
Commit 46e6e57

msmbaldwin and Copilot committed
Second pass: fix fact-check issues, restore incorrectly removed services
- Revert: restore CMK to AKV Standard use cases (technically supported)
- Revert: restore StorSimple, Content Moderator, Personalizer (not retired)
- Remove PostgreSQL Single Server (retired March 2025)
- Remove blanket FIPS 140-3 Level 3 claims (oversimplified Platform 1 vs 2)
- Fix encryption-overview.md: 'Microsoft never sees your keys' overstates KV isolation
- Soften compliance language to 'requirements that mandate HSM-protected keys'
- Move double-encryption independence sentence after bullet list

Co-authored-by: Copilot <[email protected]>
1 parent 19ad516 commit 46e6e57

7 files changed

Lines changed: 13 additions & 9 deletions

articles/security/fundamentals/double-encryption.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,9 +23,11 @@ Azure provides double encryption for data at rest and data in transit.
2323
## Data at rest
2424
Microsoft’s approach to enabling two layers of encryption for data at rest is:
2525

26-
- **Encryption at rest using customer-managed keys**. You provide your own key for data encryption at rest. You can bring your own keys to your Key Vault (BYOK – Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources. These two layers use separate keys from independent key hierarchies, managed by different operators — you control the service-level key while Microsoft controls the infrastructure-level key.
26+
- **Encryption at rest using customer-managed keys**. You provide your own key for data encryption at rest. You can bring your own keys to your Key Vault (BYOK – Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources.
2727
- **Infrastructure encryption using platform-managed keys**. By default, data is automatically encrypted at rest using platform-managed encryption keys.
2828

29+
These two layers use separate keys from independent key hierarchies, managed by different operators — you control the service-level key while Microsoft controls the infrastructure-level key.
30+
2931
## Data in transit
3032
Microsoft’s approach to enabling two layers of encryption for data in transit is:
3133
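Review bot: the customer-managed-keys bullet says "You provide your own key for data encryption at rest", but encryption-customer-managed-keys-support.md in this same commit describes the customer key as a key encryption key that wraps the service's data encryption keys, not the key that encrypts the data itself. Suggest wording the bullet to match, e.g. "You provide your own key encryption key, which the service uses to wrap and unwrap its data encryption keys." Moving the independence sentence after the list is an improvement, since "these two layers" now refers back to both bullets rather than only the first. Minor: "bring your own keys to your Key Vault (BYOK – Bring Your Own Key)" says the same thing twice; "(BYOK)" is enough.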

articles/security/fundamentals/encryption-atrest.md

Lines changed: 1 addition & 1 deletion
@@ -64,7 +64,7 @@ As described previously, the goal of encryption at rest is that data persisted o
6464

6565
### Azure Key Vault
6666

67-
The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. You need to highly secure the keys but make them manageable by specified users and available to specific services. For Azure services, Azure Key Vault (Premium tier) or Azure Managed HSM is the recommended key storage solution and provides a common management experience across services. Both are validated to FIPS 140-3 Level 3 for HSM-backed key protection. You store and manage keys in key vaults, and you can give users or services access to a key vault. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.
67+
The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. You need to highly secure the keys but make them manageable by specified users and available to specific services. For Azure services, Azure Key Vault (Premium tier) or Azure Managed HSM is the recommended key storage solution and provides a common management experience across services. You store and manage keys in key vaults, and you can give users or services access to a key vault. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.
6868

6969
### Microsoft Entra ID
7070
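Review bot: dropping the FIPS sentence entirely leaves the paragraph recommending Key Vault Premium or Managed HSM without saying what distinguishes them from the Standard tier, and the commit message's own reason for the removal (the Level 3 claim is oversimplified) argues for a narrower statement rather than none. Suggest replacing it with something the page can support, e.g. "Both protect keys in HSMs; see the key-management comparison for the validation level of each offering." Also "You need to highly secure the keys but make them manageable by specified users" reads awkwardly; "You need to protect the keys strongly while keeping them manageable by specified users and available to specific services" is cleaner.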

articles/security/fundamentals/encryption-customer-managed-keys-support.md

Lines changed: 4 additions & 2 deletions
@@ -11,7 +11,7 @@ ms.topic: article
1111

1212
# Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM
1313

14-
Customer-managed keys (CMK) is a key management control model in which you own and manage the key encryption key (KEK) in your own [Azure Key Vault](/azure/key-vault/) or [Azure Managed HSM](/azure/key-vault/managed-hsm/) instance. Azure services use your KEK to wrap and unwrap their data encryption keys through envelope encryption. For HSM-protected keys, use Azure Key Vault Premium tier or Azure Managed HSM, both validated to FIPS 140-3 Level 3.
14+
Customer-managed keys (CMK) is a key management control model in which you own and manage the key encryption key (KEK) in your own [Azure Key Vault](/azure/key-vault/) or [Azure Managed HSM](/azure/key-vault/managed-hsm/) instance. Azure services use your KEK to wrap and unwrap their data encryption keys through envelope encryption. For HSM-protected keys, use Azure Key Vault Premium tier or Azure Managed HSM.
1515

1616
The following services support server-side encryption with customer managed keys. For implementation details, see the service-specific documentation or the service's [Microsoft Cloud Security Benchmark: security baseline](/security/benchmark/azure/security-baselines-overview) (section DP-5).
1717
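Review bot: "Customer-managed keys (CMK) is a key management control model" pairs a plural subject with a singular verb; use "Customer-managed key (CMK) is ..." or "Customer-managed keys (CMK) are ...". The softened closing sentence is fine as far as it goes, but it now presents Key Vault Premium and Managed HSM as interchangeable for HSM-protected keys; key-management.md in this commit describes Managed HSM as single-tenant with a customer-owned security domain, so a short clause such as "Managed HSM additionally provides single-tenant HSMs under a customer-owned security domain" would keep the two pages consistent and tell readers why they might pick one over the other.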

@@ -29,9 +29,11 @@ The following services support server-side encryption with customer managed keys
2929
| [Azure Health Bot](/azure/health-bot/) | Yes | | [Configure customer-managed keys (CMK) for Azure Health Bot](/azure/health-bot/cmk) |
3030
| [Azure Machine Learning](/azure/machine-learning/) | Yes | | [Customer-managed keys for workspace encryption in Azure Machine Learning](/azure/machine-learning/concept-customer-managed-keys) |
3131
| [Azure OpenAI](/azure/ai-services/openai/) | Yes | Yes | [Azure OpenAI Service encryption of data at rest](/azure/ai-services/openai/encrypt-data-at-rest) |
32+
| [Content Moderator](/azure/ai-services/content-moderator/) | Yes | Yes | [Content Moderator encryption of data at rest](/azure/ai-services/content-moderator/encrypt-data-at-rest) |
3233
| [Dataverse](/powerapps/maker/data-platform/) | Yes | Yes | [Customer-managed keys in Dataverse](/power-platform/admin/customer-managed-key) |
3334
| [Dynamics 365](/dynamics365/) | Yes | Yes | [Customer-managed keys for encryption](/dynamics365/fin-ops-core/dev-itpro/sysadmin/customer-managed-keys) |
3435
| [Azure AI Face](/azure/ai-services/computer-vision/overview-identity) | Yes | Yes | [Face service encryption of data at rest](/azure/ai-services/computer-vision/identity-encrypt-data-at-rest) |
36+
| [Personalizer](/azure/ai-services/personalizer/) | Yes | Yes | [Encryption of data at rest in Personalizer](/azure/ai-services/personalizer/encrypt-data-at-rest) |
3537
| [Power Platform](/power-platform/) | Yes | Yes | [Customer-managed keys in Power Platform](/power-platform/admin/customer-managed-key) |
3638
| [Custom question answering](/azure/ai-services/language-service/question-answering/overview) | Yes | | [Custom question answering encryption of data at rest](/azure/ai-services/language-service/question-answering/how-to/encrypt-data-at-rest) |
3739
| [Azure Speech in Foundry Tools](/azure/ai-services/speech-service/) | Yes | Yes | [Speech service encryption of data at rest](/azure/ai-services/speech-service/speech-encryption-of-data-at-rest) |
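Review bot: the commit message restores Content Moderator and Personalizer on the grounds that they are "not retired", but nothing in the rows records that status, so the next fact-check pass has no way to tell a current service from one in a deprecation window and may remove them again. If either service has an announced retirement date, add it in the row or in a footnote; if neither does, the restore is fine as-is. Both rows follow the existing column pattern (Key Vault Yes, Managed HSM Yes, link to the service's encryption-at-rest article).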
@@ -88,7 +90,6 @@ The following services support server-side encryption with customer managed keys
8890
| [Azure Cosmos DB for MongoDB vCore](/azure/cosmos-db/mongodb/vcore/) | Yes | | [Configure customer-managed keys for Azure Cosmos DB for MongoDB vCore](/azure/cosmos-db/mongodb/vcore/how-to-data-encryption) |
8991
| [Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/concepts-customer-managed-key) |
9092
| [Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/concepts-data-encryption) |
91-
| [Azure Database for PostgreSQL - Single Server](/azure/postgresql/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for PostgreSQL - Single Server](/previous-versions/azure/postgresql/single-server/concepts-data-encryption-postgresql) |
9293
| [Azure Managed Instance for Apache Cassandra](/azure/managed-instance-apache-cassandra/) | Yes | | [Configure customer-managed keys for encryption](/azure/managed-instance-apache-cassandra/customer-managed-keys) |
9394
| [Azure SQL Database](/azure/azure-sql/database/) | Yes (RSA 3072-bit) | Yes | [Bring your own key (BYOK) support for Transparent Data Encryption (TDE)](/azure/azure-sql/database/transparent-data-encryption-byok-overview) |
9495
| [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/) | Yes (RSA 3072-bit) | Yes | [Bring your own key (BYOK) support for Transparent Data Encryption (TDE)](/azure/azure-sql/database/transparent-data-encryption-byok-overview) |
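Review bot: removing the Single Server row is correct given the /previous-versions/ path it already linked to; no objection. While in this hunk: the "Yes (RSA 3072-bit)" cells for Azure SQL Database and SQL Managed Instance do not say whether 3072 is the maximum supported size, the only supported size, or a recommendation, and no other row carries a qualifier of that kind. Consider spelling it out, e.g. "Yes (RSA keys up to 3072-bit)", if that is what the linked TDE BYOK article states.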
@@ -166,6 +167,7 @@ The following services support server-side encryption with customer managed keys
166167
| [Managed Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Encryption at host for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |
167168
| [Premium Blob Storage](/azure/storage/blobs/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |
168169
| [Queue Storage](/azure/storage/queues/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |
170+
| [StorSimple](/azure/storsimple/) | Yes | | [Azure StorSimple security features](/azure/storsimple/storsimple-security#data-encryption) |
169171
| [Ultra Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Encryption at host for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |
170172

171173
## Other
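Review bot: the restored StorSimple row links to a general "security features" article rather than a CMK configuration article like every other row in the table, and its Managed HSM column is blank. Before merging, confirm that StorSimple actually wraps its encryption keys with a key held in Key Vault; if its data-encryption feature uses a customer-supplied key held outside Key Vault, a "Yes" in the Key Vault column is misleading and the service belongs in a note rather than in this table. The commit message's "not retired" justification is not recorded on the page either, so please check it against the product lifecycle page and cite it in the row or footnote.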

articles/security/fundamentals/encryption-models.md

Lines changed: 1 addition & 1 deletion
@@ -88,7 +88,7 @@ Some services might store only the root Key Encryption Key in Azure Key Vault an
8888

8989
Loss of key encryption keys means loss of data. For this reason, don't delete keys. Always back up keys when you create or rotate them. When a KEK is rotated, the service re-wraps the data encryption keys with the new key version — the underlying data is not re-encrypted. Both old and new key versions must remain enabled until all data encryption keys have been re-wrapped. To protect against accidental or malicious cryptographic erasure, [Soft-Delete and purge protection](/azure/key-vault/general/soft-delete-overview) must be enabled on any vault storing key encryption keys. Instead of deleting a key, set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in [Azure Key Vault](/azure/key-vault/general/security-features#access-model-overview) or [Managed HSM](/azure/key-vault/managed-hsm/secure-your-managed-hsm).
9090

91-
For customer-managed key scenarios, Azure Key Vault Premium tier (HSM-backed) is recommended as the minimum for compliance requirements. Azure Managed HSM is recommended for workloads requiring key sovereignty or dedicated HSM capacity.
91+
For customer-managed key scenarios, Azure Key Vault Premium tier (HSM-backed) is recommended as the minimum for compliance requirements that mandate HSM-protected keys. Azure Managed HSM is recommended for workloads requiring key sovereignty or dedicated HSM capacity.
9292

9393
> [!NOTE]
9494
> For a list of services that support customer-managed keys in Azure Key Vault and Azure Managed HSM, see [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-customer-managed-keys-support.md).
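Review bot: the softened sentence now says when Premium tier is the minimum but not when Standard tier is acceptable, while key-management-choose.md in this same commit restores CMK as a Standard-tier use case. Add the complementary clause so the two pages agree, e.g. "Where no such mandate exists, Standard tier (software-protected keys) also supports customer-managed keys." The preceding paragraph's advice to disable rather than delete a KEK is sound; consider adding that disabling the key makes every data encryption key wrapped by it unusable until it is re-enabled, since that is the intended revocation effect and readers may otherwise expect disabling to be non-disruptive.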

articles/security/fundamentals/encryption-overview.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ author: msmbaldwin
66
ms.service: security
77
ms.subservice: security-fundamentals
88
ms.topic: article
9-
ms.date: 01/12/2026
9+
ms.date: 04/02/2026
1010
ms.author: mbaldwin
1111
---
1212

@@ -128,7 +128,7 @@ A site-to-site VPN gateway connection connects your on-premises network to an Az
128128

129129
Without proper protection and management of keys, encryption is useless. Azure offers several key management solutions, including Azure Key Vault, Azure Key Vault Managed HSM, Azure Cloud HSM, and Azure Payment HSM.
130130

131-
Key Vault removes the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. By using Key Vault, you maintain control—Microsoft never sees your keys, and applications don't have direct access to them. You can also import or generate keys in HSMs.
131+
Key Vault removes the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. By using Key Vault, you maintain control—applications don't have direct access to your keys. You can also import or generate keys in HSMs. For the strongest key isolation guarantees, Azure Managed HSM provides a customer-owned security domain where Microsoft has no access to your key material.
132132

133133
For more information about key management in Azure, see [Key management in Azure](/azure/security/fundamentals/key-management).
134134
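Review bot: "applications don't have direct access to your keys" is still stronger than what Key Vault provides. An application granted key permissions can invoke wrap, unwrap, sign and decrypt operations with the key; what it cannot do is read or export the key material. Suggest "applications use keys through Key Vault operations but cannot read or export the key material". The added Managed HSM sentence is consistent with the security-domain wording in key-management.md in this commit, which is the right place to have pointed the stronger isolation claim.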

articles/security/fundamentals/key-management-choose.md

Lines changed: 1 addition & 1 deletion
@@ -69,7 +69,7 @@ Use the following table to compare all the solutions side by side. Answer each q
6969
| What level of **compliance** do you need? | FIPS 140-2 level 1 | FIPS 140-3 level 3† | FIPS 140-3 level 3, PCI DSS, PCI 3DS | FIPS 140-3 level 3 | FIPS 140-2 level 3, PCI HSM v3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN |
7070
| Do you need **key sovereignty**? | No | No | Yes | Yes | Yes |
7171
| Do you need **single tenancy**? | No | No | Yes | Yes | Yes |
72-
| What are your **use cases**? | Encryption at Rest, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | Lift and shift, PKCS#11, TLS Offload, TDE, code signing | Payment PIN processes, custom |
72+
| What are your **use cases**? | Encryption at Rest, CMK, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | Lift and shift, PKCS#11, TLS Offload, TDE, code signing | Payment PIN processes, custom |
7373
| Do you need **HSM hardware protection**? | No | Yes | Yes | Yes | Yes |
7474
| What kind of **objects** do you need to store? | Asym Keys, Secrets, Certs | Asym Keys, Secrets, Certs | Asym/Sym Keys only‡ | Asym/Sym Keys, Certs | Keys |
7575
| Do you need **dedicated capacity**? | No | No | Yes | Yes | Yes |
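Review bot: with CMK restored to the Standard-tier column, the only cues that those keys are software-protected are the "FIPS 140-2 level 1" and "HSM hardware protection: No" rows several lines away. The table already uses † and ‡ markers, so a footnote on the Standard CMK entry along the lines of "software-protected keys; services accept them, but they do not satisfy requirements that mandate HSM-protected keys" would match the wording introduced in encryption-models.md in this commit and stop the next reviewer from removing the entry again.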

articles/security/fundamentals/key-management.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ If you're an Azure Key Vault Premium customer looking for key sovereignty, singl
4646

4747
### Azure Key Vault Managed HSM
4848

49-
A FIPS 140-3 Level 3 validated, single-tenant HSM offering that gives clients full control of an HSM for encryption at rest, Keyless SSL/TLS offload, and custom applications. Azure Key Vault Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions—together acting as one logical, highly available HSM appliance—fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. The customer owns and controls the security domain, which is the root of trust for the HSM — loss of the security domain results in permanent, irrecoverable loss of all keys. Azure Key Vault Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see [What is Azure Key Vault Managed HSM?](/azure/key-vault/managed-hsm/overview)
49+
A FIPS 140-3 Level 3 validated, single-tenant HSM offering that gives customers full control of an HSM for encryption at rest, Keyless SSL/TLS offload, and custom applications. Azure Key Vault Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions—together acting as one logical, highly available HSM appliance—fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. The customer owns and controls the security domain, which is the root of trust for the HSM — loss of the security domain results in permanent, irrecoverable loss of all keys. Azure Key Vault Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see [What is Azure Key Vault Managed HSM?](/azure/key-vault/managed-hsm/overview)
5050

5151
### Azure Cloud HSM
5252
