
Commit bed6105

Author: David Curwin
Commit message: Changes to two pages
1 parent 5acc7f1 commit bed6105


2 files changed

+118
-83
lines changed


articles/backup/backup-azure-security-feature-cloud.md

Lines changed: 27 additions & 25 deletions
@@ -36,7 +36,7 @@ Soft delete is currently supported in the West Central US, East Asia, Canada Cen
3636

3737
![Screenshot of Azure portal Backup Items](./media/backup-azure-security-feature-cloud/backup-stopped.png)
3838

39-
2. In the following window, you will be given a choice to delete or retain the backup data. If you choose **Delete backup data** and then **Stop backup**, the VM backup will not be permanently deleted. Rather, the backup data will be retained for 14 days in the soft deleted state. If **Delete backup data** is chosen, a delete email alert is sent to the configured email ID informing the user that 14 days remain of extended retention for backup data. Also, an email alert is sent on the 12th day informing that there are two more days left to resurrect the deleted data. The deletion is deferred until the 15th day, when permanent deletion will occur and a final email alert is sent informing about the permanent deletion of the data.
39+
2. In the following window, you'll be given a choice to delete or retain the backup data. If you choose **Delete backup data** and then **Stop backup**, the VM backup won't be permanently deleted. Rather, the backup data will be retained for 14 days in the soft deleted state. If **Delete backup data** is chosen, a delete email alert is sent to the configured email ID informing the user that 14 days remain of extended retention for backup data. Also, an email alert is sent on the 12th day informing that there are two more days left to resurrect the deleted data. The deletion is deferred until the 15th day, when permanent deletion will occur and a final email alert is sent informing about the permanent deletion of the data.
4040

4141
![Screenshot of Azure portal, Stop Backup screen](./media/backup-azure-security-feature-cloud/delete-backup-data.png)
4242

@@ -72,14 +72,14 @@ This flow chart shows the different steps and states of a backup item when Soft
7272

7373
For more information, see the [Frequently Asked Questions](backup-azure-security-feature-cloud.md#frequently-asked-questions) section below.
7474

75-
### Soft delete for VMs using Azure Powershell
75+
### Soft delete for VMs using Azure PowerShell
7676

7777
> [!IMPORTANT]
7878
> The Az.RecoveryServices version required to use soft-delete using Azure PS is min 2.2.0. Use ```Install-Module -Name Az.RecoveryServices -Force``` to get the latest version.
7979
80-
As outlined above for Azure portal, the sequence of steps is same while using Azure Powershell as well.
80+
As outlined above for Azure portal, the sequence of steps is same while using Azure PowerShell as well.
8181

82-
#### Delete the backup item using Azure Powershell
82+
#### Delete the backup item using Azure PowerShell
8383

8484
Delete the backup item using the [Disable-AzRecoveryServicesBackupProtection](https://docs.microsoft.com/powershell/module/az.recoveryservices/Disable-AzRecoveryServicesBackupProtection?view=azps-1.5.0) PS cmdlet.
8585

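Review bot: the rewritten line 80 still reads "the sequence of steps is same while using Azure PowerShell as well", which is missing the article; suggest "the sequence of steps is the same when using Azure PowerShell". While this region is being touched, the unchanged IMPORTANT note at line 78 wraps an inline cmdlet in triple backticks (```Install-Module -Name Az.RecoveryServices -Force```); inline code in this doc set takes single backticks, and triple backticks inside a blockquote render unreliably. "min 2.2.0" would also read better as "2.2.0 or later".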
@@ -93,7 +93,7 @@ AppVM1 DeleteBackupData Completed 12/5/2019 12:44:15 PM
9393

9494
The 'DeleteState' of the backup item will change from 'NotDeleted' to 'ToBeDeleted'. The backup data will be retained for 14 days. If you wish to revert the delete operation, then undo-delete should be performed.
9595

96-
#### Undoing the deletion operation using Azure Powershell
96+
#### Undoing the deletion operation using Azure PowerShell
9797

9898
First, fetch the relevant backup item that is in soft-delete state (that is, about to be deleted).
9999

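Review bot: the property and state names in context line 94 ('DeleteState', 'NotDeleted', 'ToBeDeleted') are quoted with single quotes rather than code formatting; since they are literal values returned by the cmdlet, use `DeleteState`, `NotDeleted` and `ToBeDeleted`. The same applies to line 121 in the next hunk. The closing sentence "then undo-delete should be performed" could point readers directly at the procedure that follows, e.g. "perform an undo-delete as described in the next section".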
@@ -118,7 +118,7 @@ WorkloadName Operation Status StartTime
118118
AppVM1 Undelete Completed 12/5/2019 12:47:28 PM 12/5/2019 12:47:40 PM 65311982-3755-46b5-8e53-c82ea4f0d2a2
119119
```
120120

121-
The 'DeleteState' of the backup item will revert to 'NotDeleted'. But the protection is still stopped. You need to [resume the backup](https://docs.microsoft.com/azure/backup/backup-azure-vms-automation#change-policy-for-backup-items) to re-enable the protection.
121+
The 'DeleteState' of the backup item will revert to 'NotDeleted'. But the protection is still stopped. [Resume the backup](https://docs.microsoft.com/azure/backup/backup-azure-vms-automation#change-policy-for-backup-items) to re-enable the protection.
122122

123123
### Soft delete for VMs using REST API
124124

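Review bot: dropping "You need to" from line 121 weakens the one warning in this section that matters operationally: after an undelete the item's `DeleteState` reverts, but protection remains stopped and no scheduled backups run until the item is resumed (the FAQ below says the same). Suggest keeping that consequence explicit, e.g. "The protection is still stopped and no new recovery points are taken until you [resume the backup](...)." The quoted state names on this line should also use backticks rather than single quotes.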
@@ -127,7 +127,7 @@ The 'DeleteState' of the backup item will revert to 'NotDeleted'. But the protec
127127

128128
## Disabling soft delete
129129

130-
Soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Disabling this feature is not recommended. The only circumstance where you should consider disabling soft delete is if you are planning on moving your protected items to a new vault, and cannot wait the 14 days required before deleting and reprotecting (such as in a test environment.) Only the vault owner can disable this feature. If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that exists in soft deleted state prior to disabling this feature, will remain in soft deleted state for the period of 14 days. If you wish to permanently delete these immediately, then you need to undelete and delete them again to get permanently deleted.
130+
Soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment.) Only the vault owner can disable this feature. If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that exists in soft deleted state before disabling this feature, will remain in soft deleted state for the period of 14 days. If you wish to permanently delete these immediately, then you need to undelete and delete them again to get permanently deleted.
131131

132132
### Disabling soft delete using Azure portal
133133

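Review bot: the rewritten line 130 still has the full stop inside the parentheses, "(such as in a test environment.)"; it should be "(such as in a test environment)." There is also a stray comma in "Backup data that exists in soft deleted state before disabling this feature, will remain", and "you need to undelete and delete them again to get permanently deleted" is redundant; "undelete them and delete them again" is enough. Since this paragraph is the only place that states "Only the vault owner can disable this feature", consider making that its own sentence at the start of the paragraph so the access-control point is not buried mid-paragraph.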
@@ -139,7 +139,7 @@ To disable soft delete, follow these steps:
139139

140140
![Disable soft delete](./media/backup-azure-security-feature-cloud/disable-soft-delete.png)
141141

142-
### Disabling soft delete using Azure Powershell
142+
### Disabling soft delete using Azure PowerShell
143143

144144
> [!IMPORTANT]
145145
> The Az.RecoveryServices version required to use soft-delete using Azure PS is min 2.2.0. Use ```Install-Module -Name Az.RecoveryServices -Force``` to get the latest version.
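Review bot: the IMPORTANT note at context lines 144-145 is a verbatim copy of the one at lines 77-78, including the triple-backtick inline code around `Install-Module -Name Az.RecoveryServices -Force`. If both copies are kept, fix the backticks in both; otherwise a single statement of the version requirement near the top of the PowerShell material, with a cross-reference from here, would be easier to keep in sync when the minimum version changes.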
@@ -192,7 +192,7 @@ Follow these steps:
192192

193193
7. To delete the backup data for the item, select **Delete**. A notification message lets you know that the backup data has been deleted.
194194

195-
### Using Azure Powershell
195+
### Using Azure PowerShell
196196

197197
If items were deleted before soft-delete was disabled, then they will be in a soft-deleted state. To immediately delete them, the deletion operation needs to reversed and then performed again.
198198

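Review bot: context line 197, "the deletion operation needs to reversed and then performed again", is missing a word and should read "needs to be reversed and then performed again". Given this commit is a contraction pass, "they will be in a soft-deleted state" on the same line could become "they'll be" for consistency with the rest of the file.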
@@ -239,28 +239,30 @@ If items were deleted before soft-delete was disabled, then they will be in a so
239239

240240
## Encryption
241241

242-
### Encryption of backup data using Microsoft managed keys
242+
All your backed-up data is automatically encrypted when stored in the cloud using Azure Storage encryption, which helps you meet your security and compliance commitments. This data at rest is encrypted using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
243243

244-
Backup data is automatically encrypted using Azure Storage encryption. Encryption protects your data and helps you to meet your organizational security and compliance commitments. Data is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.
245-
246-
Within Azure, data in transit between Azure storage and the vault is protected by HTTPS. This data remains on the Azure backbone network.
244+
In addition to encryption at rest, all your backup data in transit is transferred over HTTPS. It always remains on the Azure backbone network.
247245

248246
For more information, see [Azure Storage encryption for data at rest](https://docs.microsoft.com/azure/storage/common/storage-service-encryption). Refer to the [Azure Backup FAQ](https://docs.microsoft.com/azure/backup/backup-azure-backup-faq#encryption) to answer any questions that you may have about encryption.
249247

250-
### Encryption of backup data using customer managed keys
248+
### Encryption of backup data using platform-managed keys
249+
250+
By default, all your data is encrypted using platform-managed keys. You don't need to take any explicit action from your end to enable this encryption and it applies to all workloads being backed up to your Recovery Services vault.
251+
252+
### Encryption of backup data using customer-managed keys
251253

252-
While backing up Azure Virtual Machines, you also have the option to encrypt your backup data in the Recovery Services Vault using your encryption keys stored in the Azure Key Vault.
254+
When backing up your Azure Virtual Machines, you can now encrypt your data using keys owned and managed by you. Azure Backup lets you use your RSA keys stored in the Azure Key Vault for encrypting your backups. The encryption key used for encrypting backups may be different from the one used for the source. The data is protected using an AES 256 based data encryption key (DEK), which is, in turn, protected using your keys. This gives you full control over the data and the keys. To allow encryption, it's required that the Recovery Services vault be granted access to the encryption key in the Azure Key Vault. You can disable the key or revoke access whenever needed. However, you must enable encryption using your keys before you attempt to protect any items to the vault.
253255

254256
>[!NOTE]
255-
>This feature is currently under early use. Fill out [this survey](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR0H3_nezt2RNkpBCUTbWEapURE9TTDRIUEUyNFhNT1lZS1BNVDdZVllHWi4u) if you wish to encrypt your backup data using customer managed keys. Note that the ability to use this feature is subject to approval from the Azure Backup service.
257+
>This feature is currently in limited availability. Please fill out this survey and email us at azbackupencryption@microsoft.com if you wish to encrypt your backup data using customer managed keys. Note that the ability to use this feature is subject to approval from the Azure Backup service.
256258
257-
### Backup of managed disk VM encrypted using customer managed keys
259+
### Backup of managed disk VMs encrypted using customer-managed keys
258260

259-
Azure Backup allows you to back up Azure Virtual Machines containing disks encrypted using customer managed keys. For details, refer to [Encryption of managed disks with customer managed keys](https://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption#customer-managed-keys).
261+
Azure Backup also allows you back up your Azure VMs that use your key for server-side encryption. The key used for encrypting the disks is stored in the Azure Key Vault and managed by you. Server-side encryption using customer-managed keys differs from Azure Disk Encryption, since ADE leverages BitLocker (for Windows) and DM-Crypt (for Linux) to perform in-guest encryption, SSE encrypts data in the storage service, enabling you to use any OS or images for your VMs. Refer to [Encryption of managed disks with customer managed keys](https://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption#customer-managed-keys) for more details.
260262

261-
### Backup of encrypted VMs
263+
### Backup of VMs encrypted using ADE
262264

263-
You can back up and restore Windows or Linux Azure virtual machines (VMs) with encrypted disks using the Azure Backup service. For instructions, see [Back up and restore encrypted virtual machines with Azure Backup](https://docs.microsoft.com/azure/backup/backup-azure-vms-encryption).
265+
With Azure Backup, you can also back up your Azure Virtual machines that have their OS or data disks encrypted using Azure Disk Encryption. ADE uses BitLocker for Windows VMs and DM-Crypt for Linux VMs to perform in-guest encryption. For details, see [Back up and restore encrypted virtual machines with Azure Backup](https://docs.microsoft.com/azure/backup/backup-azure-vms-encryption).
264266

265267
## Private Endpoints
266268

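Review bot: the rewritten NOTE at line 257 drops the survey hyperlink but still says "Please fill out this survey", leaving a reference with nothing to click; either restore the link or drop the phrase and keep only the email address (and drop "Please", which this style guide avoids). Further down, line 261 reads "Azure Backup also allows you back up your Azure VMs" and needs "to back up", and the sentence "Server-side encryption using customer-managed keys differs from Azure Disk Encryption, since ADE leverages BitLocker (for Windows) and DM-Crypt (for Linux) to perform in-guest encryption, SSE encrypts data in the storage service, enabling you to use any OS or images for your VMs" is a run-on; suggest "differs from Azure Disk Encryption (ADE): ADE uses BitLocker (Windows) and DM-Crypt (Linux) for in-guest encryption, whereas SSE encrypts data in the storage service, so any OS or image can be used." Finally, line 254 says "You can disable the key or revoke access whenever needed" without saying what that does to existing backups and to restores; revoking access is the control that gives customer-managed keys their value, so the paragraph should state the effect on backup and restore operations rather than leave the reader to guess.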
@@ -284,7 +286,7 @@ No, it's built and enabled by default for all the recovery services vaults.
284286

285287
#### Can I configure the number of days for which my data will be retained in soft-deleted state after delete operation is complete?
286288

287-
No, it is fixed to 14 days of additional retention after the delete operation.
289+
No, it's fixed to 14 days of additional retention after the delete operation.
288290

289291
#### Do I need to pay the cost for this additional 14-day retention?
290292

@@ -300,19 +302,19 @@ Yes.
300302

301303
#### How can I trigger the scheduled backups again for a soft-deleted resource?
302304

303-
Undelete followed by resume operation will protect the resource again. Resume operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume operation completes. If you wish to perform a restore from a recovery point that is past its expiry date, you are advised to do it before triggering the resume operation.
305+
Undelete followed by resume operation will protect the resource again. Resume operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume operation completes. If you wish to perform a restore from a recovery point that is past its expiry date, you're advised to do it before triggering the resume operation.
304306

305307
#### Can I delete my vault if there are soft deleted items in the vault?
306308

307-
The Recovery Services vault cannot be deleted if there are backup items in soft-deleted state in the vault. The soft-deleted items are permanently deleted 14 days after the delete operation. If you cannot wait for 14 days, then [disable soft delete](#disabling-soft-delete), undelete the soft deleted items, and delete them again to permanently get deleted. After ensuring there are no protected items and no soft deleted items, the vault can be deleted.
309+
The Recovery Services vault can't be deleted if there are backup items in soft-deleted state in the vault. The soft-deleted items are permanently deleted 14 days after the delete operation. If you can't wait for 14 days, then [disable soft delete](#disabling-soft-delete), undelete the soft deleted items, and delete them again to permanently get deleted. After ensuring there are no protected items and no soft deleted items, the vault can be deleted.
308310

309311
#### Can I delete the data earlier than the 14 days soft-delete period after deletion?
310312

311-
No. You cannot force delete the soft-deleted items, they are automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 day before performing any other action on the VM. Soft-deleted items will not be charged. If you need reprotecting the VMs marked for soft-delete within 14 days to a new vault, then contact Microsoft support.
313+
No. You can't force delete the soft-deleted items, they're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 day before performing any other action on the VM. Soft-deleted items won' be charged. If you need reprotecting the VMs marked for soft-delete within 14 days to a new vault, then contact Microsoft support.
312314

313315
#### Can soft delete operations be performed in PowerShell or CLI?
314316

315-
Soft delete operations can be performed using [Powershell](#soft-delete-for-vms-using-azure-powershell). Currently, CLI is not supported.
317+
Soft delete operations can be performed using [PowerShell](#soft-delete-for-vms-using-azure-powershell). Currently, CLI is not supported.
316318

317319
#### Is soft delete supported for other cloud workloads, like SQL Server in Azure VMs and SAP HANA in Azure VMs?
318320

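Review bot: line 313 now contains a typo, "Soft-deleted items won' be charged", which should be "won't be charged". On the same line, "You can't force delete the soft-deleted items, they're automatically deleted after 14 days" is a comma splice (use "; they're" or "because they're"), "wait for 14 day" should be "14 days", and "If you need reprotecting the VMs" should be "If you need to reprotect the VMs". For consistency with the contraction pass, line 317 "Currently, CLI is not supported" could read "CLI isn't currently supported".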