Hello Emil,
Thank you for pointing out that section, it is incorrect and I’ll get it fixed. In the case you describe, where a key has been deleted, the driver will return an error and not the encrypted blob.
As a best practice, when using envelope encryption, you should rotate the CMK. Once you have rotated the CMK you can use the rotate API (also referred to as rewrap) to apply the new CMK to your keyVault. This section in the docs gives an example of how to rotate to a new CMK (after you have created the new CMK in your KMS).
Sincerely,
Cynthia