Hacker News

Not sure how the cloud helps here other than it essentially being pointless there since the VM hosting provider can just extract the crypto keys from memory (or already has the keys in the first place if one uses a managed product...).



Data being encrypted at rest is usually a security requirement. But if you only care about passing security audits, you can use the managed keys of your cloud provider.

If you don't trust your cloud provider enough to let them manage your encryption, you should probably not use their services. If you use a cloud provider from the USA, you should trust the USA too, as they can access your data without letting you know. It probably applies to other countries too, but the big cloud providers are from the USA.


They are however the entity most capable of actually accessing the data for nefarious purposes. Any other entity would need to go through the hoster first, which means either mounting a physical attack on the actual data center or compromising their systems to gain access.

However, with dedicated servers the next step is more complicated for both the hoster and the potential other attackers, since the only chance they have here is to catch the key material during reboots, which is quite a bit more noisy than silently extracting the key from the RAM of a running VM (especially since they would need to mirror the disks or other complications to have access at the same time as you are using the machine).

If it's a colocated machine (or if the hoster trusts you enough with their dedicated machines) one can use TPM/Secure Boot to make the MITM attack very very difficult (since one can use something like dropbear to have an encrypted and authenticated connection to enter the encryption credentials, and TPM/Secure Boot can prevent manipulation of the bootloader).
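The comment above rests on the claim that whoever holds the RAM of a running VM can silently pull the disk-encryption key out of it. The following is an added example (not code from the thread or from any of the commenters) showing why that is cheap in practice: software AES keeps its expanded key schedule in memory, and a key schedule is self-consistent (every round key is derived from the previous one), so a memory image can be scanned for the pattern without knowing anything about the guest's process layout. This is the approach popularized by the aeskeyfind tool from the cold-boot research; the scanner below is simplified to AES-128 only (176-byte schedule). The memory image, the planted offset, and the filler are constructed here for the demonstration; the key and the expected final round key come from the FIPS-197 Appendix A.1 test vector.

```python
"""Locate AES-128 key schedules in a memory image (added example, not from the thread).

A hypervisor, a cloud operator, or anyone who can read a VM's RAM (or a cold-boot
dump) can recover software-AES keys this way: the 176-byte expanded key schedule
for AES-128 is self-consistent, so 176 bytes that satisfy the key-expansion
relation are, with overwhelming probability, a real key schedule.
"""
import random

# Standard AES S-box (FIPS-197, Figure 7), 16 rows of 16 bytes.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _key_schedule_words(key):
    """Yield the 44 four-byte words of the AES-128 key schedule for `key`."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for word in w:
        yield bytes(word)
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            # RotWord, SubWord, then XOR the round constant into the first byte.
            temp = [SBOX[temp[1]] ^ RCON[i // 4 - 1],
                    SBOX[temp[2]], SBOX[temp[3]], SBOX[temp[0]]]
        new = [w[i - 4][j] ^ temp[j] for j in range(4)]
        w.append(new)
        yield bytes(new)


def expand_key_aes128(key):
    """Return the full 176-byte AES-128 key schedule (round keys 0..10)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    return b"".join(_key_schedule_words(key))


def find_aes128_keys(image):
    """Return [(offset, key)] for every position in `image` that holds a
    complete, self-consistent AES-128 key schedule.

    Each offset is treated as a candidate 16-byte key; the schedule is expanded
    word by word and compared against the bytes that follow, bailing out on the
    first mismatch so random data is rejected after one 32-bit compare.
    """
    hits = []
    image = bytes(image)
    for off in range(len(image) - 176 + 1):
        for i, word in enumerate(_key_schedule_words(image[off:off + 16])):
            if image[off + 4 * i:off + 4 * i + 4] != word:
                break
        else:
            hits.append((off, image[off:off + 16]))
    return hits


# FIPS-197 Appendix A.1 key; its round-10 key is d014f9a8c9ee2589e13f0cc8b6630ca6.
FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

# Constructed 32 KiB "memory image": deterministic pseudo-random filler standing
# in for unrelated process memory, with one expanded key schedule planted in it
# at an arbitrary offset (assumption: the guest used plain software AES).
PLANT_OFFSET = 0x1A30
_rng = random.Random(2024)
_filler = _rng.getrandbits(8 * 32 * 1024).to_bytes(32 * 1024, "little")
MEMORY_IMAGE = (_filler[:PLANT_OFFSET]
                + expand_key_aes128(FIPS197_KEY)
                + _filler[PLANT_OFFSET + 176:])

if __name__ == "__main__":
    for off, key in find_aes128_keys(MEMORY_IMAGE):
        print(f"AES-128 key schedule at 0x{off:x}: key = {key.hex()}")
```

The scan needs no knowledge of the guest OS, the filesystem, or where dm-crypt keeps its state; it only needs read access to the memory, which the hypervisor has by construction. A real tool also checks the 240-byte AES-256 schedule (relevant for aes-xts-plain64 setups, which hold two keys) and tolerates partially overwritten schedules, but the core observation is the same. Dedicated or colocated hardware changes this picture only because the attacker no longer has a convenient copy of RAM to read.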


I trust in Azure much more than solutions like that. I'd imagine most of their customers do too.


Then we are back to the starting point. If you are already trusting Azure, what exactly is the threat model the encryption is supposed to protect against?


I see two: someone physically stealing the storage devices, or Microsoft disposing of the storage devices without destroying them first.


Which both mean that you cannot really trust Azure. Although the latter is an easy mistake to make for hosting providers and thus indeed a valid threat model.

The theft scenario is exactly the reason why you wouldn't want to trust Azure to do the encryption for you, since they can just extract the plain text data from the virtual machine. Unless you are saying you don't trust Azure datacenter techs only?

And for preventing the leakage from old storage devices very non-fancy and simplistic encryption setups are good enough (most of the complexity comes from trying to prevent/detect MITM or manipulation by the hosting provider).


> Unless you are saying you don't trust Azure datacenter techs only?

Yes, and also the local datacenter people. I understood that Microsoft didn’t build a datacenter in every region and rents some space in existing datacenters managed by other companies.



