az vm encryption

Manage encryption of VM disks.

For more information, see: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

Commands

az vm encryption disable: Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.
az vm encryption enable: Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.
az vm encryption show: Show encryption status.

az vm encryption disable

Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.

az vm encryption disable [--force]
[--ids]
[--name]
[--resource-group]
[--subscription]
[--volume-type {ALL, DATA, OS}]

Examples

Disable disk encryption on the OS disk and/or data disks. (autogenerated)

az vm encryption disable --name MyVirtualMachine --resource-group MyResourceGroup --volume-type DATA

Optional Parameters

--force

Continue by ignoring client side validation errors.

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS

az vm encryption enable

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.

az vm encryption enable --disk-encryption-keyvault
[--aad-client-cert-thumbprint]
[--aad-client-id]
[--aad-client-secret]
[--encrypt-format-all]
[--force]
[--ids]
[--key-encryption-algorithm]
[--key-encryption-key]
[--key-encryption-keyvault]
[--name]
[--resource-group]
[--subscription]
[--volume-type {ALL, DATA, OS}]

Examples

Encrypt a VM using a key vault in the same resource group

az vm encryption enable -g MyResourceGroup -n MyVm --disk-encryption-keyvault MyVault

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks. (autogenerated)

az vm encryption enable --disk-encryption-keyvault MyVault --name MyVm --resource-group MyResourceGroup --volume-type DATA

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

--aad-client-cert-thumbprint

Thumbprint of the AAD app certificate with permissions to write secrets to the key vault.

--aad-client-id

Client ID of an AAD app with permissions to write secrets to the key vault.

--aad-client-secret

Client secret of the AAD app with permissions to write secrets to the key vault.

--encrypt-format-all

Encrypt-formats data disks instead of encrypting them in place. Encrypt-formatting is a lot faster than in-place encryption, but it wipes out the partition being encrypt-formatted.

--force

Continue by ignoring client side validation errors.

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--key-encryption-algorithm

default value: RSA-OAEP

--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS
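
Added example (not from the Azure CLI reference): a POSIX shell wrapper that composes `az vm encryption enable` from the flags documented above, validates `--volume-type`, pairs `--key-encryption-keyvault` with `--key-encryption-key`, and refuses `--encrypt-format-all` without an explicit confirmation because that mode wipes the partition. The function name `ade_enable` and the `ADE_*` environment variables are assumptions of this example; by default it prints the command instead of running it.

```shell
#!/bin/sh
# Added example, not part of the Azure CLI reference. Uses only flags
# documented on this page; ade_enable and the ADE_* variables are assumed names.
#
# ade_enable RG VM DISK_VAULT VOLUME_TYPE [KEK [KEK_VAULT]]
#   ADE_DRY_RUN=1 (default) prints the command instead of running it.
#   ADE_FORMAT_ALL=yes adds --encrypt-format-all and additionally needs
#   ADE_CONFIRM_WIPE=<vm name>, because that mode wipes the partition.
ade_enable() {
  if [ "$#" -lt 4 ] || [ "$#" -gt 6 ]; then
    echo "usage: ade_enable RG VM DISK_VAULT {ALL|DATA|OS} [KEK [KEK_VAULT]]" >&2
    return 2
  fi
  _rg=$1 _vm=$2 _vault=$3 _vol=$4 _kek=${5:-} _kekvault=${6:-}

  case $_vol in
    ALL|DATA|OS) ;;
    *) echo "volume type must be ALL, DATA or OS: $_vol" >&2; return 2 ;;
  esac
  # A KEK vault is only meaningful together with a KEK name or URL.
  if [ -n "$_kekvault" ] && [ -z "$_kek" ]; then
    echo "KEK_VAULT given without KEK" >&2; return 2
  fi

  set -- az vm encryption enable --resource-group "$_rg" --name "$_vm" \
    --disk-encryption-keyvault "$_vault" --volume-type "$_vol"
  # Wrap the disk encryption key with a key encryption key when one is named.
  if [ -n "$_kek" ]; then set -- "$@" --key-encryption-key "$_kek"; fi
  if [ -n "$_kekvault" ]; then set -- "$@" --key-encryption-keyvault "$_kekvault"; fi

  if [ "${ADE_FORMAT_ALL:-no}" = yes ]; then
    if [ "${ADE_CONFIRM_WIPE:-}" != "$_vm" ]; then
      echo "refusing --encrypt-format-all: set ADE_CONFIRM_WIPE=$_vm" >&2
      return 3
    fi
    set -- "$@" --encrypt-format-all
  fi

  if [ "${ADE_DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"   # dry run: show what would be executed
  else
    "$@"
  fi
}
```

For example, `ade_enable MyResourceGroup MyVm MyVault ALL MyKek MyKekVault` prints the full command with both key-encryption flags; `MyKek` and `MyKekVault` are placeholder names. Set `ADE_DRY_RUN=0` to run the composed command.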

az vm encryption show

Show encryption status.

az vm encryption show [--ids]
[--name]
[--resource-group]
[--subscription]

Examples

Show encryption status. (autogenerated)

az vm encryption show --name MyVirtualMachine --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.