Azure · heaths · Oct 13, 2022 · Oct 13, 2022 · Oct 13, 2022 · Oct 13, 2022
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/certificates.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/certificates.json
@@ -290,7 +290,7 @@
             "in": "path",
             "required": true,
             "type": "string",
-            "description": "The name of the issuer."
+            "description": "The name of the issuer. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameter",
@@ -469,7 +469,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z-]+$",
-            "description": "The name of the certificate."
+            "description": "The name of the certificate. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",
@@ -521,7 +521,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z-]+$",
-            "description": "The name of the certificate."
+            "description": "The name of the certificate. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",
@@ -1557,6 +1557,7 @@
         },
         "key_usage": {
           "type": "array",
+          "description": "Defines how the certificate's key may be used.",
           "items": {
             "type": "string",
             "enum": [
@@ -1574,8 +1575,7 @@
               "name": "KeyUsageType",
               "modelAsString": true
             }
-          },
-          "description": "List of key usages."
+          }
         },
         "validity_months": {
           "x-ms-client-name": "ValidityInMonths",

diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/keys.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/keys.json
@@ -42,7 +42,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z-]+$",
-            "description": "The name for the new key. The system will generate the version name for the new key."
+            "description": "The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",
@@ -136,7 +136,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z-]+$",
-            "description": "Name for the imported key."
+            "description": "Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",
@@ -567,7 +567,7 @@
         ],
         "operationId": "decrypt",
         "summary": "Decrypts a single block of encrypted data.",
-        "description": "The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission.",
+        "description": "The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.",
         "parameters": [
           {
             "name": "key-name",
@@ -889,7 +889,7 @@
         ],
         "responses": {
           "200": {
-            "description": "A key bundle containing the key and its attributes.",
+            "description": "A JWS containing the key, its attributes, the result of the key release, and information about the request.",
             "schema": {
               "$ref": "#/definitions/KeyReleaseResult"
             }
@@ -1248,12 +1248,13 @@
           "type": "boolean"
         },
         "data": {
-          "description": "Blob encoding the policy rules under which the key can be released.",
+          "description": "Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded.",
           "type": "string",
           "format": "base64url",
           "x-ms-client-name": "encodedPolicy"
         }
-      }
+      },
+      "description": "The policy rules under which the key can be exported."
     },
     "JsonWebKey": {
       "properties": {
@@ -1488,7 +1489,7 @@
         },
         "exportable": {
           "type": "boolean",
-          "description": "Indicates if the private key can be exported."
+          "description": "Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key."
         }
       },
       "description": "The attributes of a key managed by the key vault service."
@@ -1604,7 +1605,7 @@
       "properties": {
         "exportable": {
           "type": "boolean",
-          "description": "Indicates if the private key can be exported."
+          "description": "Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key."
         },
         "kty": {
           "x-ms-client-name": "keyType",
@@ -1871,7 +1872,7 @@
         "iv": {
           "type": "string",
           "format": "base64url",
-          "description": "Initialization vector for symmetric algorithms."
+          "description": "Cryptographically random, non-repeating initialization vector for symmetric algorithms."
         },
         "aad": {
           "type": "string",
@@ -2207,11 +2208,11 @@
       "properties": {
         "timeAfterCreate": {
           "type": "string",
-          "description": "Time after creation to attempt rotate. It will be in ISO 8601 format. Example: 90 days : \"P90D\" "
+          "description": "Time after creation to attempt to rotate. It only applies to rotate. It will be in ISO 8601 duration format. Example: 90 days : \"P90D\"  "
         },
         "timeBeforeExpiry": {
           "type": "string",
-          "description": "Time before expiry to attempt rotate. It will be in ISO 8601 format. Example: 90 days : \"P90D\""
+          "description": "Time before expiry to attempt to rotate or notify. It will be in ISO 8601 duration format. Example: 90 days : \"P90D\""
         }
       },
       "description": "A condition to be satisfied for an action to be executed."

diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/secrets.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/secrets.json
@@ -42,7 +42,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z-]+$",
-            "description": "The name of the secret."
+            "description": "The name of the secret. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",

diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/storage.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.4-preview.1/storage.json
@@ -418,7 +418,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z]+$",
-            "description": "The name of the storage account."
+            "description": "The name of the storage account. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",
@@ -880,7 +880,7 @@
             "required": true,
             "type": "string",
             "pattern": "^[0-9a-zA-Z]+$",
-            "description": "The name of the SAS definition."
+            "description": "The name of the SAS definition. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information."
           },
           {
             "name": "parameters",