backport of commit 7bdc25c
Dan-Heath committed Oct 14, 2024
1 parent f3a5ad3 commit a34cffb
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions website/content/docs/concepts/security/data-encryption.mdx
@@ -35,7 +35,7 @@ and the various DEKs (Data Encryption Keys) are created when a scope is created.
The DEKs are encrypted with the scope's `root` KEK, and this is in turn
encrypted with the KMS key marked for the `root` purpose.

You can configure `root` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `root` KMS keys for self-managed Enterprise or Community edition deployments.

The current scoped DEKs and their purposes are detailed below:

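Review bot: Dropping the comma after "self-managed" is the right fix, since the old wording read as a three-item list ("self-managed, Enterprise, or Community") and implied that self-managed was a third edition rather than the deployment model that Enterprise and Community share; the new line reads correctly as "self-managed (Enterprise or Community) deployments", in contrast to HCP. Consider "self-managed Enterprise or Community edition deployments" in all five places plus a one-line note near the first occurrence that HCP manages the `root` key on the operator's behalf, so readers do not take the absence of HCP here as an omission.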
@@ -122,7 +122,7 @@ the `previous-root` KMS key to your configuration informs the Controller to use
it for decrypting the existing information in the database, allowing you to
rotate and rewrap the KEKs to complete the migration to the new root key.

You can configure `previous-root` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `previous-root` KMS keys for self-managed Enterprise or Community edition deployments.

## The `worker-auth` KMS key

@@ -132,6 +132,9 @@ found on the [Connections/TLS page](/boundary/docs/concepts/security/connections
a worker is registered with [worker-led or controller-led
methods](/boundary/docs/configuration/worker/worker-configuration) this is unnecessary.

You can configure `worker-auth` KMS keys for HCP, Enterprise, and Community edition deployments.
However, you cannot configure `worker-auth` keys for the first set of workers that connect to your HCP workers.

## The `recovery` KMS key

The `recovery` KMS key is used for rescue/recovery operations that can be used
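Review bot: The second added sentence, "you cannot configure `worker-auth` keys for the first set of workers that connect to your HCP workers", is ambiguous as written: workers connecting to workers is not the relationship the surrounding text describes (workers authenticate to controllers), and "the first set of workers" is not defined anywhere in this hunk. Please say explicitly which workers are meant (for example, the HCP-managed workers that ship with the cluster versus self-managed workers you register later) and what they connect to, so an operator knows which `worker-auth` configuration is theirs to own and which is managed by HCP. Also, this paragraph uses "HCP, Enterprise, and Community edition deployments" while the other four hunks use "self-managed Enterprise or Community edition deployments"; pick one list style.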
@@ -144,7 +147,7 @@ cannot be replayed by an adversary, and also to ensure that each operation must
be individually authenticated by a client so that revoking access to the KMS has
an immediate result.

You can configure `recovery` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `recovery` KMS keys for self-managed Enterprise or Community edition deployments.

<Note>

@@ -185,4 +188,4 @@ with access to that KMS can decrypt the values. Boundary will check for a
`config` KMS block on startup, and if it exists, will use it to decrypt any
encrypted values found at startup time.

You can configure `config` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `config` KMS keys for self-managed Enterprise or Community edition deployments.
