HSM | Documentation |
 |---|---|---|---|---|

articles/security/fundamentals/encryption-models.md

@@ -82,7 +82,7 @@ For scenarios where the requirement is to encrypt the data at rest and control t
 Loss of key encryption keys means loss of data. For this reason, keys should not be deleted. Keys should be backed up whenever created or rotated. [Soft-Delete and purge protection](/azure/key-vault/general/soft-delete-overview) must be enabled on any vault storing key encryption keys to protect against accidental or malicious cryptographic erasure. Instead of deleting a key, it is recommended to set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in [Azure Key Vault](/azure/key-vault/general/security-features#access-model-overview) or [Managed HSM](/azure/key-vault/managed-hsm/secure-your-managed-hsm).
 
 > [!NOTE]
-> For a list of services that support customer-managed keys in Azure Key Vault and Azure Managed HSM, see [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-cmk-support.md).
+> For a list of services that support customer-managed keys in Azure Key Vault and Azure Managed HSM, see [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-customer-managed-keys-support.md).
 
 ### Key Access
 
@@ -133,6 +133,6 @@ When server-side encryption using customer-managed keys in customer-controlled h
 
 ## Related content
 
-- [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-cmk-support.md)
+- [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-customer-managed-keys-support.md)
 - [How encryption is used in Azure](encryption-overview.md)
 - [Double encryption](double-encryption.md)