
Commit bf3dda9

Merge pull request #310280 from msmbaldwin/secfund-dataencryption
Data encryption and key management articles
2 parents 4770198 + 304a6e6 commit bf3dda9

6 files changed

Lines changed: 142 additions & 73 deletions

File tree

articles/security/fundamentals/data-encryption-best-practices.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -8,7 +8,7 @@ ms.assetid: 17ba67ad-e5cd-4a8f-b435-5218df753ca4
88
ms.service: security
99
ms.subservice: security-fundamentals
1010
ms.topic: article
11-
ms.date: 10/22/2025
11+
ms.date: 01/08/2026
1212
ms.author: mbaldwin
1313

1414
---

articles/security/fundamentals/encryption-atrest.md

Lines changed: 4 additions & 4 deletions
@@ -8,7 +8,7 @@ ms.assetid: 9dcb190e-e534-4787-bf82-8ce73bf47dba
88
ms.service: security
99
ms.subservice: security-fundamentals
1010
ms.topic: article
11-
ms.date: 04/16/2025
11+
ms.date: 01/08/2026
1212
ms.author: mbaldwin
1313

1414
---
@@ -88,19 +88,19 @@ Platform as a Service (PaaS) customer's data typically resides in a storage serv
8888

8989
### Encryption at rest for IaaS customers
9090

91-
Infrastructure as a Service (IaaS) customers can have a variety of services and applications in use. IaaS services can enable encryption at rest in their Azure hosted virtual machines and VHDs using encryption at host.
91+
Infrastructure as a Service (IaaS) customers can have a variety of services and applications in use. IaaS services can enable encryption at rest in their Azure hosted virtual machines using encryption at host.
9292

9393
#### Encrypted storage
9494

9595
Like PaaS, IaaS solutions can leverage other Azure services that store data encrypted at rest. In these cases, you can enable the Encryption at Rest support as provided by each consumed Azure service. The [Data encryption models](encryption-models.md) enumerates the major storage, services, and application platforms and the model of Encryption at Rest supported.
9696

9797
#### Encrypted compute
9898

99-
All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption using a service-managed key. A more complete Encryption at Rest solution ensures that the data is never persisted in unencrypted form. While processing the data on a virtual machine, data can be persisted to the Windows page file or Linux swap file, a crash dump, or to an application log. To ensure this data is encrypted at rest, IaaS applications can use encryption at host on an Azure IaaS virtual machine.
99+
All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption using a service-managed key. A more complete Encryption at Rest solution ensures that the data is never persisted in unencrypted form. While processing the data on a virtual machine, data can be persisted to the Windows page file or Linux swap file, a crash dump, or to an application log. To ensure this data is encrypted at rest, IaaS applications can use encryption at host on Azure IaaS virtual machines.
100100

101101
#### Custom encryption at rest
102102

103-
It is recommended that whenever possible, IaaS applications leverage encryption at host and Encryption at Rest options provided by any consumed Azure services. In some cases, such as irregular encryption requirements or non-Azure based storage, a developer of an IaaS application may need to implement encryption at rest themselves. Developers of IaaS solutions can better integrate with Azure management and customer expectations by leveraging certain Azure components. Specifically, developers should use the Azure Key Vault service to provide secure key storage as well as provide their customers with key management options consistent with that of Azure platform services. Additionally, custom solutions should use Azure managed service identities to enable service accounts to access encryption keys. For developer information on Azure Key Vault and Managed Service Identities, see their respective SDKs.
103+
It is recommended that whenever possible, IaaS applications leverage encryption at host and Encryption at Rest options provided by any consumed Azure services. Developers should use the Azure Key Vault service to provide secure key storage as well as provide their customers with consistent key management options with Azure platform services. Additionally, custom solutions should use Azure managed service identities to enable service accounts to access encryption keys. For developer information on Azure Key Vault and Managed Service Identities, see their respective SDKs.
104104

105105
## Azure resource providers encryption model support
106106
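Review bot: In the `#### Custom encryption at rest` paragraph (line 103), the rewrite drops the sentence that said when custom encryption is needed (irregular encryption requirements or non-Azure based storage), so the section no longer explains what "custom" refers to before telling developers to use Key Vault; keeping one clause such as "When a consumed service does not provide encryption at rest, or data is stored outside Azure, the application must encrypt it itself" would restore that context. The phrase "provide their customers with consistent key management options with Azure platform services" also reads awkwardly; the original wording "key management options consistent with those of Azure platform services" is clearer. Finally, "Managed Service Identities" is the legacy name (the current term is managed identities for Azure resources), and "see their respective SDKs" would be more useful with links to the Key Vault and managed identity SDK pages.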

articles/security/fundamentals/encryption-overview.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ author: msmbaldwin
66
ms.service: security
77
ms.subservice: security-fundamentals
88
ms.topic: article
9-
ms.date: 11/04/2025
9+
ms.date: 01/08/2026
1010
ms.author: mbaldwin
1111
---
1212
# Azure encryption overview
@@ -123,7 +123,7 @@ A site-to-site VPN gateway connection connects your on-premises network to an Az
123123

124124
## Key management with Key Vault
125125

126-
Without proper protection and management of keys, encryption is rendered useless. Azure Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services.
126+
Without proper protection and management of keys, encryption is rendered useless. Azure offers several key management solutions, including Azure Key Vault, Azure Key Vault Managed HSM, Azure Cloud HSM, and Azure Payment HSM.
127127

128128
Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. With Key Vault, you maintain control—Microsoft never sees your keys, and applications don't have direct access to them. You can also import or generate keys in HSMs.
129129
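Review bot: The new sentence at line 126 lists four key management solutions, but the heading "## Key management with Key Vault" and the unchanged paragraph that follows ("Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules...") still discuss only Key Vault, and the removed statement that Key Vault is the Microsoft-recommended solution for cloud services has no replacement. Either keep a one-line recommendation for the common case or add a link to the key management comparison (key-management-choose.md is updated elsewhere in this PR) so readers know which of the four to choose; the heading should be broadened as well if the section now introduces the HSM offerings.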

articles/security/fundamentals/key-management-choose.md

Lines changed: 14 additions & 13 deletions
@@ -1,18 +1,18 @@
11
---
22
title: How to choose the right key management solution
3-
titleSuffix: How to choose between Azure Key Vault, Azure Key Vault Managed HSM, Azure Dedicated HSM, and Azure Payment HSM
3+
titleSuffix: How to choose between Azure Key Vault, Azure Key Vault Managed HSM, Azure Cloud HSM, and Azure Payment HSM
44
description: This article provides a detailed explanation of how to choose the right Key Management solution in Azure.
55
services: security
66
author: chenkaren
77
ms.service: security
88
ms.topic: article
9-
ms.date: 07/14/2025
9+
ms.date: 01/08/2026
1010
ms.author: chenkaren
1111
---
1212

1313
# How to choose the right Azure key management solution
1414

15-
Azure offers several solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Key Vault Managed HSM, Azure Dedicated HSM, and Azure Payment HSM. It might be overwhelming for customers to decide which key management solution is right for them. This article helps customers navigate this decision-making process by presenting the range of solutions based on three considerations: scenarios, requirements, and industry.
15+
Azure offers several solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Key Vault Managed HSM, Azure Cloud HSM, and Azure Payment HSM. This article helps you choose the right solution based on your scenarios, requirements, and industry.
1616

1717
For an overview of key management concepts and detailed descriptions of each solution, see [Key management in Azure](key-management.md).
1818

@@ -41,25 +41,25 @@ The flowchart result is a starting point to identify the solution that best matc
4141

4242
## Compare other customer requirements
4343

44-
Azure provides multiple key management solutions to allow customers to choose a product based on both high-level requirements and management responsibilities. There is a spectrum of management responsibilities ranging from Azure Key Vault and Azure Managed HSM having less customer responsibility, followed by Azure Cloud HSM and Azure Payment HSM having the most customer responsibility.
44+
Azure provides multiple key management solutions to allow customers to choose a product based on both high-level requirements and management responsibilities. There is a spectrum of management responsibilities ranging from Azure Key Vault, Azure Managed HSM, and Azure Cloud HSM having less customer responsibility (Microsoft handles patching and maintenance), to Azure Payment HSM having the most customer responsibility.
4545

4646
This trade-off of management responsibility between the customer and Microsoft and other requirements is detailed in the table below.
4747

4848
Provisioning and hosting are managed by Microsoft across all solutions. Key generation and management, roles and permissions granting, and monitoring and auditing are the responsibility of the customer across all solutions.
4949

5050
Use the table to compare all the solutions side by side. Begin from top to bottom, answering each question found on the left-most column to help you choose the solution that meets all your needs, including management overhead and costs.
5151

52-
| | **AKV Standard** | **AKV Premium** | **Azure Key Vault Managed HSM** | **Azure Dedicated HSM** | **Azure Payment HSM** |
52+
| | **AKV Standard** | **AKV Premium** | **Azure Key Vault Managed HSM** | **Azure Cloud HSM** | **Azure Payment HSM** |
5353
| --- | --- | --- | --- | --- | --- |
54-
| What level of **compliance** do you need? | FIPS 140-2 level 1 | FIPS 140-2 level 2 | FIPS 140-2 level 3, PCI DSS, PCI 3DS | FIPS 140-2 level 3, HIPAA, PCI DSS, PCI 3DS, eIDAS | FIPS 140-2 level 3, PCI HSM v3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN |
54+
| What level of **compliance** do you need? | FIPS 140-2 level 1 | FIPS 140-3 level 3 | FIPS 140-3 level 3, PCI DSS, PCI 3DS | FIPS 140-3 level 3 | FIPS 140-2 level 3, PCI HSM v3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN |
5555
| Do you need **key sovereignty**? | No | No | Yes | Yes | Yes |
5656
| What kind of **tenancy** are you looking for? | Multitenant | Multitenant | Single Tenant | Single Tenant | Single Tenant |
57-
| What are your **use cases**? | Encryption at Rest, CMK, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | PKCS11, TLS Offload, code/document signing, custom | Payment PIN processes, custom |
57+
| What are your **use cases**? | Encryption at Rest, CMK, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | Lift and shift, PKCS#11, TLS Offload, TDE, code signing | Payment PIN processes, custom |
5858
| Do you want **HSM hardware protection**? | No | Yes | Yes | Yes | Yes |
5959
| What is your **budget**? | $ | $$ | $$$ | $$$ | $$$$ |
6060
| Who takes responsibility for **patching and maintenance**? | Microsoft | Microsoft | Microsoft | Microsoft | Customer |
61-
| Who takes responsibility for **service health and hardware failover**? | Microsoft | Microsoft | Shared | Shared | Customer |
62-
| What kind of **objects** are you using? | Asym Keys, Secrets, Certs | Asym Keys, Secrets, Certs | Asym/Sym Keys | Asym/Sym Keys, Certs | Local Master Key |
61+
| Who takes responsibility for **service health and hardware failover**? | Microsoft | Microsoft | Shared | Microsoft | Customer |
62+
| What kind of **objects** are you using? | Asym Keys, Secrets, Certs | Asym Keys, Secrets, Certs | Asym/Sym Keys | Asym/Sym Keys | Local Master Key |
6363
| **Root of trust control** | Microsoft | Microsoft | Customer | Customer | Customer |
6464

6565
## Common key management solution uses by industry segments
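Review bot: The compliance row (line 54) now mixes standards: AKV Premium, Managed HSM and Cloud HSM cite FIPS 140-3 level 3 while AKV Standard still cites FIPS 140-2 level 1 and Payment HSM still cites FIPS 140-2 level 3; if those validations are genuinely still 140-2, a footnote saying so would stop readers from taking this as an inconsistency. The Cloud HSM cell also drops the HIPAA, PCI DSS, PCI 3DS and eIDAS entries that the Dedicated HSM column carried, and the use-cases cell (line 57) drops "custom" while every other column keeps it; confirm both are intentional. Last, the "service health and hardware failover" row (line 61) now says Microsoft for Cloud HSM but Shared for Managed HSM, which reads as Cloud HSM carrying less customer responsibility than Managed HSM, contrary to the spectrum described at line 44; a clarifying word on what "Shared" means here would help.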
@@ -68,20 +68,21 @@ Here is a list of the key management solutions we commonly see being utilized ba
6868

6969
| **Industry** | **Suggested Azure solution** | **Considerations for suggested solutions** |
7070
| --- | --- | --- |
71-
| I am an enterprise or an organization with strict security and compliance requirements (ex: banking, government, highly regulated industries). | Azure Key Vault Managed HSM, Azure Dedicated HSM | Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 compliance, and it is a PCI compliant solution for ecommerce. It supports encryption for PCI DSS 4.0. It provides HSM backed keys and gives customers key sovereignty and single tenancy. Azure Dedicated HSM provides FIPS 140-2 Level 3 compliance, customer ownership of HSM clusters, and support for PKCS#11 and other standard APIs for cryptographic operations. |
72-
| I am a direct-to-consumer ecommerce merchant who needs to store, process, and transmit my customers' credit cards to my external payment processor/gateway and looking for a PCI compliant solution. | Azure Key Vault Managed HSM | Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 compliance, and it is a PCI compliant solution for ecommerce. It supports encryption for PCI DSS 4.0. It provides HSM backed keys and gives customers key sovereignty and single tenancy. |
71+
| I am an enterprise or an organization with strict security and compliance requirements (ex: banking, government, highly regulated industries). | Azure Key Vault Managed HSM | Azure Key Vault Managed HSM provides FIPS 140-3 Level 3 compliance, and it is a PCI compliant solution for ecommerce. It supports encryption for PCI DSS 4.0. It provides HSM backed keys and gives customers key sovereignty and single tenancy. |
72+
| I am a direct-to-consumer ecommerce merchant who needs to store, process, and transmit my customers' credit cards to my external payment processor/gateway and looking for a PCI compliant solution. | Azure Key Vault Managed HSM | Azure Key Vault Managed HSM provides FIPS 140-3 Level 3 compliance, and it is a PCI compliant solution for ecommerce. It supports encryption for PCI DSS 4.0. It provides HSM backed keys and gives customers key sovereignty and single tenancy. |
7373
| I am a service provider for financial services, an issuer, a card acquirer, a card network, a payment gateway/PSP, or 3DS solution provider looking for a single tenant service that can meet PCI and multiple major compliance frameworks. | Azure Payment HSM | Azure Payment HSM provides FIPS 140-2 Level 3, PCI HSM v3, PCI DSS, PCI 3DS, and PCI PIN compliance. It provides key sovereignty and single tenancy, common internal compliance requirements around payment processing. Azure Payment HSM provides full payment transaction and PIN processing support. |
7474
| I am an early-stage startup customer looking to prototype a cloud-native application. | Azure Key Vault Standard | Azure Key Vault Standard provides software-backed keys at an economy price. |
7575
| I am a startup customer looking to produce a cloud-native application. | Azure Key Vault Premium, Azure Key Vault Managed HSM | Both Azure Key Vault Premium and Azure Key Vault Managed HSM provide HSM-backed keys* and are the best solutions for building cloud native applications. |
76-
| I am an IaaS customer wanting to move my application to use Azure VM/HSMs. | Azure Dedicated HSM | Azure Dedicated HSM supports SQL IaaS customers. It is the only solution that supports PKCS11 and custom noncloud native applications. |
76+
| I am an IaaS customer wanting to move my application to use Azure VM/HSMs. | Azure Cloud HSM | Azure Key Vault Managed HSM supports IaaS scenarios and provides FIPS 140-3 Level 3 compliance with key sovereignty. Azure Cloud HSM is ideal for lift-and-shift scenarios requiring PKCS#11 support, such as migrating from on-premises HSMs, Azure Dedicated HSM, or AWS CloudHSM. |
7777

7878
For detailed information about each Azure key management solution, including technical specifications and use cases, see [Key management in Azure](key-management.md).
7979

80+
8081
## What's next
8182

8283
- [Key management in Azure](key-management.md)
8384
- [Azure Key Vault](/azure/key-vault/general/overview)
8485
- [Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/overview)
85-
- [Azure Dedicated HSM](/azure/dedicated-hsm/overview)
86+
- [Azure Cloud HSM](/azure/cloud-hsm/overview)
8687
- [Azure Payment HSM](/azure/payment-hsm/overview)
8788
- [What is Zero Trust?](/security/zero-trust/zero-trust-overview)
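Review bot: In the IaaS row (line 76), the "Suggested Azure solution" column lists only Azure Cloud HSM, but the considerations text opens with "Azure Key Vault Managed HSM supports IaaS scenarios..."; either add Managed HSM to the solution column or drop that first sentence so the two columns agree. In the enterprise row (line 71), Azure Dedicated HSM was removed without substituting Azure Cloud HSM, even though the comparison table above credits Cloud HSM with FIPS 140-3 level 3, key sovereignty and single tenancy; confirm that omission is intentional. The added blank line at 80 produces two consecutive blank lines before "## What's next", and the new link `/azure/cloud-hsm/overview` (line 86) should be verified to resolve before merge.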
