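# Create the key-encryption key (KEK) as an HSM-protected RSA key.
#
# --ops restricts the key to the operations a KEK needs. Without it the key
# is also permitted to sign/verify, which widens what a caller holding key
# permissions can do with it. encrypt/decrypt are kept for callers that wrap
# DEKs with `az keyvault key encrypt`.
#
# NOTE(review): RSA-HSM needs a vault tier that offers HSM-backed keys;
# confirm the SKU of prod-kv.
# NOTE(review): no --size is given, so the default RSA key length applies;
# set --size explicitly if policy mandates a specific length.
az keyvault key create \
  --vault-name prod-kv \
  --name customer-data-kek \
  --kty RSA-HSM \
  --ops encrypt decrypt wrapKey unwrapKey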

# Rotation policy for the KEK. Durations are ISO 8601:
#   - Rotate: triggered 180 days (P180D) after a key version is created.
#   - Notify: triggered 30 days (P30D) before a key version expires.
#   - expiryTime: P2Y, i.e. two years.
#
# NOTE(review): rotation adds a new key version. DEKs wrapped under an
# earlier version presumably still need that version to be unwrapped, so
# keep track of which version wrapped each DEK and re-wrap before the old
# version expires.
# NOTE(review): the Notify action is only useful if something receives it;
# confirm that a subscriber or alert exists for this vault.
rotation_policy='{
    "lifetimeActions": [
      {
        "trigger": {"timeAfterCreate": "P180D"},
        "action": {"type": "Rotate"}
      },
      {
        "trigger": {"timeBeforeExpiry": "P30D"},
        "action": {"type": "Notify"}
      }
    ],
    "attributes": {"expiryTime": "P2Y"}
  }'

az keyvault key rotation-policy update \
  --name customer-data-kek \
  --vault-name prod-kv \
  --value "$rotation_policy"

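# Wrap the data-encryption key (DEK) under the KEK using RSA-OAEP-256.
#
# BASE64_DEK must already hold the base64-encoded DEK. Fail early instead of
# sending an empty or unset value to the vault.
: "${BASE64_DEK:?BASE64_DEK must be set to the base64-encoded DEK}"

# NOTE(security): --value places the plaintext DEK in the argument list of
# the az process, where process listings and `set -x` traces can expose it
# while the command runs. Run this on a single-purpose host or job, keep
# tracing off, and do not log the command line.
#
# NOTE(review): no --version is given, so presumably the current key version
# performs the encryption. Store the key version reported in the command
# output next to the wrapped DEK so it can still be unwrapped after rotation.
az keyvault key encrypt \
  --vault-name prod-kv \
  --name customer-data-kek \
  --algorithm RSA-OAEP-256 \
  --value "$BASE64_DEK"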
