az vmss encryption

Manage encryption of VMSS.

For more information, see: https://docs.microsoft.com/azure/security/azure-security-disk-encryption-overview.

Commands

az vmss encryption disable Disable the encryption on a VMSS with managed disks.
az vmss encryption enable Encrypt a VMSS with managed disks.
az vmss encryption show Show encryption status.

az vmss encryption disable

Disable the encryption on a VMSS with managed disks.

az vmss encryption disable [--force]
[--ids]
[--name]
[--resource-group]
[--subscription]
[--volume-type {ALL, DATA, OS}]

Examples

disable encryption a VMSS

az vmss encryption disable -g MyResourceGroup -n MyVm

Optional Parameters

--force

Continue by ignoring client side validation errors.

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS

az vmss encryption enable

Encrypt a VMSS with managed disks.

az vmss encryption enable --disk-encryption-keyvault
[--force]
[--ids]
[--key-encryption-algorithm]
[--key-encryption-key]
[--key-encryption-keyvault]
[--name]
[--resource-group]
[--subscription]
[--volume-type {ALL, DATA, OS}]

Examples

encrypt a VM scale set using a key vault in the same resource group

az vmss encryption enable -g MyResourceGroup -n MyVmss --disk-encryption-keyvault MyVault

Encrypt a VMSS with managed disks. (autogenerated)

az vmss encryption enable --disk-encryption-keyvault MyVault --name MyVmss --resource-group MyResourceGroup --volume-type DATA

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

--force

Continue by ignoring client side validation errors.

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--key-encryption-algorithm
default value: RSA-OAEP
--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS

az vmss encryption show

Show encryption status.

az vmss encryption show [--ids]
[--name]
[--resource-group]
[--subscription]

Examples

Show encryption status. (autogenerated)

az vmss encryption show --name MyScaleSet --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.