docs(review): review neda

nerda-codes · web-flow · commit 61eb5f721191 · 2025-05-12T14:45:05.000+02:00
diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx
@@ -1,66 +1,62 @@
 ---
 meta:
   title: Cryptographic details of Scaleway Key Manager
-  description: This document details the cryptographic mechanisms of Scaleway Key Manager with adherence to ANSSI-PA-079 recommendations
+  description: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations.
 content:
   h1: Cryptographic details of Scaleway Key Manager
-  paragraph: This document details the cryptographic mechanisms of Scaleway Key Manager with adherence to ANSSI-PA-079 recommendations
+  paragraph: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations.
 tags: key-manager security
+categories:
+  - identity-and-access-management
 dates:
-  validation: 2025-04-30
-  posted: 2025-04-30
+  validation: 2025-05-12
+  posted: 2025-05-12
 ---
 
 ## Cryptographic primitives
 
 ### Random number generation
 
-#### Generating KEKs
+#### Key encryption key (KEK) generation
 
-Scaleway Key Manager uses a **Cryptographically Secure Pseudorandom Number Generator (CSPRNG)**
-to generate both keying material for managed keys and cryptographic unique IVs.
+Scaleway Key Manager uses a **C**ryptographically **S**ecure **P**seudorandom **N**umber **G**enerator (CSPRNG) to generate both keying material for managed keys and cryptographically unique initialization vectors (IVs).
 
-The CSPRNG relies on recent Linux provided ChaCha-based PRNG, which is seeded with high-entropy and unpredictable sources:
- - Timing variations from hardware events
- - True Random Number Generators (TRNGs), such as the `RDSEED`/`RDRAND` instructions on AMD64 family processors
+This CSPRNG is based on the ChaCha-based pseudorandom number generator provided by modern Linux kernels. It is seeded with high-entropy, unpredictable sources, such as:
+
+- Timing variations from hardware events  
+- True Random Number Generators (TRNGs), including the `RDSEED` and `RDRAND` instructions available on AMD64 processors
 
 <Message type="note">
-Conforms to ANSSI-PA-079 R14.
+ Complies with ANSSI-PA-079 Recommendation R14.
 </Message>
 
-<Message type="warning">
-That section does not apply to key imported by users via the Bring Your Own Key (BYOK) mechanism.
+<Message type="important">
+ The information in the section above does not apply to keys imported via the Bring Your Own Key (BYOK) mechanism.
 </Message>
 
 
 #### Customer-provided KEKs (BYOK)
 
-Scaleway's Key Manager supports Bring Your Own Key (BYOK), so customer can import their
-own key material without relying on Scaleway to generate keys for them. In this case,
-the user has the responsibility to provide a strong key material.
+Scaleway Key Manager supports Bring Your Own Key (BYOK), allowing customers to import their own key material. In this model, Scaleway does not generate keys on behalf of the customer. Instead, the responsibility for generating strong key material lies with the user.
 
-The provided material is not used as is. It is derived using the **HKDF algorithm with SHA2-256**
-as the hash algorithm, with secure random bytes injected as salt.
+Imported key material is is not used directly, but processed using the **HKDF algorithm with SHA-256** as the hash function, incorporating secure random bytes as salt.
 
 ### Symmetric encryption
 
-Scaleway Key Manager uses **AES-256-GCM** (AES with 256-bit key in Galois Counter Mode) with
-authenticated associated data (AEAD) to encrypt and decrypt user-provided payload.
-
-To reduce the risk of key overuse, plaintext payloads cannot exceed 64 KiB.
+Scaleway Key Manager uses **AES-256-GCM** (AES with a 256-bit key in Galois/Counter Mode) with authenticated associated data (AEAD) for encrypting and decrypting user payloads.
 
-For each encryption operation, a 96-bit Initialization Vector (IV)
-is generated using the CSPRNG described in the previous section.
+To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above.
 
 <Message type="note">
-Conforms to ANSSI-PA-079 R1, R4, R12.
+  Complies with ANSSI-PA-079 Recommendations R1, R4, and R12.
 </Message>
 
-<Message type="warning">
-The Key Manager uses AES-256-GCM algorithm internally, but this does not constrain users to the same algorithm for their DEKs.
-We recommend using cryptographic libraries like Tink, which handle DEK management with robust and reviewed algorithms.
-Scaleway provides a Tink integrations for Go and Python, which is the preferred integration method.
- - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms)
- - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms)
+<Message type="important">
+ While Key Manager internally uses AES-256-GCM, this does not restrict users to the same algorithm for their data encryption keys (DEKs).  
+  We recommend using cryptographic libraries like Tink, which handle DEK management with robust and reviewed algorithms.
+  Scaleway provides Tink integrations for Go and Python, which is the preferred integration method.
+  
+   - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms)
+   - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms)
 
 </Message>
