@@ -35,7 +35,7 @@ Managing the TDE protector at the database level in Azure SQL Database is availa
35
35
> [!NOTE]
36
36
> In this article, the terms Customer Managed Key (CMK) and Bring Your Own Key (BYOK) are used interchangeably, but they represent some differences.
37
37
> -**Customer Managed Key (CMK)** - The customer manages the key lifecycle, including key creation, rotation, and deletion. The key is stored in [Azure Key Vault](/azure/key-vault/general/overview) or [Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/overview) and used for encryption of the Database Encryption Key (DEK) in Azure SQL, SQL Server on Azure VM, and SQL Server on-premises.
38
-
> -**Bring Your Own Key (BYOK)** - The customer securely brings or imports their own key from an on-premises hardware security module (HSM) into Azure Key Vault or Azure Key Vault Managed HSM. Such imported keys may be used as any other key in Azure Key Vault, including as a Customer Managed Key for encryption of the DEK. For more information, see [Import HSM-protected keys to Managed HSM (BYOK)](/azure/key-vault/managed-hsm/hsm-protected-keys-byok).
38
+
> -**Bring Your Own Key (BYOK)** - The customer securely brings or imports their own key from an on-premises hardware security module (HSM) into Azure Key Vault or Azure Key Vault Managed HSM. Such imported keys might be used as any other key in Azure Key Vault, including as a Customer Managed Key for encryption of the DEK. For more information, see [Import HSM-protected keys to Managed HSM (BYOK)](/azure/key-vault/managed-hsm/hsm-protected-keys-byok).
39
39
40
40
Customer-managed TDE provides the following benefits to the customer:
41
41
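Review bot: "may" to "might" shifts the meaning of the BYOK bullet. "Such imported keys may be used as any other key" states permission or capability, while "might be used" reads as uncertainty about whether they will be used at all. The usual style-guide replacement for this sense is "can": "Such imported keys can be used as any other key in Azure Key Vault, including as a Customer Managed Key for encryption of the DEK."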
@@ -106,7 +106,7 @@ Auditors can use Azure Monitor to review key vault AuditEvent logs, if logging i
106
106
107
107
### Requirements for configuring TDE protector
108
108
109
-
- TDE protector can only be an asymmetric, RSA, or RSA HSM key. The supported key lengths are 2048 bits and 3072 bits.
109
+
- TDE protector can only be an asymmetric, RSA, or RSA HSM key. The supported key lengths are 2,048 bits and 3,072 bits.
110
110
111
111
- The key activation date (if set) must be a date and time in the past. Expiration date (if set) must be a future date and time.
112
112
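Review bot: the thousands separator in "2,048 bits and 3,072 bits" makes the key lengths look different from the values a reader selects in Key Vault or passes to a cmdlet, which are written 2048 and 3072; keep the separator only if the rest of the TDE docs already use it for key sizes. While this line is being touched, "an asymmetric, RSA, or RSA HSM key" reads as three alternatives, but the intent is one: an asymmetric RSA or RSA-HSM key, e.g. "The TDE protector must be an asymmetric RSA or RSA-HSM key."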
@@ -244,7 +244,7 @@ Once a database is encrypted with TDE using a key from Key Vault, any newly gene
244
244
To restore a backup encrypted with a TDE protector from Key Vault, make sure that the key material is available to the target server. Therefore, we recommend that you keep all the old versions of the TDE protector in key vault, so database backups can be restored.
245
245
246
246
> [!IMPORTANT]
247
-
> At any moment there can be not more than one TDE protector set for a server. It's the key marked with "Make the key the default TDE protector" in the Azure portal pane. However, multiple additional keys can be linked to a server without marking them as a TDE protector. These keys aren't used for protecting DEK, but can be used during restore from a backup, if backup file is encrypted with the key with the corresponding thumbprint.
247
+
> There can't be more than one TDE protector set for a server at any moment. The key marked with **Make the key the default TDE protector** in the Azure portal pane is the TDE protector. However, multiple keys can be linked to a server without marking them as a TDE protector. These keys aren't used for protecting the DEK, but can be used during restore from a backup, if the backup file is encrypted with the key with the corresponding thumbprint.
248
248
249
249
If the key that is needed for restoring a backup is no longer available to the target server, the following error message is returned on the restore try:
250
250
"Target server `<Servername>` doesn't have access to all AKV URIs created between \<Timestamp #1> and \<Timestamp #2>. Retry operation after restoring all AKV URIs."
@@ -25,7 +25,7 @@ The tool will also digitally sign the column master properties with the column m
25
25
The `ENCLAVE_COMPUTATIONS` is immutable, meaning, you can't change it once you define the column master key in the metadata. To enable enclave computations using a column encryption key, that a given column master key encrypts, you need to rotate the column master key and replace it with an enclave-enabled column master key. See [Rotate enclave-enabled keys](always-encrypted-enclaves-rotate-keys.md).
26
26
27
27
> [!NOTE]
28
-
> Currently, both SSMS and PowerShell support enclave-enabled column master keys stored in Azure Key Vault or Windows Certificate Store. Hardware security modules (using CNG or CAPI) are not supported.
28
+
> Currently, both SSMS and PowerShell support enclave-enabled column master keys stored in Azure Key Vault or Windows Certificate Store. Hardware security modules (using CNG or CAPI) aren't supported.
29
29
30
30
To create an enclave-enabled column encryption key, you need to ensure that you select an enclave-enabled column master key to encrypt the new key.
31
31
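Review bot: the context line opening this hunk, "The `ENCLAVE_COMPUTATIONS` is immutable", is missing its noun; since the file is being edited for wording anyway, "The `ENCLAVE_COMPUTATIONS` property is immutable" plus dropping the stray comma in "using a column encryption key, that a given column master key encrypts" would fix the sentence. The contraction change itself is fine and is consistent with the similar HSM note updated later in this file.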
@@ -49,14 +49,14 @@ To provision an enclave-enabled column master key, follow the steps in [Provisio
> The **Allow enclave computations** checkbox appears only if a secure enclave is configured for your database. If you are using [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)], see [Configure the secure enclave in SQL Server](always-encrypted-enclaves-configure-enclave-type.md). If you are using [!INCLUDE [ssazure-sqldb](../../../includes/ssazure-sqldb.md)], see [Enable Always Encrypted with secure enclaves for your Azure SQL Database](/azure/azure-sql/database/always-encrypted-enclaves-enable).
52
+
> The **Allow enclave computations** checkbox appears only if a secure enclave is configured for your database. If you're using [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)], see [Configure the secure enclave in SQL Server](always-encrypted-enclaves-configure-enclave-type.md). If you're using [!INCLUDE [ssazure-sqldb](../../../includes/ssazure-sqldb.md)], see [Enable Always Encrypted with secure enclaves for your Azure SQL Database](/azure/azure-sql/database/always-encrypted-enclaves-enable).
53
53
54
54
> [!TIP]
55
55
> To check if a column master key is enclave-enabled, right-click on it in Object Explorer and select **Properties**. If the key is enclave-enabled, **Enclave Computations: Allowed** appears in the window showing the properties of the key. Alternatively, you can use the [sys.column_master_keys (Transact-SQL)](../../system-catalog-views/sys-column-master-keys-transact-sql.md) view.
56
56
57
57
### Provision enclave-enabled column encryption keys with the New Column Encryption Key dialog
58
58
59
-
To provision an enclave-enabled column encryption key, follow the steps in [Provision Column Encryption Keys with the New Column Encryption Key Dialog](configure-always-encrypted-keys-using-ssms.md#provision-column-encryption-keys-with-the-new-column-encryption-key-dialog). When selecting a column master key, make sure it is enclave-enabled.
59
+
To provision an enclave-enabled column encryption key, follow the steps in [Provision Column Encryption Keys with the New Column Encryption Key Dialog](configure-always-encrypted-keys-using-ssms.md#provision-column-encryption-keys-with-the-new-column-encryption-key-dialog). When selecting a column master key, make sure it's enclave-enabled.
60
60
61
61
> [!TIP]
62
62
> To check if a column encryption key is enclave-enabled, right-click on it in Object Explorer and select **Properties**. If the key is enclave-enabled, **Enclave Computations: Allowed** appears in the window showing the properties of the key.
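Review bot: the tip for checking a column master key points the reader at sys.column_master_keys without naming the column that carries the flag; "check the allow_enclave_computations column of sys.column_master_keys" would make the alternative actionable. The second tip (column encryption keys) has no catalog-view alternative, which is correct because the enclave flag lives on the master key that encrypts the column encryption key, so the asymmetry is fine as it stands.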
@@ -72,7 +72,7 @@ The SqlServer PowerShell module extends the [**New-SqlCertificateStoreColumnMas
72
72
Provisioning enclave-enabled column encryption keys is no different from provisioning column encryption keys that aren't enclave-enabled. You just need to make sure that a column master key used to encrypt the new column encryption key is enclave-enabled.
73
73
74
74
> [!NOTE]
75
-
> The SqlServer PowerShell module does not currently support provisioning enclave-enabled keys stored in hardware security modules (using CNG or CAPI).
75
+
> The SqlServer PowerShell module doesn't currently support provisioning enclave-enabled keys stored in hardware security modules (using CNG or CAPI).
76
76
77
77
### Example - provision enclave-enabled keys using Windows Certificate Store
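Review bot: in the context line "You just need to make sure that a column master key used to encrypt the new column encryption key is enclave-enabled", "just" is filler and "a column master key" should be "the column master key", since exactly one master key encrypts a given column encryption key; if this pass is extended beyond contractions, that sentence is a candidate.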
docs/relational-databases/security/encryption/always-encrypted-enclaves.md
Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn about the Always Encrypted with secure enclaves feature for S
4
4
author: Pietervanhove
5
5
ms.author: pivanho
6
6
ms.reviewer: vanto
7
-
ms.date: 02/03/2025
7
+
ms.date: 03/28/2025
8
8
ms.service: sql
9
9
ms.subservice: security
10
10
ms.topic: conceptual
@@ -143,7 +143,7 @@ The operations supported inside the secure enclaves are:
143
143
|[SELECT - GROUP BY- Transact-SQL](../../../t-sql/queries/select-group-by-transact-sql.md)| Supported | Supported | Not supported |
144
144
145
145
> [!NOTE]
146
-
> The above operations inside secure enclaves require randomized encryption. Deterministic encryption is not supported. Equality comparison remains the operation available for columns using deterministic encryption.
146
+
> The above operations inside secure enclaves require randomized encryption. Deterministic encryption isn't supported. Equality comparison remains the operation available for columns using deterministic encryption.
147
147
>
148
148
> The [compatibility level](../../../t-sql/statements/alter-database-transact-sql-compatibility-level.md) of the database should be set to SQL Server 2022 (160) or higher.
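Review bot: "Equality comparison remains the operation available for columns using deterministic encryption" is missing "only"; read literally it says equality is the operation, whereas the intent is that equality is the only operation still available with deterministic encryption. "The above operations" is also position-dependent wording; "The preceding operations" or "These operations" avoids that.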
docs/relational-databases/security/encryption/configure-always-encrypted-using-powershell.md
Lines changed: 7 additions & 6 deletions
@@ -4,7 +4,7 @@ description: Learn how to import and use the SqlServer PowerShell module, which
4
4
author: Pietervanhove
5
5
ms.author: pivanho
6
6
ms.reviewer: vanto
7
-
ms.date: 04/05/2023
7
+
ms.date: 03/28/2025
8
8
ms.service: sql
9
9
ms.subservice: security
10
10
ms.topic: how-to
@@ -17,11 +17,11 @@ The SqlServer PowerShell module provides cmdlets for configuring [Always Encrypt
17
17
18
18
## Security Considerations when using PowerShell to Configure Always Encrypted
19
19
20
-
Because the primary goal of Always Encrypted is to ensure encrypted sensitive data is safe, even if the database system gets compromised, executing a PowerShell script that processes keys or sensitive data on the SQL Server computer can reduce or defeat the benefits of the feature. For additional security-related recommendations, see [Security Considerations for Key Management](overview-of-key-management-for-always-encrypted.md#security-considerations-for-key-management).
20
+
Because the primary goal of Always Encrypted is to ensure encrypted sensitive data is safe, even if the database system gets compromised, executing a PowerShell script that processes keys or sensitive data on the SQL Server computer can reduce or defeat the benefits of the feature. For more security-related recommendations, see [Security Considerations for Key Management](overview-of-key-management-for-always-encrypted.md#security-considerations-for-key-management).
21
21
22
22
You can use PowerShell to manage Always Encrypted keys both with and without role separation, providing control over who has access to the actual encryption keys in the key store, and who has access to the database.
23
23
24
-
For additional recommendations, see [Security Considerations for Key Management](overview-of-key-management-for-always-encrypted.md#security-considerations-for-key-management).
24
+
For more recommendations, see [Security Considerations for Key Management](overview-of-key-management-for-always-encrypted.md#security-considerations-for-key-management).
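Review bot: this hunk now links to Security Considerations for Key Management twice within four lines ("For more security-related recommendations, see ..." at the end of line 20 and "For more recommendations, see ..." at line 24); one pointer is enough, and dropping the second removes the near-duplicate sentence.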
The [SQL Server PowerShell Provider](/powershell/sql-server/sql-server-powershell-provider) exposes the hierarchy of SQL Server objects in paths similar to file system paths. With SQL Server PowerShell, you can navigate the paths using Windows PowerShell aliases similar to the commands you typically use to navigate file system paths. Once you navigate to the target instance and the database, the subsequent cmdlets target that database, as shown in the following example.
79
+
80
+
The [SQL Server PowerShell Provider](/powershell/sql-server/sql-server-powershell-provider) exposes the hierarchy of SQL Server objects in paths similar to file system paths. With SQL Server PowerShell, you can navigate the paths using Windows PowerShell aliases similar to the commands you typically use to navigate file system paths. Once you navigate to the target instance and the database, the subsequent cmdlets target that database, as shown in the following example.
80
81
81
82
> [!NOTE]
82
-
> This method of connecting to a database works only for SQL Server (it is not supported in Azure SQL Database).
83
+
> This method of connecting to a database works only for SQL Server (it isn't supported in Azure SQL Database).
83
84
84
85
```PowerShell
85
86
# Import the SqlServer module.
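Review bot: the SQL Server PowerShell Provider paragraph appears twice in this region (once immediately after the line 24 change and again after the added lines 79 and 80); if this is a moved paragraph, confirm the earlier copy is deleted in the final file rather than left as a duplicate. The hunk header for this region is missing from the rendered diff, so the line numbers can't be checked here.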
@@ -135,7 +136,7 @@ The following PowerShell cmdlets are available for Always Encrypted:
-[Overview of key management for Always Encrypted](../../../relational-databases/security/encryption/overview-of-key-management-for-always-encrypted.md)