Add Karen's key type changes (AES → oct, HMAC algorithms)

msmbaldwin · msmbaldwin · commit 213a1c00d4cd · 2026-03-11T14:07:27.000-07:00
diff --git a/articles/key-vault/keys/about-keys-details.md b/articles/key-vault/keys/about-keys-details.md
@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: article
-ms.date: 01/30/2026
+ms.date: 03/06/2026
 ms.author: mbaldwin
 ---
 
@@ -21,7 +21,7 @@ The following table shows a summary of key types and supported algorithms.
 | --- | --- | --- |
 |EC-P256, EC-P256K, EC-P384, EC-P521|NA|ES256<br>ES256K<br>ES384<br>ES512|
 |RSA 2K, 3K, 4K| RSA-OAEP-256<br>[Not recommended] RSA1_5<br>[Not recommended] RSA-OAEP|PS256<br>PS384<br>PS512<br>RS256<br>RS384<br>RS512<br>RSNULL| 
-|AES 128-bit, 256-bit <br/>(Managed HSM only)| AES-KW<br>AES-GCM<br>AES-CBC| NA| 
+|oct 128-bit, 256-bit <br/>(Managed HSM only)| AES-KW<br>AES-GCM<br>AES-CBC| HS256<br>HS384<br>HS512| 
 |||
 
 ##  EC algorithms
@@ -78,6 +78,11 @@ The following algorithm identifiers are supported with oct-HSM keys.
 
 When you use these algorithms with 256-bit keys, they're quantum-resistant according to the [The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ](https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF).
 
+### SIGN/VERIFY
+- **HS256** - HMAC using SHA-256 hash function, as described in [RFC7518](https://tools.ietf.org/html/rfc7518).
+- **HS384** - HMAC using SHA-384 hash function, as described in [RFC7518](https://tools.ietf.org/html/rfc7518).
+- **HS512** - HMAC using SHA-512 hash function, as described in [RFC7518](https://tools.ietf.org/html/rfc7518).
+
 > [!NOTE] 
 > The sign and verify operations algorithms must match the key type and size. Otherwise, the service returns a key size is incorrect error.
 
diff --git a/articles/key-vault/managed-hsm/how-to-secure-access.md b/articles/key-vault/managed-hsm/how-to-secure-access.md
@@ -45,7 +45,7 @@ In this example, you're developing an application that uses an RSA 2,048-bit key
 
 Identify the roles that manage, deploy, and audit your application:
 
-- **Security team**: IT staff from the office of the CSO (Chief Security Officer) or similar contributors. The security team is responsible for the proper safekeeping of keys. The keys include RSA or EC keys for signing, and RSA or AES keys for data encryption.
+- **Security team**: IT staff from the office of the CSO (Chief Security Officer) or similar contributors. The security team is responsible for the proper safekeeping of keys. The keys include RSA or EC keys for signing, and RSA or oct keys for data encryption.
 - **Developers and operators**: The staff who develop the application and deploy it in Azure. The members of this team aren't part of the security staff. They shouldn't have access to sensitive data like RSA keys. Only the application that they deploy should have access to this sensitive data.
 - **Auditors**: Contributors who aren't members of the development or general IT staff. They review the use and maintenance of certificates, keys, and secrets to ensure compliance with security standards.
 
