
Commit 112a83b

Merge pull request #29207 from rwestMSFT/rw-1130-tde
[SCOPED] TDE is not transparent database encryption
2 parents 7cbc3ba + 5d11eac commit 112a83b

8 files changed

Lines changed: 11 additions & 11 deletions

azure-sql/database/security-best-practice.md

Lines changed: 1 addition & 1 deletion
@@ -401,7 +401,7 @@ Encryption at rest is the cryptographic protection of data when it is persisted
401401

402402
**How to implement**
403403

404-
- [Transparent Database Encryption (TDE)](transparent-data-encryption-tde-overview.md) with service managed keys are enabled by default for any databases created after 2017 in Azure SQL Database and SQL Managed Instance.
404+
- [Transparent data encryption (TDE)](transparent-data-encryption-tde-overview.md) with service managed keys are enabled by default for any databases created after 2017 in Azure SQL Database and SQL Managed Instance.
405405
- In a managed instance, if the database is created from a restore operation using an on-premises server, the TDE setting of the original database will be honored. If the original database doesn't have TDE enabled, we recommend that TDE be manually turned on for the managed instance.
406406

407407
**Best practices**
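
Review bot: On the changed line 404 the subject is singular ("Transparent data encryption (TDE) with service managed keys"), so "are enabled by default" should read "is enabled by default". Since the line is already being touched, consider hyphenating "service-managed keys" as well.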

azure-sql/managed-instance/doc-changes-updates-known-issues.md

Lines changed: 1 addition & 1 deletion
@@ -118,7 +118,7 @@ A DNS record of `<name>.database.windows.com` is created when you create a [logi
118118

119119
### Service Principal can't access Microsoft Entra ID and AKV
120120

121-
In some circumstances, there might exist an issue with Service Principal used to access Microsoft Entra ID ([formerly Azure Active Directory](/azure/active-directory/fundamentals/new-name)) and Azure Key Vault (AKV) services. As a result, this issue impacts usage of Microsoft Entra authentication and Transparent Database Encryption (TDE) with SQL Managed Instance. This might be experienced as an intermittent connectivity issue, or not being able to run statements such are `CREATE LOGIN/USER FROM EXTERNAL PROVIDER` or `EXECUTE AS LOGIN/USER`. Setting up TDE with customer-managed key on a new Azure SQL Managed Instance might also not work in some circumstances.
121+
In some circumstances, there might exist an issue with Service Principal used to access Microsoft Entra ID ([formerly Azure Active Directory](/azure/active-directory/fundamentals/new-name)) and Azure Key Vault (AKV) services. As a result, this issue impacts usage of Microsoft Entra authentication and transparent data encryption (TDE) with SQL Managed Instance. This might be experienced as an intermittent connectivity issue, or not being able to run statements such are `CREATE LOGIN/USER FROM EXTERNAL PROVIDER` or `EXECUTE AS LOGIN/USER`. Setting up TDE with customer-managed key on a new Azure SQL Managed Instance might also not work in some circumstances.
122122

123123
**Workaround**: To prevent this issue from occurring on your SQL Managed Instance before executing any update commands, or in case you have already experienced this issue after update commands, go to Azure portal, access SQL Managed Instance [Active Directory admin page](../database/authentication-aad-configure.md?tabs=azure-powershell#azure-portal). Verify if you can see the error message "Managed Instance needs a Service Principal to access Microsoft Entra ID. Click here to create a Service Principal". In case you've encountered this error message, select it, and follow the step-by-step instructions provided until this error have been resolved.
124124
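
Review bot: The changed line 121 still carries the typo "statements such are `CREATE LOGIN/USER FROM EXTERNAL PROVIDER`"; it should read "such as" and is worth fixing in the same edit. The unchanged workaround paragraph on line 123 has a similar slip ("until this error have been resolved").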

docs/relational-databases/security/encryption/transparent-data-encryption.md

Lines changed: 1 addition & 1 deletion
@@ -77,7 +77,7 @@ The Windows Data Protection API (DPAPI) is at the root of the encryption tree, s
7777

7878
The following illustration shows the architecture of TDE encryption. Only the database-level items (the database encryption key and `ALTER DATABASE` portions) are user-configurable when you use TDE on [!INCLUDE [ssSDS](../../../includes/sssds-md.md)].
7979

80-
:::image type="content" source="media/transparent-data-encryption/tde-architecture.png" alt-text="The Transparent Database Encryption architecture.":::
80+
:::image type="content" source="media/transparent-data-encryption/tde-architecture.png" alt-text="Diagram showing the transparent data encryption architecture.":::
8181

8282
## Enable TDE
8383
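
Review bot: The context sentence on line 78 still says "the architecture of TDE encryption", which expands to "transparent data encryption encryption". Because this commit is a terminology cleanup, consider changing it to "the architecture of TDE" in the same pass; the new alt text itself reads fine.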

docs/reporting-services/what-s-new-in-sql-server-reporting-services-ssrs.md

Lines changed: 2 additions & 2 deletions
@@ -74,9 +74,9 @@ With Azure Active Directory Application Proxy, you no longer need to manage your
7474

7575
Sets header values for all URLs matching the specified regex pattern. Users can update the custom header value with valid XML to set header values for selected request URLs. Admins can add any number of headers in the XML. See [Custom headers](tools/server-properties-advanced-page-reporting-services.md#customheaders) in the **Server Properties Advanced Page** article for details.
7676

77-
### Transparent Database Encryption
77+
### Transparent data encryption
7878

79-
SQL Server 2019 now supports Transparent Database Encryption for the SSRS catalog database for Enterprise and Standard editions.
79+
[!INCLUDE [sssql19-md](../includes/sssql19-md.md)] now supports transparent data encryption (TDE) for the SSRS catalog database, for Enterprise and Standard editions.
8080

8181
### Microsoft Report Builder update
8282
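
Review bot: Renaming the heading on line 77 from "### Transparent Database Encryption" to "### Transparent data encryption" changes the bookmark generated from the heading text, so any link that targets the old section anchor would no longer land on this section. Please search the repo for inbound links to that anchor before merging, or confirm that none exist.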

docs/sql-server/editions-and-components-of-sql-server-2019.md

Lines changed: 1 addition & 1 deletion
@@ -221,7 +221,7 @@ The Developer edition continues to support only 1 client for [[!INCLUDE[ssNoVers
221221
| Dynamic data masking | Yes | Yes | Yes | Yes | Yes |
222222
| Server audit | Yes | Yes | Yes | Yes | Yes |
223223
| Database audit | Yes | Yes | Yes | Yes | Yes |
224-
| Transparent Database Encryption (TDE) | Yes | Yes | Yes | No | No |
224+
| Transparent data encryption (TDE) | Yes | Yes | Yes | No | No |
225225
| Extensible key management (EKM) | Yes | Yes | No | No | No |
226226
| User-defined roles | Yes | Yes | Yes | Yes | Yes |
227227
| Contained databases | Yes | Yes | Yes | Yes | Yes |

docs/sql-server/editions-and-components-of-sql-server-2022.md

Lines changed: 1 addition & 1 deletion
@@ -233,7 +233,7 @@ SQL Server 2022 includes features for connecting to [Azure Synapse Analytics](/a
233233
| Dynamic data masking | Yes | Yes | Yes | Yes | Yes |
234234
| Server audit | Yes | Yes | Yes | Yes | Yes |
235235
| Database audit | Yes | Yes | Yes | Yes | Yes |
236-
| Transparent Database Encryption (TDE) | Yes | Yes | Yes | No | No |
236+
| Transparent data encryption (TDE) | Yes | Yes | Yes | No | No |
237237
| Extensible key management (EKM) | Yes | Yes | No | No | No |
238238
| User-defined roles | Yes | Yes | Yes | Yes | Yes |
239239
| Contained databases | Yes | Yes | Yes | Yes | Yes |

docs/sql-server/what-s-new-in-sql-server-2019.md

Lines changed: 2 additions & 2 deletions
@@ -178,7 +178,7 @@ One common task that everyone who deploys [!INCLUDE [ssNoVersion](../includes/ss
178178
| :--- | :--- |
179179
| Online clustered columnstore index build and rebuild | See [Perform Index Operations Online](../relational-databases/indexes/perform-index-operations-online.md). |
180180
| Resumable online rowstore index build | See [Perform Index Operations Online](../relational-databases/indexes/perform-index-operations-online.md). |
181-
| Suspend and resume initial scan for Transparent Data Encryption (TDE) | See [Transparent Data Encryption (TDE) scan - suspend and resume](../relational-databases/security/encryption/transparent-data-encryption.md#scan-suspend-resume). |
181+
| Suspend and resume initial scan for transparent data encryption (TDE) | See [Transparent Data Encryption (TDE) scan - suspend and resume](../relational-databases/security/encryption/transparent-data-encryption.md#scan-suspend-resume). |
182182

183183
## Platform choice
184184
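
Review bot: On line 181 the first cell now uses sentence case, but the link text in the second cell of the same row still reads "Transparent Data Encryption (TDE) scan - suspend and resume". Consider lowercasing the link text too so the row is consistent, unless it is meant to mirror the target heading verbatim.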

@@ -253,7 +253,7 @@ This release introduces new features to improve file operations.
253253

254254
## SQL Server Reporting Services
255255

256-
This release of SQL Server Reporting Services features support for Azure SQL Managed Instances, Power BI Premium datasets, enhanced accessibility, Azure Active Directory Application Proxy, and Transparent Database Encryption. It also brings an update to Microsoft Report Builder. See [What's new in SQL Server Reporting Services](../reporting-services/what-s-new-in-sql-server-reporting-services-ssrs.md) for details.
256+
This release of SQL Server Reporting Services features support for Azure SQL Managed Instances, Power BI Premium datasets, enhanced accessibility, Azure Active Directory Application Proxy, and transparent data encryption (TDE). It also brings an update to Microsoft Report Builder. See [What's new in SQL Server Reporting Services](../reporting-services/what-s-new-in-sql-server-reporting-services-ssrs.md) for details.
257257

258258
## Related content
259259

docs/t-sql/statements/create-database-encryption-key-transact-sql.md

Lines changed: 2 additions & 2 deletions
@@ -31,7 +31,7 @@ monikerRange: ">=aps-pdw-2016||>=sql-server-2016||>=sql-server-linux-2017||=azur
3131

3232
[!INCLUDE [sql-asdbmi-pdw](../../includes/applies-to-version/sql-asdbmi-pdw.md)]
3333

34-
Creates an encryption key that is used for transparently encrypting a database. For more information about transparent database encryption, see [Transparent Data Encryption &#40;TDE&#41;](../../relational-databases/security/encryption/transparent-data-encryption.md).
34+
Creates an encryption key that is used for transparently encrypting a database. For more information about transparent data encryption (TDE), see [Transparent Data Encryption &#40;TDE&#41;](../../relational-databases/security/encryption/transparent-data-encryption.md).
3535

3636
:::image type="icon" source="../../includes/media/topic-link-icon.svg" border="false"::: [Transact-SQL syntax conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md)
3737
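
Review bot: The new wording on line 34 spells out and abbreviates the term twice in one sentence: "about transparent data encryption (TDE), see [Transparent Data Encryption &#40;TDE&#41;]". Consider shortening it to "For more information, see ..." and using sentence case with plain parentheses in the link text, which matches the casing this commit applies elsewhere.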

@@ -78,7 +78,7 @@ ENCRYPTION BY SERVER ASYMMETRIC KEY Encryptor_Name
7878
Specifies the name of the asymmetric key used to encrypt the database encryption key. In order to encrypt the database encryption key with an asymmetric key, the asymmetric key must reside on an extensible key management provider.
7979

8080
## Remarks
81-
A database encryption key is required before a database can be encrypted by using *Transparent Database Encryption* (TDE). When a database is transparently encrypted, the whole database is encrypted at the file level, without any special code modifications. The certificate or asymmetric key that is used to encrypt the database encryption key must be located in the master system database.
81+
A database encryption key is required before a database can be encrypted by using transparent data encryption (TDE). When a database is transparently encrypted, the whole database is encrypted at the file level, without any special code modifications. The certificate or asymmetric key that is used to encrypt the database encryption key must be located in the master system database.
8282

8383
Certificates or asymmetric keys used for TDE are limited to a private key size of 3072 bits.
8484
