Merge pull request #6418 from DBAlberto/patch-2

Add support for key version on the key vault

Author: ktoliver

docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md

@@ -442,6 +442,20 @@ For a note about the minimum permission levels needed for each action in this se
     WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',  
     CREATION_DISPOSITION = OPEN_EXISTING;  
     ```  
+  
+   Beginning with updated version 1.0.5.0 of the SQL Server connector, you can refer to a specific key version in the Azure key vault:
+   
+   ```sql  
+   CREATE ASYMMETRIC KEY EKMSampleASYKey
+   FROM PROVIDER [AzureKeyVault_EKM]  
+   WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0/1a4d3b9b393c4678831ccc60def75379',  
+   CREATION_DISPOSITION = OPEN_EXISTING; 
+   ```
+
+   In the preceding example script, `1a4d3b9b393c4678831ccc60def75379` represents the specific version of the key that will be used. If you use this script, it doesn't matter if you update the key with a new version. The key version (for example) `1a4d3b9b393c4678831ccc60def75379` will always be used for database operations. For this scenario, you must complete two prerequisites:
+   
+   1. Create a **SQL Server Cryptographic Provider** key on **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\**.
+   1. Delegate access permissions on the **SQL Server Cryptographic Provider** key to the user account running the SQL Server database engine service.
 
 1. Create a new login by using the asymmetric key in [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] that you created in the preceding step.
 
@@ -481,8 +495,7 @@ For a note about the minimum permission levels needed for each action in this se
     CREATE DATABASE ENCRYPTION KEY
     WITH ALGORITHM = AES_256
     ENCRYPTION BY SERVER ASYMMETRIC KEY EKMSampleASYKey;
-    ```
-  
+    ``` 
 1. Encrypt the test database. Enable TDE by setting ENCRYPTION ON.
 
      ```sql