Commit d770269

Learn Editor: Update workspaces-encryption.md
1 parent 66f8b61 commit d770269

1 file changed: +5 −1 lines changed
articles/synapse-analytics/security/workspaces-encryption.md

Lines changed: 5 additions & 1 deletion
@@ -88,7 +88,11 @@ You can change the customer-managed key used to encrypt data from the **Encrypti
8888
:::image type="content" source="./media/workspaces-encryption/workspace-encryption-management.png" alt-text="This diagram shows the workspace Encryption section in the Azure portal." lightbox="./media/workspaces-encryption/workspace-encryption-management.png":::
8989

9090
>[!IMPORTANT]
91-
>When changing the encryption key of a workspace, retain the key until you replace it in the workspace with a new key. This is to allow decryption of data with the old key before it gets re-encrypted with the new key.
91+
>- When changing the encryption key of a workspace, retain the key until you replace it in the workspace with a new key. This is to allow decryption of data with the old key before it gets re-encrypted with the new key.
92+
>- The state of the SQL pool (i.e. Online, Offline) does not affect the workspace customer managed key (CMK) rotation process. However, SQL pools that are offline during the CMK rotation will remain encrypted with the older key or key version. Upon resuming these pools, the old key or key version must be enabled and have an expiration date set in the future to allow decryption and subsequent re-encryption with the new key or key version. If the old key or key version is disabled or expired, the pools will not resume as decryption is not possible.
93+
>- To ensure a smooth CMK rotation, if some SQL pools are offline during the process, the old key or key version should remain enabled and have its expiration date set in the future. This is crucial until the offline pools are successfully resumed and re-encrypted with the new key or key version.
94+
>- It is highly recommended not to delete old keys or key versions, as they may still be needed to decrypt older backups. Instead, after all SQL pools have been re-encrypted with the new key or key version, disable the old key or key version. This ensures the old key or key version remains available for decrypting older backups if necessary.
95+
9296

9397
Azure Key Vaults policies for automatic, periodic rotation of keys, or actions on the keys can result in the creation of new key versions. You can choose to re-encrypt all the data in the workspace with the latest version of the active key. To-re-encrypt, change the key in the Azure portal to a temporary key and then switch back to the key you wish to use for encryption. As an example, to update data encryption using the latest version of active key Key1, change the workspace customer-managed key to temporary key, Key2. Wait for encryption with Key2 to finish. Then switch the workspace customer-managed key back to Key1-data in the workspace will be re-encrypted with the latest version of Key1.
9498
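Review bot: the second and third added bullets restate the same requirement, that the old key or key version must stay enabled with an expiration date in the future until any SQL pools that were offline during rotation have been resumed and re-encrypted; fold the third bullet into the second, for example by closing the second with "Keep the old key or key version enabled, with its expiration date in the future, until all offline pools have been resumed and re-encrypted with the new key or key version." The first bullet also now sits awkwardly next to the fourth: it tells the reader to retain the old key only until it is replaced in the workspace, while the fourth says not to delete old keys or key versions at all because older backups may still depend on them; align the first bullet with the fourth (retain, then disable rather than delete once re-encryption is complete). Two style points in the second bullet: "customer managed key" should be hyphenated as "customer-managed key" to match the unchanged paragraph below, and "i.e. Online, Offline" lists examples of pool states, so "for example" is the right wording and avoids the Latin abbreviation.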
