Azure offers three server-side encryption models. These three models offer different key management characteristics, which can be chosen from according to the requirements of the solution: 

• Service-managed keys: This gives low overhead because it provides a combination of controls and convenience.
• Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.
• Service-managed keys in customer-controlled hardware: This can be used to enable and manage keys in your own repository, outside of Microsoft control. This is also called Host Your Own Key (HYOK). However, configuration is complex, and most Azure services don't support this model.

In the next section, we are going to cover how to encrypt data at rest and in transit.