Article number
Affected Versions
Source Hypervisor
Target Hypervisor

How to Enable AWS EBS Encryption for ZVR 6.5

Viewed 364 times


A user would like to enable encryption for their VM's recovered specifically to AWS running on EBS. As of ZVR 6.5 EBS encryption is supported, but requires a tweak to be set on the ZCA.

  1. The encryption only occurs when the volumes are initially created in AWS on Fail Over Test, Fail Over Live, Move, or Offsite Clone as this is when AWS requires encryption for a volume be specified. AWS does not allow an already existing EBS volume to be encrypted.
  2. Import Method:
    • zImport all volumes: OS + additional volumes are encrypted
    • zImport data volumes: Additional volumes are encrypted
    • AWS Import: No volumes encrypted
  3. EBS volumes must be GP2 or IO1
  4. The AWS region must support EBS encryption
  5. AWS Key Management Service (KMS) is used for the encryption keys
  6. Encryption at rest for replication requires a separate S3 encryption tweak
    1. The tweaks for supporting encryption at rest do not apply to the ZImporter/ZASA/ZSAT.  Forcing encryption on all objects uploading to S3 (Ex: through S3 encryption policies) will result in a failure to recover to AWS
  7. Tweak is site level, not applicable on a per VPG basis
  8. ONLY supported when recovering to AWS
  1. Both ZVM and ZCA installed with ZVR 6.5 or higher
  2. ZVM and ZCA paired


To implement the tweaks, kindly contact Zerto Support.

Upgrading to 7.0 or higher will automatically enable EBS encryption by default as well.