
Azure key vault key/secret versioning

I am planning to keep keys in Key Vault, but I am not clear about the versioning of keys and secrets. I have some questions about key/secret versioning in Azure Key Vault.

  1. How do I create a new version of an existing key?
  2. Is it possible to decrypt data encrypted with a different version of the same key?
  3. Is it possible to set an expiration date for a certain version of a key?
asked Jun 30 '16 05:06

Aasish


1 Answer

  1. When you create a key with the same name, Key Vault automatically creates a new version, as stated in the Create Key API:

     "If the named key already exists, Azure Key Vault creates a new version of the key."

  2. Yes. When you create a key, Key Vault returns the full key id, which includes the version (see the kid field in the Create Key response). You can specify the full key id including the version in the Decrypt API.

  3. Yes. Both the Create Key and Update Key APIs allow you to specify the expiration date (see the exp attribute).

The above applies to secrets as well.

answered Nov 14 '22 01:11

fernacolo
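
The following is an added example, not part of the question or the answer above. It shows one way to use the versioned kid the answer describes: store it next to each ciphertext, then validate it and check the version's exp attribute before passing it to the Decrypt API. The vault name, key name, version strings and envelope layout are constructed assumptions, and the code runs offline without calling Key Vault.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlparse


class KeyId(NamedTuple):
    vault: str              # vault host name
    name: str               # key name
    version: Optional[str]  # None for a versionless id


def parse_kid(kid: str) -> KeyId:
    """Split https://{vault}/keys/{name}[/{version}] into its parts."""
    url = urlparse(kid)
    parts = [p for p in url.path.split("/") if p]
    well_formed = len(parts) in (2, 3) and parts[0] == "keys"
    if url.scheme != "https" or not url.hostname or not well_formed:
        raise ValueError(f"not a Key Vault key id: {kid!r}")
    return KeyId(url.hostname, parts[1], parts[2] if len(parts) == 3 else None)


# Constructed sample data: two versions of one key, each with its kid and attributes.
V1 = "https://example-vault.vault.azure.net/keys/orders-kek/" + "1" * 32
V2 = "https://example-vault.vault.azure.net/keys/orders-kek/" + "2" * 32
VERSIONS = [
    {"kid": V1, "attributes": {"enabled": True, "exp": 1700000000}},
    {"kid": V2, "attributes": {"enabled": True}},  # no exp set
]
# Assumed envelope: the kid used at encrypt time is stored next to the ciphertext.
ENVELOPE = {"kid": V1, "ciphertext": "<elided>"}


def kid_for_decrypt(envelope, vault, name, versions, now):
    """Return (kid, expired) for the version that produced this ciphertext."""
    key = parse_kid(envelope["kid"])
    if key.version is None:
        raise ValueError("envelope must pin a key version")
    if (key.vault, key.name) != (vault, name):
        raise ValueError("envelope points at an unexpected vault or key")
    attrs = next((v["attributes"] for v in versions if v["kid"] == envelope["kid"]), None)
    if attrs is None:
        raise LookupError("key version not found")
    exp = attrs.get("exp")  # Unix seconds; absent when no expiry was set
    return envelope["kid"], exp is not None and now >= exp


if __name__ == "__main__":
    host = "example-vault.vault.azure.net"
    print(kid_for_decrypt(ENVELOPE, host, "orders-kek", VERSIONS, 1700000001))
```

Rejecting an envelope whose kid names a different vault or key keeps a tampered record from steering the decrypt call to a key the application did not intend to use.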