Zerto 7.0 AWS EBS Encryption

KB Number:
000001590

Symptoms:
Starting in Zerto 7.0, AWS EBS encryption is on by default. To disable this encryption for VMs recovered to AWS on EBS, a tweak must be applied to the recovery AWS ZCA.

Note:

  1. The default encryption is applied only when the volumes are initially created in AWS on Fail Over Test, Fail Over Live, Move, or Offsite Clone, as this is when AWS requires that encryption for a volume be specified. AWS does not allow an already existing EBS volume to be encrypted.
  2. Import Method:
    • zImport all volumes: OS + additional volumes are encrypted
    • zImport data volumes: Additional volumes are encrypted
    • AWS Import: No volumes encrypted
  3. EBS volumes must be GP2 or IO1
  4. The AWS region must support EBS encryption
  5. AWS Key Management Service (KMS) is used for the encryption keys
  6. Encryption at rest for replication requires a separate S3 encryption tweak
    1. The tweaks for supporting encryption at rest do not apply to the ZImporter/ZASA/ZSAT. Forcing encryption on all objects uploaded to S3 (e.g., through S3 encryption policies) will result in a failure to recover to AWS.
  7. Tweak is site level, not applicable on a per VPG basis
  8. ONLY supported when recovering to AWS

Prerequisites:
  1. Both ZVM and ZCA installed with ZVR 7.0 or higher
  2. ZVM and ZCA paired

Solution:

To disable, before performing any fail over operations into AWS, follow the “How to edit the ZVM custom settings file: tweaks.txt” (KB 1436) and apply the following tweak on the AWS recovery ZCA:
t_awsEncryptedVolume = "false"

 
To re-enable the EBS encryption feature either remove the tweak or set the tweak to:
t_awsEncryptedVolume = "true"
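
After a recovery operation, the encryption state of the recovered volumes can be checked against the behaviour described in the notes above. The following is an added example, not Zerto code: it compares parsed `aws ec2 describe-volumes` output with the encryption expected for each import method. The method labels, function name and sample volume data are assumptions constructed for illustration.

```python
import json

# Which volumes the KB says are encrypted, per import method.
# The method labels are names made up for this example.
EXPECTED = {
    "zimport_all":  lambda is_root: True,          # OS + additional volumes
    "zimport_data": lambda is_root: not is_root,   # additional volumes only
    "aws_import":   lambda is_root: False,         # no volumes
}
SUPPORTED_TYPES = {"gp2", "io1"}  # volume types the KB lists for encryption

def audit_volumes(volumes_doc, root_devices, import_method, encryption_enabled=True):
    """Compare `aws ec2 describe-volumes` output with the state the KB describes.

    root_devices maps instance id -> RootDeviceName (from describe-instances).
    encryption_enabled=False models t_awsEncryptedVolume = "false" on the ZCA.
    Returns a sorted list of (volume_id, problem) tuples.
    """
    expect = EXPECTED[import_method]
    findings = []
    for vol in volumes_doc["Volumes"]:
        for att in vol.get("Attachments", []):
            is_root = root_devices.get(att["InstanceId"]) == att["Device"]
            should = encryption_enabled and expect(is_root)
            if vol["Encrypted"] != should:
                findings.append((vol["VolumeId"],
                                 f"encrypted={vol['Encrypted']}, expected {should}"))
            if should and vol["VolumeType"] not in SUPPORTED_TYPES:
                findings.append((vol["VolumeId"],
                                 f"type {vol['VolumeType']} not gp2/io1"))
    return sorted(findings)

# Constructed sample: one recovered instance with a root and a data volume.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0root", "Encrypted": false, "VolumeType": "gp2",
   "Attachments": [{"InstanceId": "i-0example", "Device": "/dev/sda1"}]},
  {"VolumeId": "vol-0data", "Encrypted": true, "VolumeType": "gp2",
   "Attachments": [{"InstanceId": "i-0example", "Device": "/dev/sdf"}]}
]}
""")
ROOTS = {"i-0example": "/dev/sda1"}

if __name__ == "__main__":
    for method in EXPECTED:
        print(method, audit_volumes(SAMPLE, ROOTS, method))
```
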
 


Affected Versions:
7.0 and higher

Hypervisor:
AWS
