How To Enable S3 Encryption For ZASA And ZSAT Instances In AWS
Viewed 438 times
Note: The peer site version can be lower than 7.0U1 and would not prevent the AWS S3 encryption from running correctly.
Note: This change is applied at the site level, and applies to all VPGs. It cannot be applied per VPG.
Encrypting replicated data at rest in the S3 bucket used by Zerto is a separate topic and is reviewed in ZVR for AWS S3 Encryption.
Starting at 8.5, the default ZCA settings allows for encryption by default.
1. Stop the ZVM and VRA services on the ZCA.
2. Apply relevant ZCA tweaks
3. Zerto automates the configuration of the S3 bucket once the tweaks are used. However, if there is a need to manually configure the S3 bucket after tweaks are configured you can follow the below. Do note, following the below without the tweaks is not supported as encrypting the bucket outside of Zerto will result in IO failures to the S3 bucket as Zerto is unaware of the encrypted status of the S3 bucket. (Skip to Step 4 otherwise)
- Go to the S3 bucket created by the ZCA. The bucket name can be found by logging into the ZCA GUI, opening Site Settings -> Site Information, and then looking at the value of "Bucket Name":
- Go to the Properties of the S3 bucket and select the Default encryption tile as seen below
- Choose AES-256 encryption in the next window as seen below
4. Terminate ZASA instance from EC2 dashboard and verify it is terminated.
5. Terminate ZSAT instances from EC2 dashboard and verify all instances are terminated.
6. Start the ZVM and VRA services on the ZCA.