I got the a good question below from Zaniar this week:

My question —- If Azure VM’s are encrypted at rest now (SSE) does this mean the data on the volumes are also encrypted? and if we want a further layer of encryption should we use BEK or KEK which one is better?