New-AzStorageEncryptionScope

Reference

Module:: Az.Storage

Creates an encryption scope for a Storage account.

Note

This is the previous version of our documentation. Please consult the most recent version for up-to-date information.

Syntax

New-AzStorageEncryptionScope
   [-ResourceGroupName] <String>
   [-StorageAccountName] <String>
   -EncryptionScopeName <String>
   [-StorageEncryption]
   [-RequireInfrastructureEncryption]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

New-AzStorageEncryptionScope
   [-ResourceGroupName] <String>
   [-StorageAccountName] <String>
   -EncryptionScopeName <String>
   [-KeyvaultEncryption]
   -KeyUri <String>
   [-RequireInfrastructureEncryption]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

New-AzStorageEncryptionScope
   -StorageAccount <PSStorageAccount>
   -EncryptionScopeName <String>
   [-StorageEncryption]
   [-RequireInfrastructureEncryption]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

New-AzStorageEncryptionScope
   -StorageAccount <PSStorageAccount>
   -EncryptionScopeName <String>
   [-KeyvaultEncryption]
   -KeyUri <String>
   [-RequireInfrastructureEncryption]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzStorageEncryptionScope cmdlet creates an encryption scope for a Storage account.

Examples

Example 1: Create an encryption scope with Storage Encryption

PS C:\> New-AzStorageEncryptionScope -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount"  -EncryptionScopeName testscope -StorageEncryption

   ResourceGroupName: myresourcegroup, StorageAccountName: mystorageaccount

Name      State    Source            KeyVaultKeyUri RequireInfrastructureEncryption                                         
----      -----    ------            -------------- -------------------------------                                         
testscope Enabled  Microsoft.Storage

This command creates an encryption scope with Storage Encryption.

Example 2: Create an encryption scope with Keyvault Encryption, and RequireInfrastructureEncryption

PS C:\> New-AzStorageEncryptionScope -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" `
	-EncryptionScopeName testscope -KeyvaultEncryption -KeyUri "https://keyvalutname.vault.azure.net:443/keys/keyname/34a0ba563b4243d9a0ef2b1d3c0c7d57" `
	-RequireInfrastructureEncryption 

   ResourceGroupName: myresourcegroup, StorageAccountName: mystorageaccount

Name         State   Source           KeyVaultKeyUri                                                                          RequireInfrastructureEncryption                                       
----         -----   ------             --------------                                                                        -------------------------------                                     
testscope Enabled  Microsoft.Keyvault https://keyvalutname.vault.azure.net:443/keys/keyname/34a0ba563b4243d9a0ef2b1d3c0c7d57  True

This command creates an encryption scope with Keyvault Encryption and RequireInfrastructureEncryption. The Storage account Identity need have get,wrapkey,unwrapkey permissions to the keyvault key.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:	SwitchParameter
Aliases:	cf
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:	IAzureContextContainer
Aliases:	AzContext, AzureRmContext, AzureCredential
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-EncryptionScopeName

Azure Storage EncryptionScope name

Type:	String
Aliases:	Name
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-KeyUri

The key Uri

Type:	String
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-KeyvaultEncryption

Create encryption scope with keySource as Microsoft.Keyvault

Type:	SwitchParameter
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-RequireInfrastructureEncryption

The encryption scope will apply a secondary layer of encryption with platform managed keys for data at rest.

Type:	SwitchParameter
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-ResourceGroupName

Resource Group Name.

Type:	String
Position:	0
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-StorageAccount

Storage account object

Type:	PSStorageAccount
Position:	Named
Default value:	None
Accept pipeline input:	True
Accept wildcard characters:	False

-StorageAccountName

Storage Account Name.

Type:	String
Aliases:	AccountName
Position:	1
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-StorageEncryption

Create encryption scope with keySource as Microsoft.Storage.

Type:	SwitchParameter
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:	SwitchParameter
Aliases:	wi
Position:	Named
Default value:	None
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

PSStorageAccount

Outputs

PSEncryptionScope