Merge pull request #292090 from linuxelf001/patch-33

JamesJBarnett · web-flow · commit f39b5485e825 · 2025-01-08T11:01:49.000-07:00
Update confidential-vm-faq.yml
diff --git a/articles/confidential-computing/confidential-vm-faq.yml b/articles/confidential-computing/confidential-vm-faq.yml
@@ -132,6 +132,16 @@ sections:
         answer: |
           No. After you've created a confidential VM, you can't deactivate or reactivate full-disk encryption. Create a new confidential VM instead.
 
+      - question: |
+          Is it possible to switch between Platform-managed keys and Customer-managed keys after a VM has been created?
+        answer: |
+          No, the choice of key management (Platform-managed or Customer-managed) is only available during VM creation and cannot be changed afterward.          
+
+      - question: |
+          Can I use a Customer-managed key if I don't enable full-disk encryption for the OS disk?
+        answer: |
+          No, if a Confidential VM is created without full-disk encryption of the OS disk, a Customer-managed key cannot be used. In this case, the VMGS disk, which is always encrypted, will be encrypted using a Platform-managed key (PMK). 
+      
       - question: |
           Can I control more aspects of the Trusted Computing Base to enforce operator independent key management, attestation, and disk encryption?
         answer: |
