az vm encryption

Manage encryption of VM disks.

For more information, see: https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

Commands

Name Description Type Status
az vm encryption disable

Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.

Core GA
az vm encryption enable

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.

Core GA
az vm encryption show

Show encryption status.

Core GA

az vm encryption disable

Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.

For Linux VMs, disabling encryption is only permitted on data volumes. For Windows VMs, disabling encryption is permitted on both OS and data volumes.

az vm encryption disable [--force]
                         [--ids]
                         [--name]
                         [--resource-group]
                         [--subscription]
                         [--volume-type {ALL, DATA, OS}]

Examples

Disable disk encryption on the OS disk and/or data disks. (autogenerated)

az vm encryption disable --name MyVirtualMachine --resource-group MyResourceGroup --volume-type DATA

Optional Parameters

--force

Continue by ignoring client side validation errors.

default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az vm encryption enable

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.

Note that Azure Active Directory / service principal arguments are unnecessary for vm encryption. The older version of Azure Disk Encryption required AAD arguments. For more information, see: https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

az vm encryption enable --disk-encryption-keyvault
                        [--aad-client-cert-thumbprint]
                        [--aad-client-id]
                        [--aad-client-secret]
                        [--encrypt-format-all]
                        [--force]
                        [--ids]
                        [--key-encryption-algorithm]
                        [--key-encryption-key]
                        [--key-encryption-keyvault]
                        [--name]
                        [--resource-group]
                        [--subscription]
                        [--volume-type {ALL, DATA, OS}]

Examples

encrypt a VM using a key vault in the same resource group

az vm encryption enable -g MyResourceGroup -n MyVm --disk-encryption-keyvault MyVault

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks. (autogenerated)

az vm encryption enable --disk-encryption-keyvault MyVault --name MyVm --resource-group MyResourceGroup --volume-type DATA

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

--aad-client-cert-thumbprint

Thumbprint of the AAD app certificate with permissions to write secrets to the key vault.

--aad-client-id

Client ID of an AAD app with permissions to write secrets to the key vault.

--aad-client-secret

Client secret of the AAD app with permissions to write secrets to the key vault.

--encrypt-format-all

Encrypts-formats data disks instead of encrypting them. Encrypt-formatting is a lot faster than in-place encryption but wipes out the partition getting encrypt-formatted. (Only supported for Linux virtual machines.).

default value: False
--force

Continue by ignoring client side validation errors.

default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--key-encryption-algorithm
default value: RSA-OAEP
--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az vm encryption show

Show encryption status.

az vm encryption show [--ids]
                      [--name]
                      [--resource-group]
                      [--subscription]

Examples

Show encryption status. (autogenerated)

az vm encryption show --name MyVirtualMachine --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.