diff --git a/website/content/docs/concepts/security/data-encryption.mdx b/website/content/docs/concepts/security/data-encryption.mdx index 43f1c49c2d..646dac467f 100644 --- a/website/content/docs/concepts/security/data-encryption.mdx +++ b/website/content/docs/concepts/security/data-encryption.mdx @@ -35,7 +35,7 @@ and the various DEKs (Data Encryption Keys) are created when a scope is created. The DEKs are encrypted with the scope's `root` KEK, and this is in turn encrypted with the KMS key marked for the `root` purpose. -You can configure `root` KMS keys for self-managed, Enterprise or Community edition deployments. +You can configure `root` KMS keys for self-managed Enterprise or Community edition deployments. The current scoped DEKs and their purposes are detailed below: @@ -122,7 +122,7 @@ the `previous-root` KMS key to your configuration informs the Controller to use it for decrypting the existing information in the database, allowing you to rotate and rewrap the KEKs to complete the migration to the new root key. -You can configure `previous-root` KMS keys for self-managed, Enterprise or Community edition deployments. +You can configure `previous-root` KMS keys for self-managed Enterprise or Community edition deployments. ## The `worker-auth` KMS key @@ -132,6 +132,9 @@ found on the [Connections/TLS page](/boundary/docs/concepts/security/connections a worker is registered with [worker-led or controller-led methods](/boundary/docs/configuration/worker/worker-configuration) this is unnecessary. +You can configure `worker-auth` KMS keys for HCP, Enterprise, and Community edition deployments. +However, you cannot configure `worker-auth` keys for the first set of workers that connect to your HCP workers. + ## The `recovery` KMS key The `recovery` KMS key is used for rescue/recovery operations that can be used @@ -144,7 +147,7 @@ cannot be replayed by an adversary, and also to ensure that each operation must be individually authenticated by a client so that revoking access to the KMS has an immediate result. -You can configure `recovery` KMS keys for self-managed, Enterprise or Community edition deployments. +You can configure `recovery` KMS keys for self-managed Enterprise or Community edition deployments. @@ -185,4 +188,4 @@ with access to that KMS can decrypt the values. Boundary will check for a `config` KMS block on startup, and if it exists, will use it to decrypt any encrypted values found at startup time. -You can configure `config` KMS keys for self-managed, Enterprise or Community edition deployments. +You can configure `config` KMS keys for self-managed Enterprise or Community edition deployments.