Share via


az vmss encryption

Manage encryption of VMSS.

For more information, see: ttps://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

Commands

Name Description Type Status
az vmss encryption disable

Disable the encryption on a VMSS with managed disks.

Core GA
az vmss encryption enable

Encrypt a VMSS with managed disks.

Core GA
az vmss encryption show

Show encryption status.

Core GA

az vmss encryption disable

Disable the encryption on a VMSS with managed disks.

az vmss encryption disable [--force]
                           [--ids]
                           [--name]
                           [--resource-group]
                           [--subscription]
                           [--volume-type {ALL, DATA, OS}]

Examples

disable encryption a VMSS

az vmss encryption disable -g MyResourceGroup -n MyVm

Optional Parameters

--force

Continue by ignoring client side validation errors.

Default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

Accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az vmss encryption enable

Encrypt a VMSS with managed disks.

For more information, see: For more information, see: ttps://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss.

az vmss encryption enable --disk-encryption-keyvault
                          [--force]
                          [--ids]
                          [--key-encryption-algorithm]
                          [--key-encryption-key]
                          [--key-encryption-keyvault]
                          [--name]
                          [--resource-group]
                          [--subscription]
                          [--volume-type {ALL, DATA, OS}]

Examples

encrypt a VM scale set using a key vault in the same resource group

az vmss encryption enable -g MyResourceGroup -n MyVmss --disk-encryption-keyvault MyVault

Encrypt a VMSS with managed disks. (autogenerated)

az vmss encryption enable --disk-encryption-keyvault MyVault --name MyVmss --resource-group MyResourceGroup --volume-type DATA

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

--force

Continue by ignoring client side validation errors.

Default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--key-encryption-algorithm
Default value: RSA-OAEP
--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

Accepted values: ALL, DATA, OS
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az vmss encryption show

Show encryption status.

az vmss encryption show [--ids]
                        [--name]
                        [--resource-group]
                        [--subscription]

Examples

Show encryption status. (autogenerated)

az vmss encryption show --name MyScaleSet --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Scale set name. You can configure the default using az configure --defaults vmss=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.