Release notes
SMB encryption overview
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
SMB encryption for data transfers over SMB is a security enhancement that you can enable or disable on SMB servers. You can also configure the desired SMB encryption setting on a share-by-share basis through a share property setting.
By default, when you create an SMB server on the storage virtual machine (SVM), SMB encryption is disabled. You must enable it to take advantage of the enhanced security provided by SMB encryption.
To create an encrypted SMB session, the SMB client must support SMB encryption. Windows clients beginning with Windows Server 2012 and Windows 8 support SMB encryption.
SMB encryption on the SVM is controlled through two settings:
-
An SMB server security option that enables the functionality on the SVM
-
An SMB share property that configures the SMB encryption setting on a share-by-share basis
You can decide whether to require encryption for access to all data on the SVM or to require SMB encryption to access data only in selected shares. SVM-level settings supersede share-level settings.
The effective SMB encryption configuration depends on the combination of the two settings and is described in the following table:
| SMB server SMB encryption enabled | Share encrypt data setting enabled | Server-side encryption behavior |
|---|---|---|
True |
False |
Server-level encryption is enabled for all of the shares in the SVM. With this configuration, encryption happens for the entire SMB session. |
True |
True |
Server-level encryption is enabled for all of the shares in the SVM irrespective of share-level encryption. With this configuration, encryption happens for the entire SMB session. |
False |
True |
Share-level encryption is enabled for the specific shares. With this configuration, encryption happens from the tree connect. |
False |
False |
No encryption is enabled. |
SMB clients that do not support encryption cannot connect to an SMB server or share that requires encryption.
Changes to the encryption settings take effect for new connections. Existing connections are unaffected.