az vm encryption

Manage encryption of VM disks.

For more information, see: https://learn.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

Commands

Name                       Description                                                                        Type   Status
az vm encryption disable   Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.   Core   GA
az vm encryption enable    Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.    Core   GA
az vm encryption show      Show encryption status.                                                            Core   GA

az vm encryption disable

Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.

For Linux VMs, disabling encryption is only permitted on data volumes. For Windows VMs, disabling encryption is permitted on both OS and data volumes.

az vm encryption disable [--force]
                         [--ids]
                         [--name]
                         [--resource-group]
                         [--subscription]
                         [--volume-type {ALL, DATA, OS}]

Examples

Disable disk encryption on the OS disk and/or data disks. (autogenerated)

az vm encryption disable --name MyVirtualMachine --resource-group MyResourceGroup --volume-type DATA

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--force

Continue by ignoring client side validation errors.

Property Value
Default value: False
--ids

One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments would otherwise supply. Provide either --ids or the other 'Resource Id' arguments, not both.

Property Value
Parameter group: Resource Id Arguments
--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--volume-type

Type of volume that the encryption operation is performed on.

Property Value
Accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az vm encryption enable

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.

Note that Azure Active Directory / service principal arguments are unnecessary for VM encryption. Only the older version of Azure Disk Encryption required AAD arguments. For more information, see: https://learn.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

az vm encryption enable --disk-encryption-keyvault
                        [--aad-client-cert-thumbprint]
                        [--aad-client-id]
                        [--aad-client-secret]
                        [--encrypt-format-all]
                        [--encryption-identity]
                        [--force]
                        [--ids]
                        [--key-encryption-algorithm]
                        [--key-encryption-key]
                        [--key-encryption-keyvault]
                        [--name]
                        [--resource-group]
                        [--subscription]
                        [--volume-type {ALL, DATA, OS}]

Examples

Encrypt a VM using a key vault in the same resource group.

az vm encryption enable -g MyResourceGroup -n MyVm --disk-encryption-keyvault MyVault

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks. (autogenerated)

az vm encryption enable --disk-encryption-keyvault MyVault --name MyVm --resource-group MyResourceGroup --volume-type DATA

Use a user-assigned managed identity to authenticate to the customer's key vault for the ADE operation.

az vm encryption enable --disk-encryption-keyvault MyVault --name MyVm --resource-group MyResourceGroup --encryption-identity EncryptionIdentity
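An added preflight for the enable and disable commands on this page (not part of the Azure CLI): it builds the argument list and rejects the combinations this reference rules out, such as decrypting a Linux OS volume or using --encrypt-format-all on a non-Linux VM, before anything is sent to Azure. The os_type and wipe_ok inputs are assumptions the caller supplies, for example os_type from the VM's storage profile.

```python
VOLUME_TYPES = ("ALL", "DATA", "OS")  # the values --volume-type accepts


def _target(vm_name, resource_group, ids):
    # --ids stands in for --name/--resource-group; the reference says to give one or the other.
    if ids and (vm_name or resource_group):
        raise ValueError("use either --ids or --name/--resource-group, not both")
    if ids:
        return ["--ids", *ids]
    if not (vm_name and resource_group):
        raise ValueError("--name and --resource-group are required without --ids")
    return ["--name", vm_name, "--resource-group", resource_group]


def enable_args(*, dek_vault, vm_name=None, resource_group=None, ids=(), volume_type="ALL",
                kek=None, kek_vault=None, identity=None, os_type=None,
                encrypt_format_all=False, wipe_ok=False):
    """Argument list for `az vm encryption enable`. os_type and wipe_ok are hypothetical inputs."""
    if volume_type not in VOLUME_TYPES:
        raise ValueError(f"--volume-type must be one of {VOLUME_TYPES}")
    args = ["az", "vm", "encryption", "enable", "--disk-encryption-keyvault", dek_vault,
            *_target(vm_name, resource_group, ids), "--volume-type", volume_type]
    if kek:
        # The KEK vault defaults to --disk-encryption-keyvault; record the choice explicitly.
        args += ["--key-encryption-key", kek, "--key-encryption-keyvault", kek_vault or dek_vault]
    elif kek_vault:
        raise ValueError("--key-encryption-keyvault has no effect without --key-encryption-key")
    if identity:
        args += ["--encryption-identity", identity]
    if encrypt_format_all:
        # Linux-only, and it wipes the partitions it formats: demand an explicit acknowledgement.
        if os_type != "Linux":
            raise ValueError("--encrypt-format-all is only supported on Linux VMs")
        if not wipe_ok:
            raise ValueError("--encrypt-format-all destroys data on the disks; set wipe_ok=True")
        args.append("--encrypt-format-all")
    return args


def disable_args(*, os_type, vm_name=None, resource_group=None, ids=(), volume_type="DATA"):
    """Argument list for `az vm encryption disable`; os_type is a hypothetical input."""
    if volume_type not in VOLUME_TYPES:
        raise ValueError(f"--volume-type must be one of {VOLUME_TYPES}")
    if os_type == "Linux" and volume_type != "DATA":  # Linux permits decrypting data volumes only
        raise ValueError("on Linux VMs, encryption can only be disabled on data volumes")
    return ["az", "vm", "encryption", "disable", *_target(vm_name, resource_group, ids),
            "--volume-type", volume_type]
```

Pass the returned list to subprocess.run without a shell so vault names and resource IDs are never re-parsed.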

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--aad-client-cert-thumbprint

Thumbprint of the AAD app certificate with permissions to write secrets to the key vault.

Property Value
Parameter group: Azure Active Directory Arguments
--aad-client-id

Client ID of an AAD app with permissions to write secrets to the key vault.

Property Value
Parameter group: Azure Active Directory Arguments
--aad-client-secret

Client secret of the AAD app with permissions to write secrets to the key vault.

Property Value
Parameter group: Azure Active Directory Arguments
--encrypt-format-all

Encrypt-formats data disks instead of encrypting them in place. Encrypt-formatting is much faster than in-place encryption but wipes the partition being encrypt-formatted. (Only supported for Linux virtual machines.)

Property Value
Default value: False
--encryption-identity

Resource Id of the user managed identity which can be used for Azure disk encryption.

--force

Continue by ignoring client side validation errors.

Property Value
Default value: False
--ids

One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments would otherwise supply. Provide either --ids or the other 'Resource Id' arguments, not both.

Property Value
Parameter group: Resource Id Arguments
--key-encryption-algorithm

Algorithm used to wrap the disk encryption key with the key encryption key.

Property Value
Default value: RSA-OAEP
--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--volume-type

Type of volume that the encryption operation is performed on.

Property Value
Accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az vm encryption show

Show encryption status.

az vm encryption show [--ids]
                      [--name]
                      [--resource-group]
                      [--subscription]

Examples

Show encryption status. (autogenerated)

az vm encryption show --name MyVirtualMachine --resource-group MyResourceGroup

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--ids

One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments would otherwise supply. Provide either --ids or the other 'Resource Id' arguments, not both.

Property Value
Parameter group: Resource Id Arguments
--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False