az vm encryption

Manage encryption of VM disks.

For more information, see: https://docs.microsoft.com/azure/security/azure-security-disk-encryption-overview.

Commands

az vm encryption disable

Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.

az vm encryption enable

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.

az vm encryption show

Show encryption status.

az vm encryption disable

Disable disk encryption on the OS disk and/or data disks. Decrypt mounted disks.

For Linux VMs, disabling encryption is only permitted on data volumes. For Windows VMs, disabling encryption is permitted on both OS and data volumes.

az vm encryption disable [--force]
                         [--ids]
                         [--name]
                         [--resource-group]
                         [--subscription]
                         [--volume-type {ALL, DATA, OS}]

Examples

Disable disk encryption on the OS disk and/or data disks. (autogenerated)

az vm encryption disable --name MyVirtualMachine --resource-group MyResourceGroup --volume-type DATA

Optional Parameters

--force

Continue by ignoring client side validation errors.

--ids

One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments would otherwise supply. Provide either --ids or the other 'Resource Id' arguments, not both.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS

az vm encryption enable

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks.

Note that Azure Active Directory / service principal arguments are unnecessary for vm encryption. The older version of Azure Disk Encryption required AAD arguments. For more information, see: https://docs.microsoft.com/azure/security/azure-security-disk-encryption-overview.

az vm encryption enable --disk-encryption-keyvault
                        [--aad-client-cert-thumbprint]
                        [--aad-client-id]
                        [--aad-client-secret]
                        [--encrypt-format-all]
                        [--force]
                        [--ids]
                        [--key-encryption-algorithm]
                        [--key-encryption-key]
                        [--key-encryption-keyvault]
                        [--name]
                        [--resource-group]
                        [--subscription]
                        [--volume-type {ALL, DATA, OS}]

Examples

Encrypt a VM using a key vault in the same resource group

az vm encryption enable -g MyResourceGroup -n MyVm --disk-encryption-keyvault MyVault

Enable disk encryption on the OS disk and/or data disks. Encrypt mounted disks. (autogenerated)

az vm encryption enable --disk-encryption-keyvault MyVault --name MyVm --resource-group MyResourceGroup --volume-type DATA

Required Parameters

--disk-encryption-keyvault

Name or ID of the key vault where the generated encryption key will be placed.

Optional Parameters

--aad-client-cert-thumbprint

Thumbprint of the AAD app certificate with permissions to write secrets to the key vault.

--aad-client-id

Client ID of an AAD app with permissions to write secrets to the key vault.

--aad-client-secret

Client secret of the AAD app with permissions to write secrets to the key vault.

--encrypt-format-all

Encrypt-formats data disks instead of encrypting them in place. Encrypt-formatting is much faster than in-place encryption, but it wipes the partition being encrypt-formatted.

--force

Continue by ignoring client side validation errors.

--ids

One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments would otherwise supply. Provide either --ids or the other 'Resource Id' arguments, not both.

--key-encryption-algorithm

default value: RSA-OAEP

--key-encryption-key

Key vault key name or URL used to encrypt the disk encryption key.

--key-encryption-keyvault

Name or ID of the key vault containing the key encryption key used to encrypt the disk encryption key. If missing, CLI will use --disk-encryption-keyvault.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--volume-type

Type of volume that the encryption operation is performed on.

accepted values: ALL, DATA, OS

az vm encryption show

Show encryption status.

az vm encryption show [--ids]
                      [--name]
                      [--query-examples]
                      [--resource-group]
                      [--subscription]

Examples

Show encryption status. (autogenerated)

az vm encryption show --name MyVirtualMachine --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments would otherwise supply. Provide either --ids or the other 'Resource Id' arguments, not both.

--name -n

The name of the Virtual Machine. You can configure the default using az configure --defaults vm=<name>.

--query-examples

Recommends a JMESPath string for you. You can copy one of the suggested queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
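The enable and show commands above are usually combined into one workflow: enable Azure Disk Encryption with a key encryption key (KEK) held in a second key vault, then verify that every disk actually reports the encrypted state before the VM is treated as compliant. The script below is an added example, not part of the Azure CLI reference. All resource names (MyResourceGroup, MyVm, MyVault, MyKekVault, MyKek) are hypothetical, and the JSON in the sample variables is constructed to resemble `az vm encryption show -o json` output rather than captured from a real VM; the real field layout may differ between Azure Disk Encryption versions, so confirm it against live output before relying on the check.

```shell
#!/bin/sh
# Added example, not part of the Azure CLI reference: wrappers around
# `az vm encryption enable` and `az vm encryption show` that enable disk
# encryption with a KEK from a separate key vault and then verify that every
# disk reports the encrypted state.
#
# Assumptions (hypothetical): the resource names in the usage block at the
# bottom, and the JSON shape of the constructed samples, which is modelled on
# `az vm encryption show -o json` output and may differ between ADE versions.

# all_disks_encrypted: read `az vm encryption show -o json` output from stdin.
# Succeed (exit 0) only if at least one EncryptionState code is present and
# every one of them is "encrypted"; fail on any other state, for example
# "notEncrypted" on a data disk attached after encryption was enabled.
all_disks_encrypted() {
    codes=$(grep -o '"code": *"EncryptionState/[A-Za-z]*"' \
            | sed 's/.*EncryptionState\///; s/"//g')
    [ -n "$codes" ] || return 1
    for c in $codes; do
        [ "$c" = "encrypted" ] || return 1
    done
    return 0
}

# enable_with_kek RG VM DEK_VAULT KEK_VAULT KEK_NAME [VOLUME_TYPE]
# Wraps the generated disk encryption key with a KEK from a second vault.
# --force and --encrypt-format-all are deliberately not passed: the former
# skips client side validation and the latter wipes the partitions it formats.
enable_with_kek() {
    rg=$1; vm=$2; dek_vault=$3; kek_vault=$4; kek=$5; vol=${6:-ALL}
    az vm encryption enable \
        --resource-group "$rg" --name "$vm" \
        --disk-encryption-keyvault "$dek_vault" \
        --key-encryption-keyvault "$kek_vault" \
        --key-encryption-key "$kek" \
        --volume-type "$vol"
}

# check_vm RG VM: query the live status and run the check above on it.
check_vm() {
    az vm encryption show --resource-group "$1" --name "$2" -o json \
        | all_disks_encrypted
}

# Constructed sample outputs (not captured from a real VM) so the check can
# be exercised offline.
SAMPLE_ALL_ENCRYPTED='{ "disks": [
  { "name": "myvm_OsDisk", "statuses": [ { "code": "EncryptionState/encrypted" } ] },
  { "name": "myvm_data0",  "statuses": [ { "code": "EncryptionState/encrypted" } ] } ] }'
SAMPLE_DATA_DISK_UNENCRYPTED='{ "disks": [
  { "name": "myvm_OsDisk", "statuses": [ { "code": "EncryptionState/encrypted" } ] },
  { "name": "myvm_data1",  "statuses": [ { "code": "EncryptionState/notEncrypted" } ] } ] }'
SAMPLE_NO_STATUS='{ "disks": [] }'

# Usage (hypothetical names; the az calls need an authenticated CLI session):
#   enable_with_kek MyResourceGroup MyVm MyVault MyKekVault MyKek DATA
#   check_vm MyResourceGroup MyVm && echo "all disks encrypted"
```

The check treats an empty status list as a failure on purpose: a VM with no EncryptionState entries at all is not evidence of encryption, and a data disk attached after `az vm encryption enable` ran will show up as notEncrypted until the command is run again for it.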