More edits Key management for encryption at rest
Mostly clarity and flow stuff.
dbarnesbrownNR committed Aug 31, 2021
1 parent a90bafe commit 02c1bb6
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -9,7 +9,7 @@ redirects:
- /docs/security/new-relic-security/compliance/key-management-encryption-rest
---

For customers with heightened regulatory or privacy needs, New Relic offers account-based, [FIPS-compliant](https://csrc.nist.gov/publications/detail/fips/140/2/final) encryption-at-rest capabilities with unique keys per account. This protects data from inadvertent or intentional exposure, even if an attacker has access to the file system.
For customers with heightened regulatory or privacy needs, New Relic offers account-based, [FIPS-compliant](https://csrc.nist.gov/publications/detail/fips/140/2/final) encryption-at-rest capabilities with unique keys per account. This protects data from inadvertent or intentional exposure, even in the event an attacker has access to the file system.

It's important to maintain both a high level of protection and also optimal performance and long-term storage and retrieval of data. To do this, New Relic uses a two-tier system consisting of a data encryption key (DEK) and a master key, each with separate usage, storage, and rotation policies.
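Review bot: the only change in this hunk is "even if an attacker has access" becoming "even in the event an attacker has access", which lengthens the sentence without adding meaning; "even if" is the tighter wording and reads better, so I would keep the original phrase here.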

Expand All @@ -25,7 +25,7 @@ In order to read a file, the process is reversed: First, the [NRDB](/docs/teleme

## Key rotation [#rotation]

To prevent ciphertext attacks, a new data encryption key is generated per account every 24 hours or when the existing DEK has been used to encrypt 64 GB of data.
To prevent ciphertext attacks, a new data encryption key is generated for each account when the existing DEK has been used to encrypt 64 GB of data or every 24 hours if the data threshold is not met before then.

The master key is used only to encrypt DEKs, so a ciphertext attack against it is improbable. In compliance with FIPS guidelines, the KMS automatically rotates the master key once a year. Each New Relic region contains a single master key, which is never transmitted out of the KMS.
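Review bot: the rewritten rotation sentence now makes the trigger order explicit, but "or every 24 hours if the data threshold is not met before then" still reads awkwardly; "a new data encryption key is generated for each account after the existing DEK has encrypted 64 GB of data or after 24 hours, whichever comes first" says the same thing more directly. Separately, "to prevent ciphertext attacks" is vague in both versions: the 64 GB cap bounds how much data is ever encrypted under one DEK, so naming that rationale (limiting key usage) would make the reason for the two thresholds clearer to readers with compliance questions.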
