az storage account encryption-scope

Manage encryption scope for a storage account.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az storage account encryption-scope create | Create an encryption scope within storage account. | Core | GA |
| az storage account encryption-scope list | List encryption scopes within storage account. | Core | GA |
| az storage account encryption-scope show | Show properties for specified encryption scope within storage account. | Core | GA |
| az storage account encryption-scope update | Update properties for specified encryption scope within storage account. | Core | GA |

az storage account encryption-scope create

Create an encryption scope within storage account.

az storage account encryption-scope create --account-name
                                           --name
                                           [--key-source {Microsoft.KeyVault, Microsoft.Storage}]
                                           [--key-uri]
                                           [--require-infrastructure-encryption {false, true}]
                                           [--resource-group]

Examples

Create an encryption scope within storage account based on Microsoft.Storage key source.

az storage account encryption-scope create --name myencryption -s Microsoft.Storage --account-name mystorageaccount -g MyResourceGroup

Create an encryption scope within storage account based on Microsoft.KeyVault key source.

az storage account encryption-scope create --name myencryption -s Microsoft.KeyVault -u "https://vaultname.vault.azure.net/keys/keyname/1f7fa7edc99f4cdf82b5b5f32f2a50a7" --account-name mystorageaccount -g MyResourceGroup

Create an encryption scope within storage account. (autogenerated)

az storage account encryption-scope create --account-name mystorageaccount --key-source Microsoft.Storage --name myencryption --resource-group MyResourceGroup --subscription mysubscription

Required Parameters

--account-name

The storage account name.

--name -n

The name of the encryption scope within the specified storage account.

Optional Parameters

--key-source -s

The provider for the encryption scope.

Accepted values: Microsoft.KeyVault, Microsoft.Storage
Default value: Microsoft.Storage

--key-uri -u

The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope.

--require-infrastructure-encryption -i

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

Accepted values: false, true

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account encryption-scope list

List encryption scopes within storage account.

az storage account encryption-scope list --account-name
                                         [--filter]
                                         [--include {All, Disabled, Enabled}]
                                         [--marker]
                                         [--maxpagesize]
                                         [--resource-group]

Examples

List encryption scopes within storage account.

az storage account encryption-scope list --account-name mystorageaccount -g MyResourceGroup

List encryption scopes starting with specific name.

az storage account encryption-scope list --account-name mystorageaccount -g myresourcegroup --filter 'startswith(name, value)'

Required Parameters

--account-name

The storage account name.

Optional Parameters

--filter

When specified, only encryption scope names starting with the filter will be listed.

--include

When specified, will list encryption scopes with the specific state.

Accepted values: All, Disabled, Enabled

--marker

A string value that identifies the portion of the list of encryption scopes to be returned with the next listing operation. The operation returns the NextMarker value within the response body if the listing operation did not return all encryption scopes remaining to be listed with the current page. If specified, this generator will begin returning results from the point where the previous generator stopped.

--maxpagesize

The maximum number of encryption scopes that will be included in the list response.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
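
The list command combined with the global --query and --output parameters can feed a key-management review of every scope in an account. The script below is an added example, not part of the CLI reference: the finding codes and the audit_scopes function are hypothetical, and the output field names in SCOPE_QUERY (source, state, keyVaultProperties.keyUri, requireInfrastructureEncryption) are assumptions to confirm against the output of the show command.

```shell
#!/bin/sh
# Added example, not part of the Azure CLI reference.
# Assumption: list output exposes source, state, keyVaultProperties.keyUri and
# requireInfrastructureEncryption; confirm the names with `encryption-scope show`.
# Live use (account and group names taken from the examples on this page):
#   az storage account encryption-scope list --account-name mystorageaccount \
#     -g MyResourceGroup --query "$SCOPE_QUERY" -o tsv | audit_scopes

# JMESPath projection for --query: one scope per TSV row, five columns.
SCOPE_QUERY='[].[name, source, state, keyVaultProperties.keyUri, requireInfrastructureEncryption]'

# Read TSV rows on stdin; print "<scope>\t<code>\t<detail>" for each finding.
audit_scopes() {
  awk -F'\t' '
    NF < 5 { next }   # skip blank or short rows
    {
      name = $1; src = $2; state = $3; uri = $4; infra = tolower($5)
      if (state == "Disabled")
        print name "\tDISABLED\tblob read/write using this scope will fail"
      if (src == "Microsoft.Storage")
        print name "\tPLATFORM_KEY\tno customer-managed key on this scope"
      if (src == "Microsoft.KeyVault") {
        # https://<vault>/keys/<key>/<version> splits into 6 parts on "/"
        n = split(uri, part, "/")
        if (uri == "" || uri == "None")
          print name "\tCMK_NO_URI\tKeyVault source without a key URI"
        else if (n >= 6 && part[4] == "keys" && part[6] != "")
          print name "\tPINNED_KEY_VERSION\tURI names version " part[6]
      }
      if (infra != "true")
        print name "\tNO_INFRA_ENCRYPTION\tno secondary platform-key layer"
    }'
}

# Constructed sample rows; null is assumed to render as None and booleans
# as True/False in tsv output (the check lower-cases the value either way).
SAMPLE=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  scope-a Microsoft.Storage Enabled None None \
  scope-b Microsoft.KeyVault Enabled \
    https://vaultname.vault.azure.net/keys/keyname/1f7fa7edc99f4cdf82b5b5f32f2a50a7 True \
  scope-c Microsoft.KeyVault Disabled \
    https://vaultname.vault.azure.net/keys/keyname False)

printf '%s\n' "$SAMPLE" | audit_scopes
```

Whether PLATFORM_KEY or PINNED_KEY_VERSION counts as a violation depends on local key-management policy; the script only surfaces the state so it can be reviewed.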

az storage account encryption-scope show

Show properties for specified encryption scope within storage account.

az storage account encryption-scope show --account-name
                                         --name
                                         [--resource-group]

Examples

Show properties for specified encryption scope within storage account.

az storage account encryption-scope show --name myencryption --account-name mystorageaccount -g MyResourceGroup

Required Parameters

--account-name

The storage account name.

--name -n

The name of the encryption scope within the specified storage account.

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account encryption-scope update

Update properties for specified encryption scope within storage account.

az storage account encryption-scope update --account-name
                                           --name
                                           [--key-source {Microsoft.KeyVault, Microsoft.Storage}]
                                           [--key-uri]
                                           [--resource-group]
                                           [--state {Disabled, Enabled}]

Examples

Update an encryption scope key source to Microsoft.Storage.

az storage account encryption-scope update --name myencryption -s Microsoft.Storage --account-name mystorageaccount -g MyResourceGroup

Update an encryption scope key source to Microsoft.KeyVault.

az storage account encryption-scope update --name myencryption -s Microsoft.KeyVault -u "https://vaultname.vault.azure.net/keys/keyname/1f7fa7edc99f4cdf82b5b5f32f2a50a7" --account-name mystorageaccount -g MyResourceGroup

Disable an encryption scope within storage account.

az storage account encryption-scope update --name myencryption --state Disabled --account-name mystorageaccount -g MyResourceGroup

Enable an encryption scope within storage account.

az storage account encryption-scope update --name myencryption --state Enabled --account-name mystorageaccount -g MyResourceGroup

Required Parameters

--account-name

The storage account name.

--name -n

The name of the encryption scope within the specified storage account.

Optional Parameters

--key-source -s

The provider for the encryption scope.

Accepted values: Microsoft.KeyVault, Microsoft.Storage

--key-uri -u

The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--state

Change the state of the encryption scope. When disabled, all blob read/write operations using this encryption scope will fail.

Accepted values: Disabled, Enabled

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.