

az vmss encryption

Manage encryption of VMSS.

For more information, see: https://learn.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

Commands

| Name | Description | Type | Status |
| --- | --- | --- | --- |
| az vmss encryption disable | Disable the encryption on a VMSS with managed disks. | Core | GA |
| az vmss encryption enable | Encrypt a VMSS with managed disks. | Core | GA |
| az vmss encryption show | Show encryption status. | Core | GA |

az vmss encryption disable

Disable the encryption on a VMSS with managed disks.

az vmss encryption disable [--force]
                           [--ids]
                           [--name]
                           [--resource-group]
                           [--subscription]
                           [--volume-type {ALL, DATA, OS}]

Examples

Disable encryption on a VMSS

az vmss encryption disable -g MyResourceGroup -n MyVm

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--force

Continue by ignoring client side validation errors.

Property Value
Default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--volume-type

Type of volume that the encryption operation is performed on.

Property Value
Accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az vmss encryption enable

Encrypt a VMSS with managed disks.

For more information, see: https://learn.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

az vmss encryption enable --disk-encryption-keyvault
                          [--encryption-identity]
                          [--force]
                          [--ids]
                          [--key-encryption-algorithm]
                          [--key-encryption-key]
                          [--key-encryption-keyvault]
                          [--name]
                          [--resource-group]
                          [--subscription]
                          [--volume-type {ALL, DATA, OS}]

Examples

Encrypt a VM scale set using a key vault in the same resource group

az vmss encryption enable -g MyResourceGroup -n MyVmss --disk-encryption-keyvault MyVault

Encrypt a VMSS using a managed identity to authenticate to the customer's key vault for the ADE operation

az vmss encryption enable --disk-encryption-keyvault MyVault --name MyVm --resource-group MyResourceGroup --encryption-identity EncryptionIdentity

Encrypt a VMSS with managed disks. (autogenerated)

az vmss encryption enable --disk-encryption-keyvault MyVault --name MyVmss --resource-group MyResourceGroup --volume-type DATA

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--encryption-identity

Resource Id of the user managed identity which can be used for Azure disk encryption.

--force

Continue by ignoring client side validation errors.

Property Value
Default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--key-encryption-algorithm
Property Value
Default value: RSA-OAEP
--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--volume-type

Type of volume that the encryption operation is performed on.

Property Value
Accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False
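
The wrapper below is an added example, not part of the Azure CLI or of this reference. It builds an `az vmss encryption enable` call from checked input, makes the documented KEK-vault fallback explicit, and never passes `--force`. The function name `vmss_encrypt` and the `DRY_RUN` variable are hypothetical; by default the command is only printed, not run.

```shell
#!/bin/sh
# Added example: builds an `az vmss encryption enable` call from checked input.
# vmss_encrypt and DRY_RUN are hypothetical names of this wrapper, not az features.
# Usage: vmss_encrypt <rg> <vmss> <disk-vault> <ALL|DATA|OS> [kek] [kek-vault]
vmss_encrypt() {
    rg=$1 vmss=$2 dek_vault=$3 vol=$4 kek=${5:-} kek_vault=${6:-}

    if [ -z "$rg" ] || [ -z "$vmss" ] || [ -z "$dek_vault" ]; then
        echo "usage: vmss_encrypt <rg> <vmss> <disk-vault> <ALL|DATA|OS> [kek] [kek-vault]" >&2
        return 2
    fi

    # Accepted values per the reference: ALL, DATA, OS. No silent default:
    # the operator has to state which volumes are in scope.
    case $vol in
        ALL|DATA|OS) ;;
        *) echo "invalid --volume-type: '$vol'" >&2; return 2 ;;
    esac

    # A KEK vault without a KEK name is ambiguous; reject instead of guessing.
    if [ -n "$kek_vault" ] && [ -z "$kek" ]; then
        echo "kek-vault given without a key-encryption-key" >&2
        return 2
    fi

    set -- az vmss encryption enable \
        --resource-group "$rg" --name "$vmss" \
        --disk-encryption-keyvault "$dek_vault" --volume-type "$vol"

    if [ -n "$kek" ]; then
        # The CLI falls back to --disk-encryption-keyvault when the KEK vault
        # is omitted; pass it explicitly so the command line records the choice.
        set -- "$@" --key-encryption-key "$kek" \
            --key-encryption-keyvault "${kek_vault:-$dek_vault}"
    fi

    # --force is deliberately never added, so client-side validation stays on.
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
```

Set `DRY_RUN=0` to execute the command instead of printing it, then confirm the result with `az vmss encryption show`.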

az vmss encryption show

Show encryption status.

az vmss encryption show [--ids]
                        [--name]
                        [--resource-group]
                        [--subscription]

Examples

Show encryption status. (autogenerated)

az vmss encryption show --name MyScaleSet --resource-group MyResourceGroup

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False