@Iain Shepherd Welcome to Microsoft Q&A Forum. Thank you for posting your query here!
It adds an extra layer of security. Let's say someone knows the secret, which is plain text; then they can easily get the data from the secret and open the encrypted disk. When you use a key, it wraps the secrets with the key, so that in order to retrieve the secret content you need to decode it using the key.
Additional information: Encryption keys and secrets are safeguarded in your Azure Key Vault subscription. By using the Azure Backup service, you can back up and restore encrypted virtual machines (VMs) that use Key Encryption Key (KEK) configuration.
When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key Encryption Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage it locally or store it in Key Vault. The encrypted data is then uploaded to Azure Storage.
When server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers will store the Data Encryption Keys in a store that is close to the data and quickly available and accessible while the Key Encryption Keys are stored in a secure internal store.
Advantages:
- Simple setup
- Microsoft manages key rotation, backup, and redundancy
- Customer does not have the cost associated with implementation or the risk of a custom key management scheme.
For more information: Refer to this article
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
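
The CEK/KEK wrapping described in the answer above, as an added example that is not part of the original answer and is not Azure SDK code. It shows that the stored blob holds only the wrapped CEK, so reading it back requires the KEK. Assumptions: the Python `cryptography` package, a local 256-bit AES key standing in for a KEK held in Key Vault, AES-GCM for the data and RFC 3394 AES key wrap for the CEK, and the hypothetical function names `encrypt` and `decrypt`.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


def encrypt(kek: bytes, data: bytes) -> dict:
    """Encrypt data under a one-time CEK, then wrap that CEK under the KEK."""
    cek = AESGCM.generate_key(bit_length=256)  # fresh CEK for this item only
    nonce = os.urandom(12)
    return {
        "wrapped_cek": aes_key_wrap(kek, cek),  # only this form of the CEK is stored
        "nonce": nonce,
        "ciphertext": AESGCM(cek).encrypt(nonce, data, None),
    }


def decrypt(kek: bytes, blob: dict) -> bytes:
    """Unwrap the CEK with the KEK, then decrypt the data with the CEK."""
    try:
        cek = aes_key_unwrap(kek, blob["wrapped_cek"])
    except InvalidUnwrap:
        # Wrong KEK or a modified wrapped key: the stored blob alone is useless.
        raise ValueError("cannot unwrap CEK without the correct KEK") from None
    return AESGCM(cek).decrypt(blob["nonce"], blob["ciphertext"], None)


if __name__ == "__main__":
    # Constructed demo keys; a real KEK would be held in Key Vault, not in code.
    kek, wrong_kek = bytes(range(32)), bytes(32)
    blob = encrypt(kek, b"constructed sample secret")
    print("stored:", {name: value.hex() for name, value in blob.items()})
    print("with KEK:", decrypt(kek, blob))
    try:
        decrypt(wrong_kek, blob)
    except ValueError as exc:
        print("without KEK:", exc)
```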