Keys docset audit: nCipher notice, access policy label, BYOK fixes

- hsm-protected-keys-ncipher.md: Add historical-reference-only notice
  below the deprecation warning to clarify outdated prereqs
  (Windows 7, .NET 4.5, PowerShell 1.1.0) are not updated
- about-keys-details.md: Label vault access policy permissions
  section as (legacy)
- hsm-protected-keys-byok.md: Add updated-for-az include
  (article uses PowerShell; consistent with nCipher article)
- byok-specification.md: Update REST API version 7.0 → 7.6;
  fix 'bytes' → 'bits' in Azure SQL key-length reference

Co-authored-by: Copilot <[email protected]>

Author: msmbaldwin

articles/key-vault/keys/about-keys-details.md

@@ -167,7 +167,7 @@ You can specify more application-specific metadata in the form of tags. Key Vaul
 
 Key Vault provides access control for keys at the Key Vault level, which acts as the container for keys. You can control access to keys by using either Key Vault [Azure role-based access control](../general/rbac-guide.md) (recommended) or the legacy [vault access policy](../general/assign-access-policy.md) permission model. Azure RBAC is the default and recommended authorization model. It has three predefined roles to manage keys: **Key Vault Crypto Officer**, **Key Vault Crypto User**, and **Key Vault Service Encryption User**. You can scope these roles to the subscription, resource group, or vault level. For more information, see [Azure RBAC vs. access policies](../general/rbac-access-policy.md).
 
-Vault access policy permission model permissions:
+Vault access policy permission model permissions (legacy):
 
 - Permissions for key management operations
   - *get*: Read the public part of a key, plus its attributes

articles/key-vault/keys/byok-specification.md

@@ -70,7 +70,7 @@ az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import
 ```
 
 > [!NOTE]
-> Services support different KEK lengths. Azure SQL, for instance, only supports key lengths of [2048 or 3072 bytes](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-customer-managed-tde). Consult the documentation for your service for specifics.
+> Services support different KEK lengths. Azure SQL, for instance, only supports key lengths of [2048-bit or 3072-bit](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-customer-managed-tde). Consult the documentation for your service for specifics.
 
 ### Retrieve the public key of the KEK
 
@@ -140,7 +140,7 @@ az keyvault key import --vault-name <vault-name> --name <key-name> --kty EC-HSM
 When you run this command, it sends a REST API request as follows:
 
 ```
-PUT https://<vault-name>.vault.azure.net/keys/<key-name>?api-version=7.0
+PUT https://<vault-name>.vault.azure.net/keys/<key-name>?api-version=7.6
 ```
 
 Request body when importing an RSA key:

articles/key-vault/keys/hsm-protected-keys-byok.md

@@ -12,6 +12,8 @@ ms.date: 01/30/2026
 ms.author: mbaldwin
 ---
 
+[!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
+
 # Import HSM-protected keys to Key Vault (BYOK)
 
 For added assurance when you use Azure Key Vault, you can import or generate a key in a hardware security module (HSM); the key never leaves the HSM boundary. This scenario is often referred to as *bring your own key (BYOK)*. Key Vault uses [FIPS 140 validated HSMs](/azure/key-vault/keys/about-keys#compliance) to protect your keys.

articles/key-vault/keys/hsm-protected-keys-ncipher.md

@@ -19,6 +19,9 @@ ms.custom: devx-track-azurepowershell
 > [!WARNING]
 > The HSM-key import method described in this document is **deprecated and no longer supported** (since June 30, 2021). It only works with nCipher nShield family of HSMs with firmware 12.40.2 or newer. Use the [current BYOK method to import HSM-keys](hsm-protected-keys-byok.md) instead.
 
+> [!NOTE]
+> This article is retained for historical reference only. The prerequisites, tools, and procedures described here reflect the original requirements at the time of publication and have not been updated. Do not follow these instructions for new key imports.
+
 [!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
 
 For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as *bring your own key*, or BYOK. Azure Key Vault uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.