When discussing VM data encryption, a lot of customers start by looking at Azure Disk Encryption (ADE) and Storage Service Encryption (SSE). The two offerings overlap but protect against different things: SSE encrypts the data at rest inside the storage platform, while ADE encrypts the volumes inside the guest OS (BitLocker on Windows, dm-crypt on Linux). Whether you stick with SSE (always enabled) or add ADE on top is up to you; it really depends on your security needs and design.
Below is my quick breakdown of the pros and cons to help you decide what is the best design for your organization.
SSE (default)
- https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
- PRO – Transparent to the customer, does not impact performance, applies to the entire storage account or managed disk automatically, supports customer-managed keys (CMK)
- CON – If the storage account (or an identity with access to it) is compromised, every disk within it is readable unless it is separately encrypted; cannot be turned off (arguably a PRO)
ADE
- https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
- PRO – Each disk is individually protected inside the guest, VM backups can also be encrypted, supports customer-managed keys (CMK) as a key encryption key wrapping the disk secret
- CON – can impact performance, manual implementation (no portal option; PowerShell, CLI or ARM template), may affect VM application design (e.g. https://nicolewelchblog.com/2018/10/25/bitlocker-and-domain-controller-logical-disks/)
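Since ADE has to be enabled outside the portal, here is what the "manual implementation" looks like end to end in PowerShell, followed by the checks I would run to confirm both layers are in place. This is an added example, not code from the original post or from Microsoft's docs; it assumes the current Az module (the post's era used AzureRM), an existing VM and a Key Vault in the same region, and all resource names below are placeholders.

```powershell
# Added example (not from the original post): enable ADE on an existing VM with
# the Az module and verify the result. Assumes an existing VM and a Key Vault in
# the same region; every name below is an assumed placeholder.
$rg      = 'rg-ade-demo'     # assumed resource group
$vmName  = 'vm-ade-demo'     # assumed VM (has an OS disk and at least one data disk)
$kvName  = 'kv-ade-demo'     # assumed Key Vault, same region as the VM
$kekName = 'ade-kek'         # assumed customer-managed key encryption key (KEK)

# 1. ADE stores the BitLocker/dm-crypt secret in Key Vault, so the vault must
#    be enabled for disk encryption or the extension fails.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $kvName

# 2. Optional CMK: wrap the disk secret with a key you control. Without a KEK
#    the secret is still in the vault, just not wrapped.
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name $kekName
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software
}

# 3. Enable ADE on OS and data volumes. This reboots the VM; take a backup first
#    and test on a non-production VM (see the DC logical-disk caveat above).
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Key.Kid `
    -KeyEncryptionKeyVaultId   $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify the guest-level layer: both volume types should report Encrypted.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted

# 5. Verify the platform layer: SSE is always on, so the managed disk reports an
#    encryption type regardless of ADE (platform key unless you attached a CMK).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Get-AzDisk -ResourceGroupName $rg -DiskName $vm.StorageProfile.OsDisk.Name |
    Select-Object Name, @{ n = 'SseType'; e = { $_.Encryption.Type } }
```

Step 4 is the one people skip: `Set-AzVMDiskEncryptionExtension` returns when the extension is provisioned, not when the volumes are finished encrypting, so check `Get-AzVMDiskEncryptionStatus` again later if a data volume still shows NotEncrypted. Step 5 makes the point of the post concrete: the disk was already SSE-encrypted before ADE ran, and ADE adds a second key that an attacker with storage-account access does not get for free.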
Thanks to Eric Marks for raising this question!