[Key Vault] Add migration guide for azure-keyvault-keys

[mccoyp]

Part of #15118.

This also includes some (very) minor fixes to the azure-keyvault-keys README.

[chlowell]

Suggested change

	You can also create a `CryptographyClient` to enable cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.
	You can also create a `CryptographyClient` to perform cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.

[chlowell]

"oct" will get an error from a standard Key Vault. Also may be useful to show the KeyType enum here:

Suggested change

	# create a key with specified type
	key = key_client.create_key(name="key-name", key_type="oct")
	from azure.keyvault.keys import KeyType
	# create a key with specified type
	key = key_client.create_key(name="key-name", key_type=KeyType.ec)

[chlowell]

Suggest showing KeyCurveName here

[chlowell]

This isn't mentioned in the text or used in the example?

[mccoyp]

This variable isn't used directly, but I split up the process of fetching the key version because I wanted to clearly show how the KeyId was being used. I don't think condensing lines 159/160 into key_version = KeyId(key_item.kid).version would be too complicated though, if you think that's neater

[chlowell]

Ah, my bad, it's used in the sense I meant on the next line, it's fine like this 🤓

[chlowell]

Another difference is that CryptographyClient performs operations locally when it has or can get the key material whereas every KeyVaultClient crypto operation is performed by Key Vault.

[chlowell]

This implies CryptographyClient does everything locally, but actually it falls back to Key Vault when it can't get the key material.

[mccoyp]

Hm, that makes sense. Is there documentation of the CryptographyClient's behavior that I could refer/link to, or would this have to be gleaned from the source code?

[chlowell]

Good question. It should be documented but is not: #15859