diff --git a/articles/security/fundamentals/virtual-machines-overview.md b/articles/security/fundamentals/virtual-machines-overview.md index b82b2e54c4e94..bdde13800ef24 100644 --- a/articles/security/fundamentals/virtual-machines-overview.md +++ b/articles/security/fundamentals/virtual-machines-overview.md @@ -74,7 +74,7 @@ Learn more: [!INCLUDE [Azure Disk Encryption retirement notice](~/reusable-content/ce-skilling/azure/includes/security/azure-disk-encryption-retirement.md)] -Azure Disk Encryption is a new capability for encrypting your Windows and Linux virtual machine disks. Azure Disk Encryption uses the industry-standard [BitLocker](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732774(v=ws.11)) feature of Windows and the [dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide volume encryption for the OS and the data disks. +Azure Disk Encryption is a capability for encrypting your Windows and Linux virtual machine disks. Azure Disk Encryption uses the industry-standard [BitLocker](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732774(v=ws.11)) feature of Windows and the [dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription. It ensures that all data in the virtual machine disks are encrypted at rest in Azure Storage. @@ -148,11 +148,9 @@ Learn more: ## Confidential Computing -While confidential computing is not technically part of virtual machine security, the topic of virtual machine security belongs to the higher-level subject of "compute" security. Confidential computing belongs within the category of "compute" security. +Confidential computing ensures that when data is protected against tampering and exfiltration even when it is resident in memory for processing. The data in memory is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. -Confidential computing ensures that when data is "in the clear," which is required for efficient processing, the data is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below. - -TEEs ensure there is no way to view data or the operations inside from the outside, even with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered or tampered, the operations are denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it. +TEEs help to ensure there is no way to view data or alter the operations inside a TEE from the outside, even by an Azure operator with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered, the operations can be detected and denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it. Learn more: