Azure/custom-script-extension-linux

Ability to secure base64-encoded Script

vdcloud opened this issue · 0 comments

Since I am facing an issue with the fileUri approach for my VMSS custom script extension, I am exploring the alternative of using a base64-encoded script, i.e. {"script":""} in protected settings. I understand the transfer of the script to scale set VMs is encrypted in transit, which is great. However, one can still get to the plain-text form at /var/lib/waagent/custom-script/download/#/script.sh. This makes it a no-go to use the base64-encoded script approach for anything that contains secrets.

  1. It would really be useful if the script could be kept encrypted on disk as well, particularly since it may contain secrets.
  2. If this is not feasible, I think a flag in the settings to delete the custom script automatically after execution would be useful.
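The following is an added example, not code from the issue above or from the custom-script-extension-linux project. It shows the protectedSettings document the post refers to being built from a script, and what the poster's second request (delete the script after execution) looks like when done from inside the script itself: a wrapper that installs an EXIT trap to remove its own plain-text copy. It assumes the handler runs the decoded script from its on-disk path (so `"$0"` inside the script resolves to that file) and that `base64`, `awk` and `mktemp` are available; the secret and script contents are constructed sample data, and the scratch directory stands in for the download directory on the VM.

```shell
#!/bin/sh
# Added example (not code from the issue above or from the custom-script-extension-linux
# project). Assumptions: the handler executes the decoded script from its on-disk path, so
# "$0" inside the script is that file; base64, awk and mktemp are available. The secret and
# script contents below are constructed sample data.

# Prepend a trap that removes the script's own plain-text copy on exit (success, failure or
# signal). Reads the user's script from $1 and writes the wrapped script to stdout; the
# user's own shebang line, if any, is dropped because the wrapper supplies one.
wrap_self_deleting() {
  cat <<'EOF'
#!/bin/sh
# Remove this plain-text copy the moment the script exits, whether or not it succeeded.
trap 'rm -f -- "$0"' EXIT INT TERM
EOF
  awk 'NR == 1 && /^#!/ { next } { print }' "$1"
}

# Produce the protectedSettings document the extension consumes: {"script":"<base64>"}.
# The script is read from $1; line breaks are stripped from the base64 output because the
# value must be a single JSON string.
build_protected_settings() {
  printf '{"script":"%s"}\n' "$(base64 "$1" | tr -d '\n')"
}

# Extract and decode the "script" field of a protectedSettings document ($1) to stdout.
decode_protected_script() {
  printf '%s' "$1" | sed 's/.*"script":"\([^"]*\)".*/\1/' | base64 -d
}

# Stand-in for what the handler does on the VM: decode the script into a scratch directory
# (playing the role of /var/lib/waagent/custom-script/download/<n>/), execute it, and report
# whether the plain text survived. Prints "deleted" or "left-on-disk".
simulate_run() {
  dir=$(mktemp -d)
  decode_protected_script "$1" > "$dir/script.sh"
  chmod 700 "$dir/script.sh"
  sh "$dir/script.sh" >/dev/null 2>&1
  if [ -e "$dir/script.sh" ]; then echo left-on-disk; else echo deleted; fi
  rm -rf "$dir"
}

# End-to-end demo on a constructed script that embeds a (fake) secret, run both as-is and
# through the self-deleting wrapper. Prints one line per variant.
demo() {
  src=$(mktemp)
  cat > "$src" <<'EOF'
#!/bin/sh
DB_PASSWORD='example-not-a-real-secret'
printf 'configuring with a %d-character secret\n' "${#DB_PASSWORD}"
EOF
  wrapped=$(mktemp)
  wrap_self_deleting "$src" > "$wrapped"
  echo "plain script:         $(simulate_run "$(build_protected_settings "$src")")"
  echo "self-deleting script: $(simulate_run "$(build_protected_settings "$wrapped")")"
  rm -f "$src" "$wrapped"
}

demo
```

The trap only covers the copy the script can see; it does nothing for the poster's first request (encryption at rest), and the secret is still readable by root on the VM for as long as the script runs. The stronger design is for the script to carry no secrets at all and fetch them at run time, for example from Key Vault using the VM's managed identity, so that nothing sensitive is ever written to the download directory in the first place.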