Article number
Affected Versions
Source Hypervisor
Target Hypervisor

How to Disable AWS EBS Encryption on Zerto 7.0+

Viewed 552 times


Starting in Zerto 7.0, AWS EBS encryption is now on by default. If a user would like to disable this encryption for their VMs recovered specifically to AWS running on EBS they will need to apply a tweak to the recovery AWS ZCA to disable the encryption. 

  1. The default encryption only occurs when the volumes are initially created in AWS on Fail Over Test, Fail Over Live, Move, or Offsite Clone as this is when AWS requires encryption for a volume be specified. AWS does not allow an already existing EBS volume to be encrypted.
  2. Import Method:
    • zImport all volumes: OS + additional volumes are encrypted
    • zImport data volumes: Additional volumes are encrypted
    • AWS Import: No volumes encrypted
  3. EBS volumes must be GP2 or IO1
  4. The AWS region must support EBS encryption
  5. AWS Key Management Service (KMS) is used for the encryption keys
  6. Encryption at rest for replication requires a separate S3 encryption tweak
    1. The tweaks for supporting encryption at rest do not apply to the ZImporter/ZASA/ZSAT.  Forcing encryption on all objects uploading to S3 (Ex: through S3 encryption policies) will result in a failure to recover to AWS
  7. Tweak is site level, not applicable on a per VPG basis
  8. ONLY supported when recovering to AWS
  1. Both ZVM and ZCA installed with ZVR 7.0 or higher
  2. ZVM and ZCA paired


To apply the tweak, kindly contact Zerto Support.