
Commit 017274e

committed
fix one
1 parent 49fe97b commit 017274e

1 file changed

Lines changed: 1 addition & 1 deletion

articles/security/fundamentals/iaas.md

@@ -143,7 +143,7 @@ Encrypt your virtual hard disks (VHDs) to help protect your boot volume and data
143143
The following best practices help you use encryption at host:
144144

145145
**Best practice**: Enable encryption at host on VMs by default.
146-
**Detail**: Encryption at host is enabled by default for new VMs and provides transparent encryption by using platform-managed keys without requiring extra configuration. If you choose to use customer-managed keys, store them in Azure Key Vault or Azure Key Vault Managed HSM. Microsoft Entra authentication is required for access. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Microsoft Entra authentication](/entra/identity/authentication/active-directory-certificate-based-authentication-get-started.md).
146+
**Detail**: Encryption at host is enabled by default for new VMs and provides transparent encryption by using platform-managed keys without requiring extra configuration. If you choose to use customer-managed keys, store them in Azure Key Vault or Azure Key Vault Managed HSM. Microsoft Entra authentication is required for access. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Microsoft Entra authentication](/entra/identity/authentication/how-to-certificate-based-authentication).
147147

148148
**Best practice**: When using customer-managed keys, use a key encryption key (KEK) for an extra layer of security for encryption keys.
149149
**Detail**: When using customer-managed keys, use the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet to create a key encryption key in Azure Key Vault or Managed HSM. You can also import a KEK from your on-premises hardware security module (HSM). For more information, see the [Key Vault documentation](/azure/key-vault/keys/hsm-protected-keys). When you specify a key encryption key, encryption at host uses that key to wrap the encryption secrets. Keeping an escrow copy of this key in an on-premises key management HSM offers extra protection against accidental deletion of keys.
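Review bot: The commit message "fix one" does not say what was fixed; since the whole change is replacing the link target on line 146 from `/entra/identity/authentication/active-directory-certificate-based-authentication-get-started.md` to `/entra/identity/authentication/how-to-certificate-based-authentication`, a message such as "Fix link to certificate-based authentication article in iaas.md" would make the history searchable. The new target also drops the `.md` suffix, which matches the other cross-docset links in this hunk (`/powershell/module/az.keyvault/add-azkeyvaultkey`, `/azure/key-vault/keys/hsm-protected-keys`), so the link style is now consistent; the surrounding prose is unchanged and needs no further edit.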
