OK, this is for Azure SQL. Using an on-premise SQL Server on a VM in Azure, I have to recreate the chain, Mapped AsyKey -> DEK, using a credential/login, and set the thumbprint of the mapped key to the same value as the source SQL Server that performed the backup with the key (I obviously must have this key in the vault).
My question...
In the vault, the function "New Version" of the key exists. It sets a new version number and marks it as "current version" and the older one as "older version". You can decide to set them enabled or disabled. If I encrypt a DB using a version and do some backups, and then I create a new version of the key, I can re-encrypt the DEK using the new version and this works, but I cannot restore any backup made with the older version of the key, even if it is enabled. I cannot restore them even if I enable only the "version" used to make the backups. SQL returns an error in the encryption. I'd like to know if this "New version" function is supported by SQL IaaS in order to rotate the keys, or if I must necessarily create a new key every time I need to rotate and preserve the older one for as long as I might need it for my backups.