Key Vault keys docset audit: fix FIPS levels, update SDKs, clean up stale content

- secure-keys.md: Fix FIPS compliance levels to match about-keys.md
  (FIPS 140-2 Level 3 → FIPS 140-3 Level 3 for Managed HSM;
   HSM-protected keys updated to reflect HSM Platform 2)
- quick-create-java.md: Update Maven dependencies
  (azure-security-keyvault-keys 4.2.3 → 4.10.6,
   azure-identity 1.2.0 → 1.18.2)
- quick-create-bicep.md, quick-create-template.md: Update Bicep/ARM
  API version from 2021-11-01-preview → 2024-11-01
- how-to-configure-key-rotation.md: Update ARM API version
  from 2021-06-01-preview → 2024-11-01
- javascript-developer-guide-get-started.md: Standardize placeholder
  YOUR-DIRECTORY → <your-directory>
- hsm-protected-keys-ncipher.md: Reword stale deprecation warning
  (method no longer supported since June 2021, not future tense)
- hsm-protected-keys-byok.md: Add missing Utimaco BYOK tool URL

Co-authored-by: Copilot <[email protected]>

Author: msmbaldwin

articles/key-vault/keys/how-to-configure-key-rotation.md

@@ -205,7 +205,7 @@ You can configure the key rotation policy by using ARM templates.
     "resources": [
         {
             "type": "Microsoft.KeyVault/vaults/keys",
-            "apiVersion": "2021-06-01-preview",
+            "apiVersion": "2024-11-01",
             "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
             "location": "[resourceGroup().location]",
             "properties": {

articles/key-vault/keys/hsm-protected-keys-byok.md

@@ -64,7 +64,7 @@ The following table lists prerequisites for using BYOK in Azure Key Vault:
 |Securosys SA|Manufacturer,<br/>HSM as a service|Primus HSM family, Securosys Clouds HSM|[Primus BYOK tool and documentation](https://www.securosys.com/primus-azure-byok)|
 |StorMagic|ISV (Enterprise Key Management System)|Multiple HSM brands and models including<ul><li>Utimaco</li><li>Thales</li><li>nCipher</li></ul>|See [StorMagic site for details](https://stormagic.com/doc/svkms/Content/Integrations/Azure_KeyVault_BYOK.htm). [SvKMS and Azure Key Vault BYOK](https://stormagic.com/doc/svkms/Content/Integrations/Azure_KeyVault_BYOK.htm)|
 |Thales|Manufacturer|<ul><li>Luna HSM 7 family with firmware version 7.3 or newer</li></ul>| [Luna BYOK tool and documentation](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3892db6ddb8fc45005c9143b0b961987&sysparm_article=KB0021016)|
-|Utimaco|Manufacturer,<br/>HSM as a service|u.trust Anchor, CryptoServer| Utimaco BYOK tool and Integration guide |
+|Utimaco|Manufacturer,<br/>HSM as a service|u.trust Anchor, CryptoServer|[Utimaco BYOK tool and integration guide](https://utimaco.com/integration-guides/microsoft-azure-key-vault-byok-utimaco-securityserver)|
 |Yubico|Manufacturer|YubiHSM 2| [YubiHSM 2 BYOK User Guide for Azure](https://resources.yubico.com/53ZDUYE6/at/2rsrrspcftx4xkp8fn9nsgv/YubiHSM_2_BYOK_User_Guide_for_Azure.pdf?format=pdf) |
 ||||
 

articles/key-vault/keys/hsm-protected-keys-ncipher.md

@@ -17,7 +17,7 @@ ms.custom: devx-track-azurepowershell
 # Import HSM-protected keys for Key Vault (nCipher)
 
 > [!WARNING]
-> The HSM-key import method described in this document is **deprecated** and will not be supported after June 30, 2021. It only works with nCipher nShield family of HSMs with firmware 12.40.2 or newer. Using [new method to import HSM-keys](hsm-protected-keys-byok.md) is strongly recommended.
+> The HSM-key import method described in this document is **deprecated and no longer supported** (since June 30, 2021). It only works with nCipher nShield family of HSMs with firmware 12.40.2 or newer. Use the [current BYOK method to import HSM-keys](hsm-protected-keys-byok.md) instead.
 
 [!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
 

articles/key-vault/keys/javascript-developer-guide-get-started.md

@@ -26,10 +26,10 @@ This article shows you how to connect to Azure Key Vault by using the Azure Key
 
 ## Set up your project
 
-1. Open a command prompt and change into your project folder. Change `YOUR-DIRECTORY` to your folder name:
+1. Open a command prompt and change into your project folder. Change `<your-directory>` to your folder name:
 
     ```bash
-    cd YOUR-DIRECTORY
+    cd <your-directory>
     ```
 
 1. If you don't have a `package.json` file already in your directory, initialize the project to create the file:

articles/key-vault/keys/quick-create-bicep.md

@@ -69,7 +69,7 @@ param keySize int = 2048
 ])
 param curveName string = ''
 
-resource vault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+resource vault 'Microsoft.KeyVault/vaults@2024-11-01' = {
   name: vaultName
   location: location
   properties: {
@@ -92,7 +92,7 @@ resource vault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
   }
 }
 
-resource key 'Microsoft.KeyVault/vaults/keys@2021-11-01-preview' = {
+resource key 'Microsoft.KeyVault/vaults/keys@2024-11-01' = {
   parent: vault
   name: keyName
   properties: {

articles/key-vault/keys/quick-create-java.md

@@ -100,13 +100,13 @@ Open the *pom.xml* file in your text editor. Add the following dependency elemen
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-security-keyvault-keys</artifactId>
-      <version>4.2.3</version>
+      <version>4.10.6</version>
     </dependency>
 
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
-      <version>1.2.0</version>
+      <version>1.18.2</version>
     </dependency>
 ```
 

articles/key-vault/keys/quick-create-template.md

@@ -8,7 +8,7 @@ ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: quickstart
 ms.custom: mvc, subject-armqs, mode-arm, devx-track-arm-template
-ms.date: 11/19/2025
+ms.date: 04/09/2026
 
 ms.author: mbaldwin
 #Customer intent: As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure.
@@ -107,7 +107,7 @@ To complete this article:
   "resources": [
     {
       "type": "Microsoft.KeyVault/vaults",
-      "apiVersion": "2021-11-01-preview",
+      "apiVersion": "2024-11-01",
       "name": "[parameters('vaultName')]",
       "location": "[parameters('location')]",
       "properties": {
@@ -131,7 +131,7 @@ To complete this article:
     },
     {
       "type": "Microsoft.KeyVault/vaults/keys",
-      "apiVersion": "2021-11-01-preview",
+      "apiVersion": "2024-11-01",
       "name": "[format('{0}/{1}', parameters('vaultName'), parameters('keyName'))]",
       "properties": {
         "kty": "[parameters('keyType')]",

articles/key-vault/keys/secure-keys.md

@@ -7,7 +7,7 @@ ms.service: azure-key-vault
 ms.subservice: keys
 ms.topic: best-practice
 ms.custom: horz-security
-ms.date: 11/10/2025
+ms.date: 04/09/2026
 ms.author: mbaldwin
 ai-usage: ai-assisted
 # Customer intent: As a developer using Key Vault keys, I want to implement key-specific security best practices.
@@ -25,9 +25,9 @@ Azure Key Vault supports different key types with varying protection levels. Cho
 
 - **Software-protected keys (RSA, EC)**: Keys protected by FIPS 140-2 Level 1 validated software. Suitable for most applications requiring encryption and signing operations.
 
-- **HSM-protected keys (RSA-HSM, EC-HSM)**: Keys protected by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Recommended for high-security scenarios requiring hardware-backed key protection.
+- **HSM-protected keys (RSA-HSM, EC-HSM)**: Keys protected by hardware security modules (HSMs). All new keys and key versions are created on FIPS 140-3 Level 3 validated HSMs (HSM Platform 2). Recommended for high-security scenarios requiring hardware-backed key protection.
 
-- **Managed HSM keys**: Keys in dedicated, single-tenant HSM pools with FIPS 140-2 Level 3 validated hardware. Required for the highest security and compliance requirements.
+- **Managed HSM keys**: Keys in dedicated, single-tenant HSM pools with FIPS 140-3 Level 3 validated hardware. Required for the highest security and compliance requirements.
 
 For more information about key types, see [About Azure Key Vault keys](about-keys.md).