Merge pull request #2714 from msmbaldwin/akv-keys-audit

Key Vault keys docset audit: retire nCipher article, fix FIPS levels, update SDKs, clean up stale content

Author: denrea

.openpublishing.redirection.key-vault.json

@@ -599,6 +599,11 @@
       "source_path_from_root": "/articles/key-vault/secrets/about-managed-storage-account-keys.md",
       "redirect_url": "/azure/storage/common/authorize-data-access",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/key-vault/keys/hsm-protected-keys-ncipher.md",
+      "redirect_url": "/azure/key-vault/keys/hsm-protected-keys-byok",
+      "redirect_document_id": false
     }
   ]
 }

articles/key-vault/keys/about-keys-details.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: concept-article
-ms.date: 04/02/2026
+ms.date: 04/09/2026
 ms.author: mbaldwin
 ---
 
@@ -167,7 +167,7 @@ You can specify more application-specific metadata in the form of tags. Key Vaul
 
 Key Vault provides access control for keys at the Key Vault level, which acts as the container for keys. You can control access to keys by using either Key Vault [Azure role-based access control](../general/rbac-guide.md) (recommended) or the legacy [vault access policy](../general/assign-access-policy.md) permission model. Azure RBAC is the default and recommended authorization model. It has three predefined roles to manage keys: **Key Vault Crypto Officer**, **Key Vault Crypto User**, and **Key Vault Service Encryption User**. You can scope these roles to the subscription, resource group, or vault level. For more information, see [Azure RBAC vs. access policies](../general/rbac-access-policy.md).
 
-Vault access policy permission model permissions:
+Vault access policy permission model permissions (legacy):
 
 - Permissions for key management operations
   - *get*: Read the public part of a key, plus its attributes

articles/key-vault/keys/byok-specification.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: feature-guide
-ms.date: 03/26/2026
+ms.date: 04/09/2026
 ms.author: mbaldwin 
 ms.custom: devx-track-azurecli
 ---
@@ -70,7 +70,7 @@ az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import
 ```
 
 > [!NOTE]
-> Services support different KEK lengths. Azure SQL, for instance, only supports key lengths of [2048 or 3072 bytes](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-customer-managed-tde). Consult the documentation for your service for specifics.
+> Services support different KEK lengths. Azure SQL, for instance, only supports key lengths of [2048-bit or 3072-bit](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-customer-managed-tde). Consult the documentation for your service for specifics.
 
 ### Retrieve the public key of the KEK
 
@@ -140,7 +140,7 @@ az keyvault key import --vault-name <vault-name> --name <key-name> --kty EC-HSM
 When you run this command, it sends a REST API request as follows:
 
 ```
-PUT https://<vault-name>.vault.azure.net/keys/<key-name>?api-version=7.0
+PUT https://<vault-name>.vault.azure.net/keys/<key-name>?api-version=7.6
 ```
 
 Request body when importing an RSA key:

articles/key-vault/keys/how-to-configure-key-rotation.md

@@ -8,7 +8,7 @@ ms.custom: devx-track-arm-template, sfi-image-nochange, copilot-scenario-highlig
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: how-to
-ms.date: 04/02/2026
+ms.date: 04/09/2026
 ms.author: mbaldwin
 ---
 
@@ -205,7 +205,7 @@ You can configure the key rotation policy by using ARM templates.
     "resources": [
         {
             "type": "Microsoft.KeyVault/vaults/keys",
-            "apiVersion": "2021-06-01-preview",
+            "apiVersion": "2024-11-01",
             "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
             "location": "[resourceGroup().location]",
             "properties": {

articles/key-vault/keys/hsm-protected-keys-byok.md

@@ -8,12 +8,14 @@ ms.custom: devx-track-azurepowershell, devx-track-azurecli, copilot-scenario-hig
 ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: tutorial
-ms.date: 01/30/2026
+ms.date: 04/09/2026
 ms.author: mbaldwin
 ---
 
 # Import HSM-protected keys to Key Vault (BYOK)
 
+[!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
+
 For added assurance when you use Azure Key Vault, you can import or generate a key in a hardware security module (HSM); the key never leaves the HSM boundary. This scenario is often referred to as *bring your own key (BYOK)*. Key Vault uses [FIPS 140 validated HSMs](/azure/key-vault/keys/about-keys#compliance) to protect your keys.
 
 > [!IMPORTANT]
@@ -64,7 +66,7 @@ The following table lists prerequisites for using BYOK in Azure Key Vault:
 |Securosys SA|Manufacturer,<br/>HSM as a service|Primus HSM family, Securosys Clouds HSM|[Primus BYOK tool and documentation](https://www.securosys.com/primus-azure-byok)|
 |StorMagic|ISV (Enterprise Key Management System)|Multiple HSM brands and models including<ul><li>Utimaco</li><li>Thales</li><li>nCipher</li></ul>|See [StorMagic site for details](https://stormagic.com/doc/svkms/Content/Integrations/Azure_KeyVault_BYOK.htm). [SvKMS and Azure Key Vault BYOK](https://stormagic.com/doc/svkms/Content/Integrations/Azure_KeyVault_BYOK.htm)|
 |Thales|Manufacturer|<ul><li>Luna HSM 7 family with firmware version 7.3 or newer</li></ul>| [Luna BYOK tool and documentation](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3892db6ddb8fc45005c9143b0b961987&sysparm_article=KB0021016)|
-|Utimaco|Manufacturer,<br/>HSM as a service|u.trust Anchor, CryptoServer| Utimaco BYOK tool and Integration guide |
+|Utimaco|Manufacturer,<br/>HSM as a service|u.trust Anchor, CryptoServer|[Utimaco BYOK tool and integration guide](https://utimaco.com/integration-guides/microsoft-azure-key-vault-byok-utimaco-securityserver)|
 |Yubico|Manufacturer|YubiHSM 2| [YubiHSM 2 BYOK User Guide for Azure](https://resources.yubico.com/53ZDUYE6/at/2rsrrspcftx4xkp8fn9nsgv/YubiHSM_2_BYOK_User_Guide_for_Azure.pdf?format=pdf) |
 ||||