A CryptoKeyVersion has a state:
DISABLED): This version may not be used, but the key material is still available, and the version can be placed back into the
DESTROYED): This version is destroyed, and the key material is no longer stored in Cloud KMS. Any ciphertext encrypted with this version is not recoverable. A version may not leave this state once entered.
A CryptoKeyVersion can move from Enabled to Disabled and from Disabled to Enabled using UpdateCryptoKeyVersion. A CryptoKeyVersion which is Enabled or Disabled can move to Scheduled for destruction using DestroyCryptoKeyVersion, and it can be moved from Scheduled for destruction to Disabled using RestoreCryptoKeyVersion.
Each CryptoKey has a designated primary version which is used at that point in time to encrypt data.
When a CryptoKey is used to Encrypt plaintext, its primary CryptoKeyVersion is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a CryptoKey can be primary at any given point in time.
If the primary CryptoKeyVersion is disabled, the CryptoKey cannot be used to encrypt data. Note that an enabled primary CryptoKeyVersion can be disabled, scheduled for destruction or destroyed, and a version which is not enabled can be made the primary version.
Which CryptoKeyVersion is primary does not impact the ability to decrypt data. A CryptoKeyVersion can be used to decrypt data as long as it is enabled.
CryptoKey and CryptoKeyVersion states
CryptoKeys do not have states, only CryptoKeyVersions have states.
In order for a CryptoKey to be available for use to encrypt data, it needs to be have a primary CryptoKeyVersion which is enabled.
In order for a CryptoKey to be available for use to decrypt data, the CryptoKeyVersion which was originally used to encrypt the data must be enabled. That CryptoKeyVersion need not be the primary version at decrypt time.