
Commit f5a4d9f

committed
updates
1 parent 036a890 commit f5a4d9f

1 file changed

+40
-36
lines changed

@@ -1,81 +1,85 @@
11
---
2-
title: Encrypt Disks by Using Customer-Managed Keys
3-
description: Learn how to encrypt disks by using customer-managed keys in Azure DevTest Labs.
2+
title: Encrypt Disks with Customer-Managed Keys
3+
description: Learn how to manage disk encryption by using customer-managed keys in Azure DevTest Labs.
44
ms.topic: how-to
55
ms.author: rosemalcolm
66
author: RoseHJM
77
ms.date: 07/11/2025
88
ms.custom: subject-rbac-steps, UpdateFrequency2
99

10-
#customer intent:
10+
#customer intent: As a lab owner, I want to use customer-managed keys to manage disk encryption so that I can manage access control with more flexibility.
1111
---
1212

13-
# Encrypt disks by using customer-managed keys in Azure DevTest Labs
13+
# Encrypt disks with customer-managed keys in Azure DevTest Labs
1414

15-
Server-side encryption (SSE) protects your data and helps you meet your organizational security and compliance commitments. SSE automatically encrypts your data stored on managed disks in Azure (OS and data disks) at rest by default when persisting it to the cloud. Learn more about [Disk Encryption](/azure/virtual-machines/disk-encryption) on Azure.
15+
Server-side encryption (SSE) protects your data and helps you meet your organizational security and compliance commitments. SSE automatically encrypts data stored on managed disks in Azure (OS and data disks) at rest by default when it's persisted to the cloud. For more information about disk encryption on Azure, see [disk encryption](/azure/virtual-machines/disk-encryption).
1616

17-
Within DevTest Labs, all OS disks and data disks created as part of a lab are encrypted using platform-managed keys. However, as a lab owner you can choose to encrypt lab virtual machine disks using your own keys. If you choose to manage encryption with your own keys, you can specify a **customer-managed key** to use for encrypting data in lab disks. To learn more on Server-side encryption (SSE) with customer-managed keys, and other managed disk encryption types, see [Customer-managed keys](/azure/virtual-machines/disk-encryption#customer-managed-keys). Also, see [restrictions with using customer-managed keys](/azure/virtual-machines/disks-enable-customer-managed-keys-portal#restrictions).
17+
In Azure DevTest Labs, all OS disks and data disks created in a lab are encrypted via platform-managed keys. However, as a lab owner, you can choose to manage the encryption of lab virtual machine disks by using your own keys. If you choose to manage encryption by using your own keys, you can specify a *customer-managed key* to use for encrypting data in lab disks. To learn more about SSE with customer-managed keys, and other managed disk encryption types, see [Customer-managed keys](/azure/virtual-machines/disk-encryption#customer-managed-keys). Also, see [restrictions with using customer-managed keys](/azure/virtual-machines/disks-enable-customer-managed-keys-portal#restrictions).
1818

1919
> [!NOTE]
20-
> - The setting applies to newly created disks in the lab. If you choose to change the disk encryption set at some point, older disks in the lab will continue to remain encrypted using the previous disk encryption set.
20+
> - The disk encryption setting applies to newly created disks in the lab. If you change the disk encryption set at some point, older disks in the lab will continue to be encrypted with the previous disk encryption set.
2121
22-
The following section shows how a lab owner can set up encryption using a customer-managed key.
22+
The following section shows how a lab owner can set up encryption with a customer-managed key.
2323

24-
## Pre-requisites
24+
## Prerequisites
2525

26-
1. If you dont have a disk encryption set, follow this article to [set up a Key Vault and a Disk Encryption Set](/azure/virtual-machines/disks-enable-customer-managed-keys-portal). Note the following requirements for the disk encryption set:
26+
- If you don't have a disk encryption set, complete the steps in this article to [set up a key vault and a disk encryption set](/azure/virtual-machines/disks-enable-customer-managed-keys-portal). Note the following requirements for the disk encryption set:
2727

28-
- The disk encryption set needs to be **in same region and subscription as your lab**.
29-
- Ensure you (lab owner) have at least a **reader-level access** to the disk encryption set that will be used to encrypt lab disks.
30-
1. For labs created prior to 8/1/2020, lab owner will need to ensure lab system assigned identity is enabled. To do so, lab owner can go to their lab, click on **Configuration and policies**, click on **Identity (Preview)** blade, change System Assigned identity **Status** to **On** and click on **Save**. For new labs created after 8/1/2020 lab's system assigned identity will be enabled by default.
28+
- The disk encryption set needs to be in same region and subscription as your lab.
29+
- The lab owner needs to have at least reader-level access to the disk encryption set that will be used to encrypt lab disks.
30+
31+
- For labs created before 8/1/2020, the lab owner needs to ensure that lab system-assigned identity is enabled. To do so, the lab owner can go to the lab, select **Configuration and policies**, select **Identity (Preview)** in the left menu, change the system-assigned identity **Status** to **On**, and then select **Save**. For labs created after 8/1/2020, the system-assigned identity is enabled by default.
3132

3233
> [!div class="mx-imgBorder"]
33-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/managed-keys.png" alt-text="Managed keys":::
34-
1. For the lab to handle encryption for all the lab disks, lab owner needs to explicitly grant the lab’s **system-assigned identity** reader role on the disk encryption set as well as virtual machine contributor role on the underlying Azure subscription. The lab owner can do so by completing the following steps:
34+
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/managed-keys.png" alt-text="Screenshot that shows the steps for enabling system-assigned identity." lightbox="./media/encrypt-disks-customer-managed-keys/managed-keys.png":::
35+
36+
- For the lab to handle encryption for all lab disks, the lab owner needs to explicitly grant the lab's system-assigned identity reader role on the disk encryption set and the virtual machine contributor role on the underlying Azure subscription. The lab owner can do that by completing the following steps:
3537

36-
1. Ensure you are a member of [User Access Administrator role](../role-based-access-control/built-in-roles.md#user-access-administrator) at the Azure subscription level so that you can manage user access to Azure resources.
38+
1. Ensure that you're a member of the [User Access Administrator role](../role-based-access-control/built-in-roles.md#user-access-administrator) at the Azure-subscription level so that you can manage user access to Azure resources.
3739

38-
1. On the **Disk Encryption Set** page, assign at least the Reader role to the lab name for which the disk encryption set will be used.
40+
1. On the **Disk Encryption Set** page, assign at least the Reader role to the lab for which the disk encryption set will be used.
3941

4042
For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
4143

42-
1. Navigate to the **Subscription** page in the Azure portal.
44+
1. Go to the **Subscription** page in the Azure portal.
4345

44-
1. Assign the Virtual Machine Contributor role to the lab name (system-assigned identity for the lab).
46+
1. Assign the Virtual Machine Contributor role to the lab (system-assigned identity for the lab).
4547

4648
## Encrypt lab OS disks with a customer-managed key
4749

48-
1. On the home page for your lab in the Azure portal, select **Configuration and policies** on the left menu.
50+
1. On the overview page for your lab in the Azure portal, select **Configuration and policies** in the left menu.
4951
1. On the **Configuration and policies** page, select **Disks (Preview)** in the **Encryption** section. By default, **Encryption type** is set to **Encryption at-rest with a platform managed key**.
5052

51-
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/disks-page.png" alt-text="Disks tab of Configuration and policies page":::
52-
1. For **Encryption type**, select **Encryption at-rest with a customer managed key** from drop-down list.
53+
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/disks-page.png" alt-text="Screenshot that shows the Disks pane in Configuration and policies." lightbox="./media/encrypt-disks-customer-managed-keys/disks-page.png":::
54+
55+
1. Under **Encryption type**, select **Encryption at-rest with a customer managed key**.
5356
1. For **Disk encryption set**, select the disk encryption set you created earlier. It's the same disk encryption set that the system-assigned identity of the lab can access.
54-
1. Select **Save** on the toolbar.
57+
1. Select **Save** at the top of the pane.
58+
59+
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/disk-encryption-set.png" alt-text="Screenshot that shows the steps to complete in Configuration and policies." lightbox="./media/encrypt-disks-customer-managed-keys/disk-encryption-set.png":::
5560

56-
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/disk-encryption-set.png" alt-text="Enable encryption with customer-managed key":::
57-
1. On the message box with the following text: *This setting will apply to newly created machines in the lab. Old OS disk will remain encrypted with the old disk encryption set*, select **OK**.
61+
1. A message box appears with the following message: *This setting will apply to newly created machines in the lab. Old OS disk will remain encrypted with the old disk encryption set*. Select **OK**.
5862

59-
Once configured, lab disks will be encrypted with the customer-managed key provided using the disk encryption set.
63+
After this configuration, lab disks are encrypted with the customer-managed key provided in the disk encryption set.
6064

61-
## How to validate if disks are being encrypted
65+
## How to validate that disks are being encrypted
6266

63-
1. Go to a lab virtual machine created after enabling disk encryption with a customer managed key on the lab.
67+
1. Go to a lab virtual machine that you created after enabling disk encryption with a customer-managed key on the lab.
6468

6569
> [!div class="mx-imgBorder"]
66-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png" alt-text="VM with enabled disk encryption":::
67-
1. Click on the resource group of the VM and click on the OS Disk.
70+
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png" alt-text="Screenshot that shows a VM with disk encryption enabled." lightbox="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png":::
71+
72+
1. Select the resource group of the VM and then select the OS disk.
6873

6974
> [!div class="mx-imgBorder"]
70-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png" alt-text="VM resource group":::
71-
1. Go to Encryption and validate if encryption is set to customer managed key with the Disk Encryption Set you selected.
75+
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png" alt-text="Screenshot that shows the VM in its resource group." lightbox="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png":::
76+
77+
1. In the left pane, select **Encryption**. Validate that encryption is set to customer-managed key with the disk encryption set that you selected.
7278

7379
> [!div class="mx-imgBorder"]
74-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/validate-encryption.png" alt-text="Validate encryption":::
80+
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/validate-encryption.png" alt-text="Screenshot that shows the encryption type of the VM.":::
7581
7682
## Related content
7783

78-
See the following articles:
79-
80-
- [Azure Disk Encryption](/azure/virtual-machines/disk-encryption).
84+
- [Azure disk encryption](/azure/virtual-machines/disk-encryption)
8185
- [Customer-managed keys](/azure/virtual-machines/disk-encryption#customer-managed-keys)
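Review bot: the image on line 80+ (`validate-encryption.png`) is the only updated image in this hunk that did not gain a `lightbox` attribute (compare lines 34+, 53+, 59+, 70+ and 75+), and its alt text says "encryption type of the VM" while step 77+ is about the OS disk's Encryption pane; suggest `lightbox="./media/encrypt-disks-customer-managed-keys/validate-encryption.png"` and alt text "Screenshot that shows the encryption type of the OS disk." Separately, line 36+ asks the lab owner to grant the lab's system-assigned identity the Virtual Machine Contributor role on the underlying Azure subscription without saying why subscription scope is required; a sentence stating the reason (or that a narrower scope is not sufficient) would help readers who apply least privilege and will otherwise question the breadth of that assignment.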
