Commit f0a9530

add key rotation and other updates
1 parent a5b9a30 commit f0a9530

8 files changed: +20 -15 lines changed

articles/hpc-cache/customer-keys.md

Lines changed: 19 additions & 5 deletions
@@ -4,7 +4,7 @@ description: How to use Azure Key Vault with Azure HPC Cache to control encrypti
44
author: ekpgh
55
ms.service: hpc-cache
66
ms.topic: conceptual
7-
ms.date: 03/19/2020
7+
ms.date: 04/06/2020
88
ms.author: rohogue
99
---
1010

@@ -29,7 +29,7 @@ There are three steps to enable customer-managed key encryption for Azure HPC Ca
2929

3030
Encryption is not completely set up until after you authorize it from the newly created cache (step 3). This is because you must pass the cache's identity to the key vault to make it an authorized user. You can't do this before creating the cache, because the identity does not exist until the cache is created.
3131

32-
After you create the cache, you cannot change between customer-managed keys and Microsoft-managed keys. However, if your cache uses customer-managed keys you can change the encryption key, the key version, and the key vault as needed.
32+
After you create the cache, you cannot change between customer-managed keys and Microsoft-managed keys. However, if your cache uses customer-managed keys you can [change](#update-key-settings) the encryption key, the key version, and the key vault as needed.
3333

3434
## Understand key vault and key requirements
3535

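Review bot: On the changed line the link text is only the word "change", which does not name its destination when read out of context. Consider linking the full phrase instead, for example "[change the encryption key, the key version, and the key vault](#update-key-settings)", so the link describes the "Update key settings" section it points to.
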
@@ -41,7 +41,7 @@ Key vault properties:
4141
* **Region** - The key vault must be in the same region as the Azure HPC Cache.
4242
* **Pricing tier** - Standard tier is sufficient for use with Azure HPC Cache.
4343
* **Soft delete** - Azure HPC Cache will enable soft delete if it is not already configured on the key vault.
44-
* **Purge protection** - Azure HPC Cache will enable purge protection if it is not already active.
44+
* **Purge protection** - Purge protection must be enabled.
4545
* **Access policy** - Default settings are sufficient.
4646
* **Network connectivity** - Azure HPC Cache must be able to access the key vault regardless of the endpoint settings you choose.
4747

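Review bot: The new **Purge protection** bullet says it "must be enabled", which reads as a prerequisite the user has to configure, but the **Soft delete** bullet directly above still says Azure HPC Cache will enable it, and the authorization step later in this file still says clicking **Yes** enables both soft-delete and purge protection. Decide which behavior is correct and make the three statements agree; if purge protection is now a prerequisite, say who enables it and at what point (before creating the cache or before authorizing encryption).
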
@@ -107,15 +107,29 @@ The cache shows the status **Waiting for key**. Click the **Enable encryption**
107107

108108
![screenshot of cache overview page in portal, with a banner message at the top that asks the user to enable encryption by clicking yes](media/draft-enable-keyvault.png)
109109

110-
Click the **Yes** button to authorize the cache to use the encryption key. This action also enables soft-delete and purge protection on the key vault.
110+
Click the **Yes** button to authorize the cache to use the encryption key. This action also enables soft-delete and purge protection (if not already enabled) on the key vault.<!-- xxx problem? xxx -->
111111

112112
![screenshot of cache overview page in portal, with a banner message at the top that asks the user to enable encryption by clicking yes](media/draft-enable-keyvault-banner.png)
113113

114114
After the cache requests access to the key vault, it can create and encrypt the disks that store cached data.
115115

116116
After you authorize encryption, Azure HPC Cache goes through several more minutes of setup to create the encrypted disks and related infrastructure.
117117

118-
<!-- add info about rotating keys when it's available -->
118+
## Update key settings
119+
120+
You can change the key vault, key, or key version for your cache from the Azure portal. Click the cache's **Encryption** settings link to open the **Customer key settings** page. (You cannot change a cache between customer-managed keys and system-managed keys.)
121+
122+
![screenshot of "Customer keys setting" page, reached by clicking Settings > Encryption from the cache overview page in the Azure portal](media/draft-customer-key-settings.png)
123+
124+
Click the **Change key** link to open the key selector.
125+
126+
![screenshot of "select key from Azure Key Vault" page with three drop-down selectors to choose key vault, key, and version](media/draft-select-new-key.png)
127+
128+
Key vaults in the same subscription and same region as this cache are shown in the list.
129+
130+
After you choose the new encryption key values, click **Save**<!--not in screenshot - verify -->. A confirmation page appears with the new values. Click **Save** at the top of the confirmation page to finalize the selection.
131+
132+
![screenshot of confirmation page with Save button at top left](media/draft-save-new-key.png)
119133

120134
## Read more about customer-managed keys in Azure
121135

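Review bot: Two unresolved author markers are committed in the added text: `<!-- xxx problem? xxx -->` after the sentence about clicking **Yes**, and `<!--not in screenshot - verify -->` inside the **Save** step. Confirm both behaviors and remove the markers before publishing; the first one leaves open whether authorization really enables purge protection, which the requirements list in this same file now says "must be enabled". In the new section, "system-managed keys" should match the "Microsoft-managed keys" wording used earlier in the file, and the page is named **Customer key settings** in the text but "Customer keys setting" in the image alt text. The procedure also does not say whether the previous key or key version has to stay enabled in the vault until the change completes, which is what a reader rotating a key needs to know before disabling the old one.
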
articles/hpc-cache/hpc-cache-create.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ Use the Azure portal to create your cache.
1818

1919
![screenshot of project details page in Azure portal](media/hpc-cache-create-basics.png)
2020

21-
In **Project Details**, select the subscription and resource group that will host the cache. Make sure the subscription is on the [access](hpc-cache-prereqs.md#azure-subscription) list.
21+
In **Project Details**, select the subscription and resource group that will host the cache.
2222

2323
In **Service Details**, set the cache name and these other attributes:
2424

articles/hpc-cache/hpc-cache-overview.md

Lines changed: 0 additions & 6 deletions
@@ -62,12 +62,6 @@ The [customer-managed keys feature](customer-keys.md) is supported only in these
6262

6363
Check the [Azure HPC Cache product page](https://azure.microsoft.com/services/hpc-cache) for the latest availability information.
6464

65-
## Service availability
66-
67-
You must request access for each subscription you will use with Azure HPC Cache. This restriction helps ensure service quality in the initial months of general availability.
68-
69-
Request access by filling out [this form](https://aka.ms/onboard-hpc-cache). After your subscription is added to the access list, you can create caches.
70-
7165
## Next steps
7266

7367
* Read the [Azure HPC Cache product page](https://azure.microsoft.com/services/hpc-cache) to learn more about its capabilities

articles/hpc-cache/hpc-cache-prereqs.md

Lines changed: 0 additions & 3 deletions
@@ -16,9 +16,6 @@ Before using the Azure portal to create a new Azure HPC Cache, make sure your en
1616

1717
A paid subscription is recommended.
1818

19-
> [!NOTE]
20-
> During the first several months of the GA release, the Azure HPC Cache team must add your subscription to the access list before it can be used to create a cache instance. This procedure helps ensure that each customer gets high-quality responsiveness from their caches. Fill out [this form](https://aka.ms/onboard-hpc-cache) to request access.
21-
2219
## Network infrastructure
2320

2421
Two network-related prerequisites should be set up before you can use your cache: