diff --git a/crates/kms/examples/demo1.rs b/crates/kms/examples/kms_local_demo.rs
similarity index 100%
rename from crates/kms/examples/demo1.rs
rename to crates/kms/examples/kms_local_demo.rs
diff --git a/crates/kms/examples/demo2.rs b/crates/kms/examples/kms_vault_kv_demo.rs
similarity index 100%
rename from crates/kms/examples/demo2.rs
rename to crates/kms/examples/kms_vault_kv_demo.rs
diff --git a/crates/kms/src/backends/local.rs b/crates/kms/src/backends/local.rs
index d2ead7d3..5cab0116 100644
--- a/crates/kms/src/backends/local.rs
+++ b/crates/kms/src/backends/local.rs
@@ -249,12 +249,9 @@ impl LocalKmsClient {
 
 #[async_trait]
 impl KmsClient for LocalKmsClient {
-    async fn generate_data_key(&self, request: &GenerateKeyRequest, context: Option<&OperationContext>) -> Result<DataKey> {
+    async fn generate_data_key(&self, request: &GenerateKeyRequest, _context: Option<&OperationContext>) -> Result<DataKey> {
         debug!("Generating data key for master key: {}", request.master_key_id);
 
-        // Verify master key exists and get its version
-        let master_key_info = self.describe_key(&request.master_key_id, context).await?;
-
         // Generate random data key material
         let key_length = match request.key_spec.as_str() {
             "AES_256" => 32,
@@ -272,7 +269,6 @@ impl KmsClient for LocalKmsClient {
         let envelope = DataKeyEnvelope {
             key_id: uuid::Uuid::new_v4().to_string(),
             master_key_id: request.master_key_id.clone(),
-            master_key_version: master_key_info.version,
             key_spec: request.key_spec.clone(),
             encrypted_key: encrypted_key.clone(),
             nonce,
diff --git a/crates/kms/src/backends/vault.rs b/crates/kms/src/backends/vault.rs
index 43ae1834..3b652643 100644
--- a/crates/kms/src/backends/vault.rs
+++ b/crates/kms/src/backends/vault.rs
@@ -286,12 +286,9 @@ impl VaultKmsClient {
 
 #[async_trait]
 impl KmsClient for VaultKmsClient {
-    async fn generate_data_key(&self, request: &GenerateKeyRequest, context: Option<&OperationContext>) -> Result<DataKey> {
+    async fn generate_data_key(&self, request: &GenerateKeyRequest, _context: Option<&OperationContext>) -> Result<DataKey> {
         debug!("Generating data key for master key: {}", request.master_key_id);
 
-        // Verify master key exists and get its version
-        let master_key_info = self.describe_key(&request.master_key_id, context).await?;
-
         // Generate random data key material using the existing method
         let plaintext_key = generate_key_material(&request.key_spec)?;
 
@@ -302,7 +299,6 @@ impl KmsClient for VaultKmsClient {
         let envelope = DataKeyEnvelope {
             key_id: uuid::Uuid::new_v4().to_string(),
             master_key_id: request.master_key_id.clone(),
-            master_key_version: master_key_info.version,
             key_spec: request.key_spec.clone(),
             encrypted_key: encrypted_key.clone(),
             nonce,
diff --git a/crates/kms/src/encryption/dek.rs b/crates/kms/src/encryption/dek.rs
index feee92a6..e1ddc085 100644
--- a/crates/kms/src/encryption/dek.rs
+++ b/crates/kms/src/encryption/dek.rs
@@ -35,11 +35,6 @@ use std::collections::HashMap;
 pub struct DataKeyEnvelope {
     pub key_id: String,
     pub master_key_id: String,
-    /// Version of the master key (KEK) used to encrypt this DEK
-    /// This is critical for key rotation: when a KEK is rotated, we need to know
-    /// which version was used to encrypt each DEK so we can use the correct KEK version for decryption.
-    #[serde(default = "default_master_key_version")]
-    pub master_key_version: u32,
     pub key_spec: String,
     pub encrypted_key: Vec<u8>,
     pub nonce: Vec<u8>,
@@ -47,10 +42,6 @@ pub struct DataKeyEnvelope {
     pub created_at: chrono::DateTime<chrono::Utc>,
 }
 
-fn default_master_key_version() -> u32 {
-    1
-}
-
 /// Trait for encrypting and decrypting data encryption keys (DEK)
 ///
 /// This trait abstracts the encryption operations used to protect
@@ -280,7 +271,6 @@ mod tests {
         let envelope = DataKeyEnvelope {
             key_id: "test-key-id".to_string(),
             master_key_id: "master-key-id".to_string(),
-            master_key_version: 1,
             key_spec: "AES_256".to_string(),
             encrypted_key: vec![1, 2, 3, 4],
             nonce: vec![5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16],
@@ -301,7 +291,6 @@ mod tests {
             serde_json::from_slice(&serialized).expect("Deserialization should succeed");
         assert_eq!(deserialized.key_id, envelope.key_id);
         assert_eq!(deserialized.master_key_id, envelope.master_key_id);
-        assert_eq!(deserialized.master_key_version, envelope.master_key_version);
         assert_eq!(deserialized.encrypted_key, envelope.encrypted_key);
     }
 
@@ -322,7 +311,6 @@ mod tests {
             serde_json::from_str(old_envelope_json).expect("Should deserialize old format");
         assert_eq!(deserialized.key_id, "test-key-id");
         assert_eq!(deserialized.master_key_id, "master-key-id");
-        assert_eq!(deserialized.master_key_version, 1); // Should default to 1
     }
 }