Clarify TDE cannot be disabled once enabled

JeremyChen-179 · web-flow · commit dcebd0b2ba8e · 2025-08-25T13:40:01.000+10:00
Updated the TDE section in the CMEK doc to make it explicit that:
- Once TDE is enabled, it cannot be disabled.
- If a customer wants to disable it, they must create a new instance and migrate data.

This change is intended to avoid confusion for users asking if TDE can be turned off.
diff --git a/docs/cloud/security/cmek.md b/docs/cloud/security/cmek.md
@@ -19,7 +19,7 @@ Enhanced encryption is currently available in AWS and GCP services. Azure is com
 
 ## Transparent Data Encryption (TDE) {#transparent-data-encryption-tde}
 
-TDE must be enabled on service creation. Existing services cannot be encrypted after creation.
+TDE must be enabled on service creation. Existing services cannot be encrypted after creation. Once TDE is enabled, it cannot be disabled. All data in the service will remain encrypted. If you want to disable TDE after it has been enabled, you must create a new service and migrate your data there.
 
 1. Select `Create new service`
 2. Name the service
