Disk Encryption Sets - Create Or Update
Creates or updates a disk encryption set
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSetName}?api-version=2025-01-02URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
disk
|
path | True |
string |
The name of the disk encryption set that is being created. The name can't be changed after the disk encryption set is created. Supported characters for the name are a-z, A-Z, 0-9, _ and -. The maximum name length is 80 characters. |
|
resource
|
path | True |
string minLength: 1maxLength: 90 |
The name of the resource group. The name is case insensitive. |
|
subscription
|
path | True |
string minLength: 1 |
The ID of the target subscription. |
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| location | True |
string |
The geo-location where the resource lives |
| identity |
The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. |
||
| properties.activeKey |
The key vault key which is currently used by this disk encryption set. |
||
| properties.encryptionType |
The type of key used to encrypt the data of the disk. |
||
| properties.federatedClientId |
string |
Multi-tenant application client id to access key vault in a different tenant. Setting the value to 'None' will clear the property. |
|
| properties.rotationToLatestKeyVersionEnabled |
boolean |
Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
|
| tags |
object |
Resource tags. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
Resource 'DiskEncryptionSet' update operation succeeded |
|
| 202 Accepted |
The request has been accepted for processing, but processing has not yet completed. Headers
|
|
| Other Status Codes |
An unexpected error response. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
| create a disk encryption set with key vault from a different subscription. |
| create a disk encryption set with key vault from a different tenant. |
| create a disk encryption set. |
create a disk encryption set with key vault from a different subscription.
Sample request
PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet?api-version=2025-01-02
{
"location": "West US",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"activeKey": {
"keyUrl": "https://myvaultdifferentsub.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey"
}
}
Sample response
{
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet",
"name": "myDiskEncryptionSet",
"location": "West US",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"activeKey": {
"keyUrl": "https://myvaultdifferentsub.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"previousKeys": []
}
}{
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet",
"name": "myDiskEncryptionSet",
"location": "West US",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"activeKey": {
"keyUrl": "https://myvaultdifferentsub.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"previousKeys": []
}
}create a disk encryption set with key vault from a different tenant.
Sample request
PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet?api-version=2025-01-02
{
"location": "West US",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}": {}
}
},
"properties": {
"activeKey": {
"keyUrl": "https://myvaultdifferenttenant.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"federatedClientId": "00000000-0000-0000-0000-000000000000"
}
}
Sample response
{
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet",
"name": "myDiskEncryptionSet",
"location": "West US",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}": {}
}
},
"properties": {
"activeKey": {
"keyUrl": "https://myvaultdifferenttenant.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"federatedClientId": "00000000-0000-0000-0000-000000000000",
"previousKeys": []
}
}{
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet",
"name": "myDiskEncryptionSet",
"location": "West US",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}": {}
}
},
"properties": {
"activeKey": {
"keyUrl": "https://myvaultdifferenttenant.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"federatedClientId": "00000000-0000-0000-0000-000000000000",
"previousKeys": []
}
}create a disk encryption set.
Sample request
PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet?api-version=2025-01-02
{
"location": "West US",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"activeKey": {
"sourceVault": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myVMVault"
},
"keyUrl": "https://myvmvault.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey"
}
}
Sample response
{
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet",
"name": "myDiskEncryptionSet",
"location": "West US",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"activeKey": {
"sourceVault": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myVMVault"
},
"keyUrl": "https://myvmvault.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"previousKeys": []
}
}{
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptionSet",
"name": "myDiskEncryptionSet",
"location": "West US",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"activeKey": {
"sourceVault": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myVMVault"
},
"keyUrl": "https://myvmvault.vault-int.azure-int.net/keys/{key}"
},
"encryptionType": "EncryptionAtRestWithCustomerKey",
"previousKeys": []
}
}Definitions
| Name | Description |
|---|---|
|
Api |
Api error. |
|
Api |
Api error base. |
|
Cloud |
An error response from the Compute service. |
|
Common. |
|
|
created |
The type of identity that created the resource. |
|
Disk |
disk encryption set resource. |
|
Disk |
The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active Directory tenant; it will cause the encrypted resources to lose access to the keys. |
|
Disk |
The type of key used to encrypt the data of the disk. |
|
Encryption |
The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. |
|
Inner |
Inner error details. |
|
Key |
Key Vault Key Url to be used for server side encryption of Managed Disks and Snapshots |
|
Source |
The vault id is an Azure Resource Manager Resource id in the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName} |
|
system |
Metadata pertaining to creation and last modification of the resource. |
ApiError
Api error.
| Name | Type | Description |
|---|---|---|
| code |
string |
The error code. |
| details |
The Api error details |
|
| innererror |
The Api inner error |
|
| message |
string |
The error message. |
| target |
string |
The target of the particular error. |
ApiErrorBase
Api error base.
| Name | Type | Description |
|---|---|---|
| code |
string |
The error code. |
| message |
string |
The error message. |
| target |
string |
The target of the particular error. |
CloudError
An error response from the Compute service.
| Name | Type | Description |
|---|---|---|
| error |
Api error. |
Common.UserAssignedIdentitiesValue
| Name | Type | Description |
|---|---|---|
| clientId |
string |
The client id of user assigned identity. |
| principalId |
string |
The principal id of user assigned identity. |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key |
DiskEncryptionSet
disk encryption set resource.
| Name | Type | Description |
|---|---|---|
| id |
string |
Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} |
| identity |
The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. |
|
| location |
string |
The geo-location where the resource lives |
| name |
string |
The name of the resource |
| properties.activeKey |
The key vault key which is currently used by this disk encryption set. |
|
| properties.autoKeyRotationError |
The error that was encountered during auto-key rotation. If an error is present, then auto-key rotation will not be attempted until the error on this disk encryption set is fixed. |
|
| properties.encryptionType |
The type of key used to encrypt the data of the disk. |
|
| properties.federatedClientId |
string |
Multi-tenant application client id to access key vault in a different tenant. Setting the value to 'None' will clear the property. |
| properties.lastKeyRotationTimestamp |
string (date-time) |
The time when the active key of this disk encryption set was updated. |
| properties.previousKeys |
A readonly collection of key vault keys previously used by this disk encryption set while a key rotation is in progress. It will be empty if there is no ongoing key rotation. |
|
| properties.provisioningState |
string |
The disk encryption set provisioning state. |
| properties.rotationToLatestKeyVersionEnabled |
boolean |
Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| tags |
object |
Resource tags. |
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
DiskEncryptionSetIdentityType
The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active Directory tenant; it will cause the encrypted resources to lose access to the keys.
| Value | Description |
|---|---|
| SystemAssigned | |
| UserAssigned | |
| SystemAssigned, UserAssigned | |
| None |
DiskEncryptionSetType
The type of key used to encrypt the data of the disk.
| Value | Description |
|---|---|
| EncryptionAtRestWithCustomerKey |
Resource using diskEncryptionSet would be encrypted at rest with Customer managed key that can be changed and revoked by a customer. |
| EncryptionAtRestWithPlatformAndCustomerKeys |
Resource using diskEncryptionSet would be encrypted at rest with two layers of encryption. One of the keys is Customer managed and the other key is Platform managed. |
| ConfidentialVmEncryptedWithCustomerKey |
Confidential VM supported disk and VM guest state would be encrypted with customer managed key. |
EncryptionSetIdentity
The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks.
| Name | Type | Description |
|---|---|---|
| principalId |
string |
The object id of the Managed Identity Resource. This will be sent to the RP from ARM via the x-ms-identity-principal-id header in the PUT request if the resource has a systemAssigned(implicit) identity |
| tenantId |
string |
The tenant id of the Managed Identity Resource. This will be sent to the RP from ARM via the x-ms-client-tenant-id header in the PUT request if the resource has a systemAssigned(implicit) identity |
| type |
The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active Directory tenant; it will cause the encrypted resources to lose access to the keys. |
|
| userAssignedIdentities |
<string,
Common. |
The list of user identities associated with the disk encryption set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
InnerError
Inner error details.
| Name | Type | Description |
|---|---|---|
| errordetail |
string |
The internal error message or exception dump. |
| exceptiontype |
string |
The exception type. |
KeyForDiskEncryptionSet
Key Vault Key Url to be used for server side encryption of Managed Disks and Snapshots
| Name | Type | Description |
|---|---|---|
| keyUrl |
string |
Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of rotationToLatestKeyVersionEnabled value. |
| sourceVault |
Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if the KeyVault subscription is not the same as the Disk Encryption Set subscription. |
SourceVault
The vault id is an Azure Resource Manager Resource id in the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}
| Name | Type | Description |
|---|---|---|
| id |
string |
Resource Id |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string (date-time) |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string (date-time) |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |