From the documentation, it seems as if the LUKS passphrase is stored and retrieved from Azure KeyVault.
But all that's done is the key is written to KeyVault. It's seemingly never, ever read back. The passphrase is read from /mnt/azure_bek_disk/LinuxPassPhraseFileName, which is never updated from Key Vault.
Am I missing something? Is the documentation just misleading? What's the point of storing the passphrase in Azure Key Vault?
I think I'm misunderstanding the point of KEK. Is it just a convenience to automatically save the key for you to Azure Key Vault, so that you can use it later without having to ever retrieve it from the VM? I.e., is KEK not an extra security measure?
At a high level, the platform retrieves material from Key Vault and then provides it to the VM at time of boot. This process is similar to how attaching a USB key to a PC allows for unlock of an encrypted OS disk at boot.
Key Vault in turn provides the ability for customers to manage keys in this scenario. The permission for the platform to retrieve the key is granted on a per-vault basis by each individual user that wants to opt in to disk encryption at the time of key vault provisioning, and remains customer managed after that.
With respect to KEK, the benefit of KEK on Linux is also primarily on the platform side, and its facilitation of platform capabilities such as HSM and Azure Backup for Managed Disks.
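The reply above describes the passphrase being delivered to the VM at boot from the BEK disk, much like a USB key. An audit that follows from that model is to confirm on the VM itself that the passphrase file named in the issue is protected, that it actually opens the LUKS header, and how many keyslots the volume carries (every extra slot is another passphrase that unlocks the disk). The script below is an added example and is not code from this issue or from the Azure Disk Encryption project; it assumes the `/mnt/azure_bek_disk/LinuxPassPhraseFileName` path quoted in the issue, takes the encrypted device as its first argument (an assumption), and the `luksDump` text used for the self-check is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the issue or the Azure project): audit checks for
# an ADE-encrypted Linux VM. The BEK path is the one quoted in the issue; the
# device argument is assumed; the luksDump samples in the self-check are constructed.

BEK_FILE="/mnt/azure_bek_disk/LinuxPassPhraseFileName"

# Return 0 if the passphrase file exists, is a regular file and is not readable
# by group or other (a world-readable key file defeats the point of the BEK disk).
check_bek_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1   # GNU/busybox stat
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "loose permissions on $f: $mode"; return 1 ;;
    esac
}

# Count enabled keyslots from `cryptsetup luksDump` output read on stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists slots under "Keyslots:" as
# "  N: luks2". More than one slot means more than one passphrase unlocks the disk.
count_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }
    '
}

# Verify the BEK passphrase opens the LUKS header on $1 without mapping the
# volume. --test-passphrase is a standard cryptsetup option; this needs root.
test_bek_unlock() {
    dev="$1"; keyfile="$2"
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
}

# Usage: sh bek_audit.sh /dev/sdX  (device path is an assumption)
if [ -n "${1:-}" ]; then
    check_bek_file "$BEK_FILE" \
        && test_bek_unlock "$1" "$BEK_FILE" \
        && echo "BEK passphrase unlocks $1"
    printf 'enabled keyslots on %s: ' "$1"
    cryptsetup luksDump "$1" | count_keyslots
fi
```

Run it as root on the VM with the encrypted device as the argument; a keyslot count above the one the platform provisioned is worth explaining, and a failed `--test-passphrase` means the file on the BEK disk is not what currently unlocks the volume.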