Align CMK/encryption articles with authoritative Q&A guidance

- Update FIPS 140-2 references to FIPS 140-3
- Remove CMK from AKV Standard use cases (Premium minimum)
- Remove retired services from CMK support list (LUIS, Personalizer, QnA Maker, MySQL Single Server, StorSimple)
- Add CMK control model framing to CMK support list intro
- Clarify key rotation only re-wraps DEKs, not re-encrypts data
- Add RSA-OAEP-256 wrapping algorithm recommendation
- Add KV Premium minimum and MHSM sovereignty guidance
- Clarify double encryption uses independent keys/operators/hierarchies
- Add security domain ownership and irrecoverable loss warning for MHSM
- Fix HSM typo (Model -> Module) in secrets-best-practices

Co-authored-by: Copilot <[email protected]>

Author: msmbaldwin

articles/security/fundamentals/data-encryption-best-practices.md

@@ -8,7 +8,7 @@ ms.assetid: 17ba67ad-e5cd-4a8f-b435-5218df753ca4
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 01/08/2026
+ms.date: 04/02/2026
 ms.author: mbaldwin
 
 ---
@@ -53,6 +53,10 @@ Most Azure services, such as Azure Storage and Azure SQL Database, encrypt data
 
 - **Use encryption to help mitigate risks related to unauthorized data access**: Encrypt your services before you write sensitive data to them.
 
+- **Understand key rotation behavior**: When you rotate a key encryption key (KEK), the service re-wraps the data encryption keys (DEKs) with the new key version. The underlying data itself is not re-encrypted. Both old and new key versions must remain enabled until re-wrapping is complete. For more information, see [Configure key auto-rotation in Azure Key Vault](/azure/key-vault/keys/how-to-configure-key-rotation).
+
+- **Use RSA-OAEP-256 for key wrapping**: RSA-OAEP-256 is the recommended wrapping algorithm for customer-managed keys. RSA-OAEP (without the -256 suffix) uses SHA-1 and is considered legacy.
+
 Organizations that don't enforce data encryption are more exposed to data-confidentiality issues. Companies also must prove that they are diligent and using correct security controls to enhance their data security in order to comply with industry regulations.
 
 ## Protect data in transit

articles/security/fundamentals/double-encryption.md

@@ -8,7 +8,7 @@ ms.assetid: 9dcb190e-e534-4787-bf82-8ce73bf47dba
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 04/23/2025
+ms.date: 04/02/2026
 ms.author: mbaldwin
 ---
 # Double encryption
@@ -23,7 +23,7 @@ Azure provides double encryption for data at rest and data in transit.
 ## Data at rest
 Microsoft’s approach to enabling two layers of encryption for data at rest is:
 
-- **Encryption at rest using customer-managed keys**. You provide your own key for data encryption at rest. You can bring your own keys to your Key Vault (BYOK – Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources.
+- **Encryption at rest using customer-managed keys**. You provide your own key for data encryption at rest. You can bring your own keys to your Key Vault (BYOK – Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources. These two layers use separate keys from independent key hierarchies, managed by different operators — you control the service-level key while Microsoft controls the infrastructure-level key.
 - **Infrastructure encryption using platform-managed keys**.  By default, data is automatically encrypted at rest using platform-managed encryption keys.
 
 ## Data in transit

articles/security/fundamentals/encryption-atrest.md

@@ -8,7 +8,7 @@ ms.assetid: 9dcb190e-e534-4787-bf82-8ce73bf47dba
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 01/12/2026
+ms.date: 04/02/2026
 ms.author: mbaldwin
 
 ---
@@ -40,7 +40,7 @@ Encryption at rest protects stored data (at rest). Attacks against data at rest
 
 Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is highly recommended and is a high priority requirement for many organizations.
 
-An organization's need for data governance and compliance efforts might also require encryption at rest. Industry and government regulations such as HIPAA, PCI, and FedRAMP, lay out specific safeguards regarding data protection and encryption requirements. Encryption at rest is a mandatory measure required for compliance with some of those regulations. For more information on Microsoft's approach to FIPS 140-2 validation, see [Federal Information Processing Standard (FIPS) Publication 140-2](/microsoft-365/compliance/offering-fips-140-2).
+An organization's need for data governance and compliance efforts might also require encryption at rest. Industry and government regulations such as HIPAA, PCI, and FedRAMP, lay out specific safeguards regarding data protection and encryption requirements. Encryption at rest is a mandatory measure required for compliance with some of those regulations. For more information on Microsoft's approach to FIPS 140 validation, see [Federal Information Processing Standard (FIPS) 140](/azure/compliance/offering-fips-140-3).
 
 In addition to satisfying compliance and regulatory requirements, encryption at rest provides defense-in-depth protection. Microsoft Azure provides a compliant platform for services, applications, and data. It also provides comprehensive facility and physical security, data access control, and auditing. However, it's important to provide additional "overlapping" security measures in case one of the other security measures fails. Encryption at rest provides such a security measure.
 
@@ -64,7 +64,7 @@ As described previously, the goal of encryption at rest is that data persisted o
 
 ### Azure Key Vault
 
-The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. You need to highly secure the keys but make them manageable by specified users and available to specific services. For Azure services, Azure Key Vault is the recommended key storage solution and provides a common management experience across services. You store and manage keys in key vaults, and you can give users or services access to a key vault. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.
+The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. You need to highly secure the keys but make them manageable by specified users and available to specific services. For Azure services, Azure Key Vault (Premium tier) or Azure Managed HSM is the recommended key storage solution and provides a common management experience across services. Both are validated to FIPS 140-3 Level 3 for HSM-backed key protection. You store and manage keys in key vaults, and you can give users or services access to a key vault. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.
 
 ### Microsoft Entra ID
 

articles/security/fundamentals/encryption-customer-managed-keys-support.md

@@ -3,15 +3,17 @@ title: Services that support customer managed keys (CMKs) in Azure Key Vault and
 description: Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM
 author: msmbaldwin
 ms.author: mbaldwin
-ms.date: 02/23/2026
+ms.date: 04/02/2026
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
 ---
 
 # Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM
 
-The following services support server-side encryption with customer managed keys in [Azure Key Vault](/azure/key-vault/) and [Azure Managed HSM](/azure/key-vault/managed-hsm/). For implementation details, see the service-specific documentation or the service's [Microsoft Cloud Security Benchmark: security baseline](/security/benchmark/azure/security-baselines-overview) (section DP-5).
+Customer-managed keys (CMK) is a key management control model in which you own and manage the key encryption key (KEK) in your own [Azure Key Vault](/azure/key-vault/) or [Azure Managed HSM](/azure/key-vault/managed-hsm/) instance. Azure services use your KEK to wrap and unwrap their data encryption keys through envelope encryption. For HSM-protected keys, use Azure Key Vault Premium tier or Azure Managed HSM, both validated to FIPS 140-3 Level 3.
+
+The following services support server-side encryption with customer managed keys. For implementation details, see the service-specific documentation or the service's [Microsoft Cloud Security Benchmark: security baseline](/security/benchmark/azure/security-baselines-overview) (section DP-5).
 
 ## AI and machine learning
 
@@ -27,15 +29,11 @@ The following services support server-side encryption with customer managed keys
 | [Azure Health Bot](/azure/health-bot/) | Yes | | [Configure customer-managed keys (CMK) for Azure Health Bot](/azure/health-bot/cmk) |
 | [Azure Machine Learning](/azure/machine-learning/) | Yes | | [Customer-managed keys for workspace encryption in Azure Machine Learning](/azure/machine-learning/concept-customer-managed-keys) |
 | [Azure OpenAI](/azure/ai-services/openai/) | Yes | Yes | [Azure OpenAI Service encryption of data at rest](/azure/ai-services/openai/encrypt-data-at-rest) |
-| [Content Moderator](/azure/ai-services/content-moderator/) | Yes | Yes | [Content Moderator encryption of data at rest](/azure/ai-services/content-moderator/encrypt-data-at-rest) |
 | [Dataverse](/powerapps/maker/data-platform/) | Yes | Yes | [Customer-managed keys in Dataverse](/power-platform/admin/customer-managed-key) |
 | [Dynamics 365](/dynamics365/) | Yes | Yes | [Customer-managed keys for encryption](/dynamics365/fin-ops-core/dev-itpro/sysadmin/customer-managed-keys) |
 | [Azure AI Face](/azure/ai-services/computer-vision/overview-identity) | Yes | Yes | [Face service encryption of data at rest](/azure/ai-services/computer-vision/identity-encrypt-data-at-rest) |
-| [Language Understanding](/azure/ai-services/luis/what-is-luis) | Yes | Yes | [Customer-managed keys with Azure Key Vault](/azure/ai-services/luis/encrypt-data-at-rest) |
-| [Personalizer](/azure/ai-services/personalizer/) | Yes | Yes | [Encryption of data at rest in Personalizer](/azure/ai-services/personalizer/encrypt-data-at-rest) |
 | [Power Platform](/power-platform/) | Yes | Yes | [Customer-managed keys in Power Platform](/power-platform/admin/customer-managed-key) |
 | [Custom question answering](/azure/ai-services/language-service/question-answering/overview) | Yes | | [Custom question answering encryption of data at rest](/azure/ai-services/language-service/question-answering/how-to/encrypt-data-at-rest) |
-| [QnA Maker](/azure/ai-services/qnamaker/) | Yes | Yes | [QnA Maker encryption of data at rest](/azure/ai-services/qnamaker/encrypt-data-at-rest) |
 | [Azure Speech in Foundry Tools](/azure/ai-services/speech-service/) | Yes | Yes | [Speech service encryption of data at rest](/azure/ai-services/speech-service/speech-encryption-of-data-at-rest) |
 | [Azure Translator in Foundry Tools Text](/azure/ai-services/translator/) | Yes | Yes | [Translator encryption of data at rest](/azure/ai-services/translator/encrypt-data-at-rest) |
 
@@ -89,7 +87,6 @@ The following services support server-side encryption with customer managed keys
 | [Azure Cosmos DB](/azure/cosmos-db/) | Yes | Yes | [Configure customer-managed keys using Azure Key Vault](/azure/cosmos-db/how-to-setup-cmk), [Configure customer-managed keys using Azure Key Vault Managed HSM](/azure/cosmos-db/how-to-setup-customer-managed-keys-mhsm) |
 | [Azure Cosmos DB for MongoDB vCore](/azure/cosmos-db/mongodb/vcore/) | Yes | | [Configure customer-managed keys for Azure Cosmos DB for MongoDB vCore](/azure/cosmos-db/mongodb/vcore/how-to-data-encryption) |
 | [Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/concepts-customer-managed-key) |
-| [Azure Database for MySQL - Single Server](/azure/mysql/single-server/) | Yes | | [Azure Database for MySQL data encryption with a customer-managed key](/previous-versions/azure/mysql/single-server/concepts-data-encryption-mysql) |
 | [Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/concepts-data-encryption) |
 | [Azure Database for PostgreSQL - Single Server](/azure/postgresql/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for PostgreSQL - Single Server](/previous-versions/azure/postgresql/single-server/concepts-data-encryption-postgresql) |
 | [Azure Managed Instance for Apache Cassandra](/azure/managed-instance-apache-cassandra/) | Yes | | [Configure customer-managed keys for encryption](/azure/managed-instance-apache-cassandra/customer-managed-keys) |
@@ -169,7 +166,6 @@ The following services support server-side encryption with customer managed keys
 | [Managed Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Encryption at host for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |
 | [Premium Blob Storage](/azure/storage/blobs/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |
 | [Queue Storage](/azure/storage/queues/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |
-| [StorSimple](/azure/storsimple/) | Yes | | [Azure StorSimple security features](/azure/storsimple/storsimple-security#data-encryption) |
 | [Ultra Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Encryption at host for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |
 
 ## Other

articles/security/fundamentals/encryption-models.md

@@ -3,7 +3,7 @@ title: Data encryption models in Microsoft Azure
 description: This article provides an overview of data encryption models In Microsoft Azure.
 author: msmbaldwin
 ms.author: mbaldwin
-ms.date: 01/12/2026
+ms.date: 04/02/2026
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
@@ -86,7 +86,9 @@ For scenarios where organizations have specific requirements to control their en
 
 Some services might store only the root Key Encryption Key in Azure Key Vault and store the encrypted Data Encryption Key in an internal location closer to the data. In this scenario, customers can bring their own keys to Key Vault (BYOK – Bring Your Own Key) or generate new ones, and use them to encrypt the desired resources. While the Resource Provider performs the encryption and decryption operations, it uses the customer's configured key encryption key as the root key for all encryption operations.
 
-Loss of key encryption keys means loss of data. For this reason, don't delete keys. Always back up keys when you create or rotate them. To protect against accidental or malicious cryptographic erasure, [Soft-Delete and purge protection](/azure/key-vault/general/soft-delete-overview) must be enabled on any vault storing key encryption keys. Instead of deleting a key, set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in [Azure Key Vault](/azure/key-vault/general/security-features#access-model-overview) or [Managed HSM](/azure/key-vault/managed-hsm/secure-your-managed-hsm).
+Loss of key encryption keys means loss of data. For this reason, don't delete keys. Always back up keys when you create or rotate them. When a KEK is rotated, the service re-wraps the data encryption keys with the new key version — the underlying data is not re-encrypted. Both old and new key versions must remain enabled until all data encryption keys have been re-wrapped. To protect against accidental or malicious cryptographic erasure, [Soft-Delete and purge protection](/azure/key-vault/general/soft-delete-overview) must be enabled on any vault storing key encryption keys. Instead of deleting a key, set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in [Azure Key Vault](/azure/key-vault/general/security-features#access-model-overview) or [Managed HSM](/azure/key-vault/managed-hsm/secure-your-managed-hsm).
+
+For customer-managed key scenarios, Azure Key Vault Premium tier (HSM-backed) is recommended as the minimum for compliance requirements. Azure Managed HSM is recommended for workloads requiring key sovereignty or dedicated HSM capacity.
 
 > [!NOTE]
 > For a list of services that support customer-managed keys in Azure Key Vault and Azure Managed HSM, see [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-customer-managed-keys-support.md).