I got a good question from Zaniar this week:
My question: If Azure VMs are encrypted at rest now (SSE), does this mean the data on the volumes is also encrypted? And if we want a further layer of encryption, should we use BEK or KEK? Which one is better?
It comes down to a matter of trust and requirements. Microsoft encrypts Managed Disks and Storage Account data at rest by default, and data in transit is protected by encrypted transfer protocols. If the only requirement is to encrypt data at rest and in transit, everything can be left at its defaults and that requirement is met.
However, Storage Service Encryption decrypts data transparently on retrieval. If someone copied the data outside the environment, it would arrive at the new location decrypted, whether that person was a legitimate user or someone who had gained unauthorized access to an account. With Azure Disk Encryption, a virtual disk copied to a new location stays encrypted and requires the key to decrypt it.
By default, both Storage Service Encryption and Azure Disk Encryption use Microsoft-managed encryption keys. This is where trust comes into play. Both offer the option of a customer-managed key if you want to add an extra layer of security.
If I were hosting sensitive medical records or proprietary source code for a client on a server, I might consider using Azure Disk Encryption with a customer-managed key. It all comes down to the security requirements of the organization.
As for BEK and KEK, when I wrote the first couple of posts on Azure Disk Encryption there were limitations around backup and recovery between the two. That is no longer an issue; either will give similar results.
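As an added example (not part of the original post), the Azure PowerShell snippet below first reports which VMs in a resource group actually have Azure Disk Encryption turned on (SSE is always on, so only ADE shows up in this status), then enables ADE on one VM with a customer-managed key encryption key (KEK) in Key Vault that wraps the VM's BEK. The resource group, VM, vault and key names are assumed placeholders.

```powershell
# Added example: audit Azure Disk Encryption (ADE) status and enable ADE with a KEK.
# Assumes the Az modules are installed and Connect-AzAccount has already been run.
# Resource group, VM, vault and key names are placeholders, not real resources.
$rg        = 'rg-example'
$vaultName = 'kv-example-ade'
$kekName   = 'ade-kek'

# 1. Audit: which VMs in the resource group are protected by ADE?
#    SSE is on by default and never appears here; this reports ADE only.
Get-AzVM -ResourceGroupName $rg | ForEach-Object {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $_.Name
    [pscustomobject]@{
        VM          = $_.Name
        OsVolume    = $status.OsVolumeEncrypted
        DataVolumes = $status.DataVolumesEncrypted
    }
} | Format-Table -AutoSize

# 2. Prepare Key Vault: ADE requires the vault to be enabled for disk encryption.
#    The KEK is an RSA key in that vault; ADE stores the BEK as a secret there,
#    wrapped by the KEK, so the BEK is never kept unwrapped in the vault.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
$kek   = Get-AzKeyVaultKey -VaultName $vaultName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    # Software-protected RSA key; use -Destination HSM on a premium vault if required.
    $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination Software
}

# 3. Enable ADE on one VM (placeholder name), wrapping its BEK with the KEK.
#    Leave out the two KeyEncryptionKey* parameters to protect the VM with a BEK alone.
$vmName = 'vm-example'
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Key.Kid `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType All

# 4. Confirm the OS and data volumes now report as encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Enabling the extension reboots the VM, so run step 3 in a maintenance window.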