Article number
000004227
Affected Versions
All
Source Hypervisor
AWS
Target Hypervisor
AWS

ZVR for AWS S3 Encryption

Viewed 283 times

Summary

Requirements:
  1. The AWS region must support S3 encryption, specifically KMS.
  2. AWS Key Management Service (KMS) is used for the encryption keys.
  3. Using the steps below, S3 encryption is only supported when data is at rest in the S3 bucket the ZCA is using.
  4. Encryption for EBS Volumes requires a separate change. Follow the instructions in "ZVR 6.5 AWS EBS Encryption" (KB 1553).
  5. S3 encryption for ZVR is set at the site level, and cannot be set on a per VPG basis.
  6. If a VPG was created before this change was applied then the objects stored in S3 for this VPG is not encrypted. It must be deleted and recreated in order for these S3 objects to be encrypted.
  7. This can only be used on a ZCA running on AWS. It cannot be used on any other site or platform other than AWS.

Steps

Follow the "How to edit the ZVM custom settings file: tweaks.txt" (KB 1436) and apply the following tweaks on the AWS recovery ZCA:
t_VraAwsEnableServerSideEncryption=1
t_zvmAwsEnableServerSideEncryption="true"

This will enable S3 encryption for any new objects created in the ZCA S3 bucket.

Remove the tweaks following the steps in the KB above to disable this setting.