az storage account encryption-scope

Manage encryption scope for a storage account.

Commands

Name | Description | Type | Status
az storage account encryption-scope create | Create an encryption scope within storage account. | Core | GA
az storage account encryption-scope list | List encryption scopes within storage account. | Core | GA
az storage account encryption-scope show | Show properties for specified encryption scope within storage account. | Core | GA
az storage account encryption-scope update | Update properties for specified encryption scope within storage account. | Core | GA

az storage account encryption-scope create

Create an encryption scope within storage account.

az storage account encryption-scope create --account-name
                                           --name
                                           [--key-source {Microsoft.KeyVault, Microsoft.Storage}]
                                           [--key-uri]
                                           [--require-infrastructure-encryption {false, true}]
                                           [--resource-group]

Examples

Create an encryption scope within storage account based on Microsoft.Storage key source.

az storage account encryption-scope create --name myencryption -s Microsoft.Storage --account-name mystorageaccount -g MyResourceGroup

Create an encryption scope within storage account based on Microsoft.KeyVault key source.

az storage account encryption-scope create --name myencryption -s Microsoft.KeyVault -u "https://vaultname.vault.azure.net/keys/keyname/1f7fa7edc99f4cdf82b5b5f32f2a50a7" --account-name mystorageaccount -g MyResourceGroup

Create an encryption scope within storage account. (autogenerated)

az storage account encryption-scope create --account-name mystorageaccount --key-source Microsoft.Storage --name myencryption --resource-group MyResourceGroup --subscription mysubscription

Required Parameters

--account-name

The storage account name.

--name -n

The name of the encryption scope within the specified storage account.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--key-source -s

The provider for the encryption scope.

Default value: Microsoft.Storage
Accepted values: Microsoft.KeyVault, Microsoft.Storage

--key-uri -u

The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope.

--require-infrastructure-encryption -i

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

Accepted values: false, true

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az storage account encryption-scope list

List encryption scopes within storage account.

az storage account encryption-scope list --account-name
                                         [--filter]
                                         [--include {All, Disabled, Enabled}]
                                         [--marker]
                                         [--maxpagesize]
                                         [--resource-group]

Examples

List encryption scopes within storage account.

az storage account encryption-scope list --account-name mystorageaccount -g MyResourceGroup

List encryption scopes starting with specific name.

az storage account encryption-scope list --account-name mystorageaccount -g myresourcegroup --filter 'startswith(name, value)'

Required Parameters

--account-name

The storage account name.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--filter

When specified, only encryption scope names starting with the filter will be listed.

--include

When specified, will list encryption scopes with the specific state.

Accepted values: All, Disabled, Enabled

--marker

A string value that identifies the portion of the list of containers to be returned with the next listing operation. The operation returns the NextMarker value within the response body if the listing operation did not return all containers remaining to be listed with the current page. If specified, this generator will begin returning results from the point where the previous generator stopped.

--maxpagesize

The maximum number of encryption scopes that will be included in the list response.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.
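
An audit built on the list command, added here as an example and not part of the Azure CLI documentation: it flags enabled scopes that use a platform-managed key, lack infrastructure encryption, or pin a key version in the key URI. The policy itself, the names `audit_scopes`, `sample_rows` and `QUERY`, the JSON field names in the query, and the `None`/`True` rendering of values in tsv output are assumptions.

```shell
#!/bin/sh
# Added example, not from the Azure CLI documentation.
# Assumed policy: every enabled scope must use a customer-managed key
# (Microsoft.KeyVault) and have infrastructure encryption turned on.

# Assumed field names of the encryption scope objects returned by `list`.
QUERY='[].[name, source, state, requireInfrastructureEncryption, keyVaultProperties.keyUri]'

# Reads TSV rows (name, source, state, infra, keyUri) on stdin and
# prints "name<TAB>finding" for each policy violation.
audit_scopes() {
  awk -F '\t' '
    # Disabled scopes are skipped: blob reads/writes through them fail anyway.
    tolower($3) != "enabled" { next }
    $2 != "Microsoft.KeyVault" {
      print $1 "\tplatform-managed key, no customer-managed key"
    }
    # Null or false both mean there is no secondary encryption layer.
    tolower($4) != "true" {
      print $1 "\tno infrastructure (secondary) encryption"
    }
    # A trailing hex segment after the key name is a pinned key version.
    $2 == "Microsoft.KeyVault" && $5 ~ "/keys/[^/]+/[0-9a-fA-F]+$" {
      print $1 "\tkey URI pins a specific key version"
    }
  '
}

# Live use (requires az login):
#   az storage account encryption-scope list --account-name mystorageaccount \
#     -g MyResourceGroup --query "$QUERY" -o tsv | audit_scopes

# Constructed sample rows in the shape the query above is assumed to produce.
sample_rows() {
  printf 'logs\tMicrosoft.Storage\tEnabled\tNone\tNone\n'
  printf 'pii\tMicrosoft.KeyVault\tEnabled\tTrue\thttps://vaultname.vault.azure.net/keys/keyname/1f7fa7edc99f4cdf82b5b5f32f2a50a7\n'
  printf 'finance\tMicrosoft.KeyVault\tEnabled\tTrue\thttps://vaultname.vault.azure.net/keys/keyname\n'
  printf 'old\tMicrosoft.Storage\tDisabled\tNone\tNone\n'
}

sample_rows | audit_scopes
```
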


az storage account encryption-scope show

Show properties for specified encryption scope within storage account.

az storage account encryption-scope show --account-name
                                         --name
                                         [--resource-group]

Examples

Show properties for specified encryption scope within storage account.

az storage account encryption-scope show --name myencryption --account-name mystorageaccount -g MyResourceGroup

Required Parameters

--account-name

The storage account name.

--name -n

The name of the encryption scope within the specified storage account.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


az storage account encryption-scope update

Update properties for specified encryption scope within storage account.

az storage account encryption-scope update --account-name
                                           --name
                                           [--key-source {Microsoft.KeyVault, Microsoft.Storage}]
                                           [--key-uri]
                                           [--resource-group]
                                           [--state {Disabled, Enabled}]

Examples

Update an encryption scope key source to Microsoft.Storage.

az storage account encryption-scope update --name myencryption -s Microsoft.Storage --account-name mystorageaccount -g MyResourceGroup

Update an encryption scope key source to Microsoft.KeyVault.

az storage account encryption-scope update --name myencryption -s Microsoft.KeyVault -u "https://vaultname.vault.azure.net/keys/keyname/1f7fa7edc99f4cdf82b5b5f32f2a50a7" --account-name mystorageaccount -g MyResourceGroup

Disable an encryption scope within storage account.

az storage account encryption-scope update --name myencryption --state Disabled --account-name mystorageaccount -g MyResourceGroup

Enable an encryption scope within storage account.

az storage account encryption-scope update --name myencryption --state Enabled --account-name mystorageaccount -g MyResourceGroup

Required Parameters

--account-name

The storage account name.

--name -n

The name of the encryption scope within the specified storage account.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--key-source -s

The provider for the encryption scope.

Accepted values: Microsoft.KeyVault, Microsoft.Storage

--key-uri -u

The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--state

Change the state of the encryption scope. When disabled, all blob read/write operations using this encryption scope will fail.

Accepted values: Disabled, Enabled
