Article number: 000004156

How To Enable S3 Encryption For ZASA And ZSAT Instances In AWS

Summary

Starting in Zerto 7.0 Update 1, AWS S3 encryption is supported for ZASA and ZSAT instances but is disabled by default. Enabling encryption for ZASA and ZSAT instances requires a change to a Zerto configuration file on each AWS ZCA instance. 

Note: The peer site version can be lower than 7.0U1; this does not prevent AWS S3 encryption from working correctly.

Note: This change is applied at the site level, and applies to all VPGs. It cannot be applied per VPG.

Encrypting replicated data at rest in the S3 bucket used by Zerto is a separate topic and is reviewed in KB 1568 - ZVR for AWS S3 Encryption.

Solution

1. Stop the ZVM and VRA services on the ZCA.
2. Add the tweaks to the ZCA tweaks.txt file as described in “How to edit the ZVM custom settings file: tweaks.txt” (KB 1436):
  • t_VraAwsEnableServerSideEncryption = 1
  • t_zvmAwsEnableServerSideEncryption = "true"
3. Zerto configures the S3 bucket automatically once the tweaks are in place. If the bucket must be configured manually after the tweaks are set, follow the sub-steps below; otherwise skip to step 4. Applying these sub-steps without the tweaks is not supported: encrypting the bucket outside of Zerto causes I/O failures to the S3 bucket because Zerto is unaware of the bucket's encrypted status.
  • Go to the S3 bucket created by the ZCA. The bucket name can be found by logging into the ZCA GUI, opening Site Settings -> Site Information, and reading the value of "Bucket Name".
  • Open the Properties of the S3 bucket and select the Default encryption tile.
  • Choose AES-256 encryption in the window that opens.

4. Terminate the ZASA instance from the EC2 dashboard and verify that it is terminated.

5. Terminate the ZSAT instances from the EC2 dashboard and verify that all of them are terminated.

6. Start the ZVM and VRA services on the ZCA.
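As an added verification check (not part of this KB or of Zerto's own tooling), the following Python reads the two tweaks from a copy of tweaks.txt and the JSON that `aws s3api get-bucket-encryption` prints for the ZCA bucket, and reports the states the article describes: tweaks missing while the bucket is already encrypted (unsupported), tweaks set but not yet applied, or a default algorithm other than AES-256. The one-key-per-line `key = value` format of tweaks.txt is assumed from the listing above, and the sample inputs at the bottom are constructed.

```python
import json
import re

# Tweak keys and the values this KB lists for them.
REQUIRED_TWEAKS = {
    "t_VraAwsEnableServerSideEncryption": "1",
    "t_zvmAwsEnableServerSideEncryption": '"true"',
}

def parse_tweaks(text):
    """Parse 'key = value' lines (assumed tweaks.txt format); skips blanks and '#' comments."""
    tweaks = {}
    for line in text.splitlines():
        line = line.strip()
        match = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if line and not line.startswith("#") and match:
            tweaks[match.group(1)] = match.group(2).strip()
    return tweaks

def missing_tweaks(text):
    """Required tweaks that are absent or carry a different value."""
    found = parse_tweaks(text)
    return sorted(k for k, v in REQUIRED_TWEAKS.items() if found.get(k) != v)

def bucket_default_algorithm(response_json):
    """Default SSE algorithm from a GetBucketEncryption JSON response, or None if no rule."""
    conf = json.loads(response_json).get("ServerSideEncryptionConfiguration", {})
    for rule in conf.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if default.get("SSEAlgorithm"):
            return default["SSEAlgorithm"]
    return None

def findings(tweaks_text, response_json):
    """Mismatches to resolve before the ZVM and VRA services are restarted."""
    missing = missing_tweaks(tweaks_text)
    algo = bucket_default_algorithm(response_json)
    out = [f"tweak missing or not set as required: {k}" for k in missing]
    if missing and algo:
        out.append("bucket default encryption is on without the tweaks: "
                   "unsupported, Zerto is unaware of it and I/O will fail")
    elif not missing and algo is None:
        out.append("tweaks set, bucket not yet encrypted: Zerto applies it on start")
    elif not missing and algo != "AES256":
        out.append(f"bucket default algorithm is {algo}, KB expects AES-256")
    return out

# Constructed sample inputs (not taken from a real ZCA or bucket).
GOOD_TWEAKS = 't_VraAwsEnableServerSideEncryption = 1\nt_zvmAwsEnableServerSideEncryption = "true"\n'
AES256_RESPONSE = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
```

Run `findings(open("tweaks.txt").read(), subprocess_output)` with the real file and CLI output; an empty list means both halves of the configuration agree.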