Edit content

JKirsch1 · JKirsch1 · commit b90f7f9aaa69 · 2022-06-02T13:55:35.000-04:00
diff --git a/articles/cognitive-services/includes/cognitive-services-about-encryption.md b/articles/cognitive-services/includes/cognitive-services-about-encryption.md
@@ -12,8 +12,8 @@
 
 ## About Cognitive Services encryption
 
-Data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2) compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default and you don't need to modify your code or applications to take advantage of encryption.
+Data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2)-compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default. You don't need to modify your code or applications to take advantage of encryption.
 
 ## About encryption key management
 
-By default, your subscription uses Microsoft-managed encryption keys. There is also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. If CMK is configured for your subscription, double encryption is provided, which offers a second layer of protection, while allowing you to control the encryption key through your Azure Key Vault.
+By default, your subscription uses Microsoft-managed encryption keys. You can also manage your subscription with your own keys, which are called customer-managed keys. When you use customer-managed keys, you have greater flexibility in the way you create, rotate, disable, and revoke access controls. You can also audit the encryption keys that you use to protect your data. If customer-managed keys are configured for your subscription, double encryption is provided. With this second layer of protection, you can control the encryption key through your Azure Key Vault.
diff --git a/articles/cognitive-services/includes/configure-customer-managed-keys.md b/articles/cognitive-services/includes/configure-customer-managed-keys.md
@@ -13,103 +13,105 @@ ms.author: egeaney
 
 ## Customer-managed keys with Azure Key Vault
 
-You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
+When you use customer-managed keys, you must use Azure Key Vault to store them. You can either create your own keys and store them in a key vault, or you can use the Key Vault APIs to generate keys. The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
 
-When a new Cognitive Services resource is created it is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Cognitive Services resource. The managed identity is available only after the resource is created using the Pricing Tier required for CMK.
+When you create a new Cognitive Services resource, it's always encrypted by using Microsoft-managed keys. It's not possible to enable customer-managed keys when you create the resource. Customer-managed keys are stored in Key Vault. The key vault needs to be provisioned with access policies that grant key permissions to the managed identity that's associated with the Cognitive Services resource. The managed identity is available only after the resource is created by using the pricing tier that's required for customer-managed keys.
 
-Enabling customer managed keys will also enable a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. 
+Enabling customer-managed keys also enables a system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), a feature of Azure AD. After the system-assigned managed identity is enabled, this resource is registered with Azure AD. After being registered, the managed identity is given access to the key vault that's selected during customer-managed key setup. 
 
 > [!IMPORTANT]
-> If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working.
+> If you disable system-assigned managed identities, access to the key vault is removed and any data that's encrypted with the customer keys is no longer accessible. Any features that depend on this data stop working.
 
 > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).  
+> Managed identities don't currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned behind the scenes. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity that's associated with the resource isn't transferred to the new tenant, so customer-managed keys might no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).  
 
-## Configure Azure Key Vault
+## Configure Key Vault
 
-Using customer-managed keys requires that two properties be set in the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.
+When you use customer-managed keys, you need to set two properties in the key vault, **Soft Delete** and **Do Not Purge**. These properties aren't enabled by default, but you can enable them on a new or existing key vault by using the Azure portal, PowerShell, or Azure CLI.
 
 > [!IMPORTANT]
-> If you do not have the **Soft Delete** and **Do Not Purge** properties enabled and you delete your key, you won't be able to recover the data in your Cognitive Service resource.
+> If the **Soft Delete** and **Do Not Purge** properties aren't enabled and you delete your key, you can't recover the data in your Cognitive Services resource.
 
-To learn how to enable these properties on an existing key vault, see the sections titled **Enabling soft-delete** and **Enabling Purge Protection** in one of the following articles:
+To learn how to enable these properties on an existing key vault, see [Azure Key Vault recovery management with soft delete and purge protection](../../key-vault/general/key-vault-recovery.md).
 
-- [How to use soft-delete with PowerShell](../../key-vault/general/key-vault-recovery.md).
-- [How to use soft-delete with CLI](../../key-vault/general/key-vault-recovery.md).
-
-Only RSA keys of size 2048 are supported with Azure Storage encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](../../key-vault/general/about-keys-secrets-certificates.md).
+Only RSA keys of size 2048 are supported with Azure Storage encryption. For more information about keys, see [Azure Key Vault keys, secrets and certificates overview](../../key-vault/general/about-keys-secrets-certificates.md).
 
 ## Enable customer-managed keys for your resource
 
 To enable customer-managed keys in the Azure portal, follow these steps:
 
-1. Navigate to your Cognitive Services resource.
-1. On the **Settings** blade for your Cognitive Services resource, click **Encryption**. Select the **Customer Managed Keys** option, as shown in the following figure.
+1. Go to your Cognitive Services resource.
+1. On the left, select **Encryption**.
+1. Under **Encryption type**, select **Customer Managed Keys**, as shown in the following screenshot.
 
-    ![Screenshot showing how to select Customer Managed Keys](../media/cognitive-services-encryption/selectcmk.png)
+   :::image type="content" source="../media/cognitive-services-encryption/selectcmk.png" alt-text="Screenshot of the Encryption settings page for a Cognitive Services resource. Under Encryption type, the Customer Managed Keys option is selected.":::
 
 ## Specify a key
 
-After you enable customer-managed keys, you'll have the opportunity to specify a key to associate with the Cognitive Services resource.
+After you enable customer-managed keys, you can specify a key to associate with the Cognitive Services resource.
 
 ### Specify a key as a URI
 
 To specify a key as a URI, follow these steps:
 
-1. To locate the key URI in the Azure portal, navigate to your key vault, and select the **Keys** setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.
-1. Copy the value of the **Key Identifier** field, which provides the URI.
+1. In the Azure portal, go to your key vault.
+1. Under **Settings**, select **Keys**.
+1. Select the desired key, and then select the key to view its versions. Select a key version to view the settings for that version.
+1. Copy the **Key Identifier** value, which provides the URI.
 
-    ![Screenshot showing key vault key URI](../media/cognitive-services-encryption/key-uri-portal.png)
+   :::image type="content" source="../media/cognitive-services-encryption/key-uri-portal.png" alt-text="Screenshot of the Azure portal page for a key version. The Key Identifier box contains a placeholder for a key U R I.":::
 
-1. In the **Encryption** settings for your storage account, choose the **Enter key URI** option.
-1. Paste the URI that you copied into the **Key URI** field.
+1. Go back to your Cognitive Services resource, and then select **Encryption**.
+1. Under **Encryption key**, select **Enter key URI**.
+1. Paste the URI that you copied into the **Key URI** box.
 
-   ![Screenshot showing how to enter key URI](../media/cognitive-services-encryption/ssecmk2.png)
+   :::image type="content" source="../media/cognitive-services-encryption/ssecmk2.png" alt-text="Screenshot of the Encryption page for a Cognitive Services resource. The Enter key U R I option is selected, and the Key U R I box contains a value.":::
 
-1. Specify the subscription that contains the key vault.
+1. Under **Subscription**, select the subscription that contains the key vault.
 1. Save your changes.
 
 ### Specify a key from a key vault
 
-To specify a key from a key vault, first make sure that you have a key vault that contains a key. To specify a key from a key vault, follow these steps:
+To specify a key from a key vault, first make sure that you have a key vault that contains a key. Then follow these steps:
 
-1. Choose the **Select from Key Vault** option.
-1. Select the key vault containing the key you want to use.
-1. Select the key from the key vault.
+1. Go to your Cognitive Services resource, and then select **Encryption**.
+1. Under **Encryption key**, select **Select from Key Vault**.
+1. Select the key vault that contains the key that you want to use.
+1. Select the key that you want to use.
 
-   ![Screenshot showing customer-managed key option](../media/cognitive-services-encryption/ssecmk3.png)
+   :::image type="content" source="../media/cognitive-services-encryption/ssecmk3.png" alt-text="Screenshot of the Select key from Azure Key Vault page in the Azure portal. The Subscription, Key vault, Key, and Version boxes contain values.":::
 
 1. Save your changes.
 
 ## Update the key version
 
 When you create a new version of a key, update the Cognitive Services resource to use the new version. Follow these steps:
 
-1. Navigate to your Cognitive Services resource and display the **Encryption** settings.
-1. Enter the URI for the new key version. Alternately, you can select the key vault and the key again to update the version.
+1. Go to your Cognitive Services resource, and then select **Encryption**.
+1. Enter the URI for the new key version. Alternately, you can select the key vault and then select the key again to update the version.
 1. Save your changes.
 
 ## Use a different key
 
-To change the key used for encryption, follow these steps:
+To change the key that you use for encryption, follow these steps:
 
-1. Navigate to your Cognitive Services resource and display the **Encryption** settings.
-1. Enter the URI for the new key. Alternately, you can select the key vault and choose a new key.
+1. Go to your Cognitive Services resource, and then select **Encryption**.
+1. Enter the URI for the new key. Alternately, you can select the key vault and then select a new key.
 1. Save your changes.
 
 ## Rotate customer-managed keys
 
-You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. When the key is rotated, you must update the Cognitive Services resource to use the new key URI. To learn how to update the resource to use a new version of the key in the Azure portal, see [Update the key version](#update-the-key-version).
+You can rotate a customer-managed key in Key Vault according to your compliance policies. When the key is rotated, you must update the Cognitive Services resource to use the new key URI. To learn how to update the resource to use a new version of the key in the Azure portal, see [Update the key version](#update-the-key-version).
 
-Rotating the key does not trigger re-encryption of data in the resource. There is no further action required from the user.
+Rotating the key doesn't trigger re-encryption of data in the resource. No further action is required from the user.
 
 ## Revoke access to customer-managed keys
 
-To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see [Azure Key Vault PowerShell](/powershell/module/az.keyvault//) or [Azure Key Vault CLI](/cli/azure/keyvault). Revoking access effectively blocks access to all data in the Cognitive Services resource, as the encryption key is inaccessible by Cognitive Services.
+To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see [Azure Key Vault PowerShell](/powershell/module/az.keyvault//) or [Azure Key Vault CLI](/cli/azure/keyvault). Revoking access effectively blocks access to all data in the Cognitive Services resource, because the encryption key is inaccessible by Cognitive Services.
 
 ## Disable customer-managed keys
 
 When you disable customer-managed keys, your Cognitive Services resource is then encrypted with Microsoft-managed keys. To disable customer-managed keys, follow these steps:
 
-1. Navigate to your Cognitive Services resource and display the **Encryption** settings.
-1. Deselect the checkbox next to the **Use your own key** setting.
+1. Go to your Cognitive Services resource, and then select **Encryption**.
+1. Clear the checkbox that's next to **Use your own key**.
diff --git a/articles/cognitive-services/personalizer/encrypt-data-at-rest.md b/articles/cognitive-services/personalizer/encrypt-data-at-rest.md
@@ -1,25 +1,28 @@
 ---
-title: Personalizer service encryption of data at rest
+title: Data-at-rest encryption in Personalizer
 titleSuffix: Azure Cognitive Services
-description: Microsoft offers Microsoft-managed encryption keys, and also lets you manage your Cognitive Services subscriptions with your own keys, called customer-managed keys (CMK). This article covers data encryption at rest for Personalizer, and how to enable and manage CMK. 
+description: Learn about the keys that you use for data-at-rest encryption in Personalizer. See how to use Azure Key Vault to configure customer-managed keys.
 author: jcodella
 manager: venkyv
 ms.service: cognitive-services
 ms.subservice: personalizer
 ms.topic: conceptual
-ms.date: 08/28/2020
+ms.date: 06/02/2022
 ms.author: jacodel
+ms.custom: kr2b-contr-experiment
 #Customer intent: As a user of the Personalizer service, I want to learn how encryption at rest works.
 ---
 
-# Personalizer service encryption of data at rest
+# Encryption of data at rest in the Personalizer service
 
-The Personalizer service automatically encrypts your data when persisted it to the cloud. The Personalizer service encryption protects your data and to help you to meet your organizational security and compliance commitments.
+Personalizer is a service in Azure Cognitive Services that uses a machine learning model to provide apps with user-tailored content. When Personalizer persists data to the cloud, it encrypts that data. This encryption protects your data and helps you meet organizational security and compliance commitments.
 
 [!INCLUDE [cognitive-services-about-encryption](../includes/cognitive-services-about-encryption.md)]
 
 > [!IMPORTANT]
-> Customer-managed keys are only available on the E0 pricing tier. To request the ability to use customer-managed keys, fill out and submit the [Personalizer Service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for using CMK with the Personalizer service, you will need to create a new Personalizer resource and select E0 as the Pricing Tier. Once your Personalizer resource with the E0 pricing tier is created, you can use Azure Key Vault to set up your managed identity.
+> Customer-managed keys are only available with the E0 pricing tier. To request the ability to use customer-managed keys, fill out and submit the [Personalizer Service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It takes approximately 3-5 business days to hear back about the status of your request. If demand is high, you might be placed in a queue and approved when space becomes available.
+>
+> After you're approved to use customer-managed keys with Personalizer, create a new Personalizer resource and select E0 as the pricing tier. After you've created that resource, you can use Azure Key Vault to set up your managed identity.
 
 [!INCLUDE [cognitive-services-cmk](../includes/configure-customer-managed-keys.md)]
 
