SMB encryption overview

02/20/2024 Contributors

SMB encryption for data transfers over SMB is a security enhancement that you can enable or disable on SMB servers. You can also configure the desired SMB encryption setting on a share-by-share basis through a share property setting.

By default, when you create an SMB server on the storage virtual machine (SVM), SMB encryption is disabled. You must enable it to take advantage of the enhanced security provided by SMB encryption.

To create an encrypted SMB session, the SMB client must support SMB encryption. Windows clients beginning with Windows Server 2012 and Windows 8 support SMB encryption.

SMB encryption on the SVM is controlled through two settings:

An SMB server security option that enables the functionality on the SVM
An SMB share property that configures the SMB encryption setting on a share-by-share basis

You can decide whether to require encryption for access to all data on the SVM or to require SMB encryption to access data only in selected shares. SVM-level settings supersede share-level settings.

The effective SMB encryption configuration depends on the combination of the two settings and is described in the following table:

SMB server SMB encryption enabled	Share encrypt data setting enabled	Server-side encryption behavior
True	False	Server-level encryption is enabled for all of the shares in the SVM. With this configuration, encryption happens for the entire SMB session.
True	True	Server-level encryption is enabled for all of the shares in the SVM irrespective of share-level encryption. With this configuration, encryption happens for the entire SMB session.
False	True	Share-level encryption is enabled for the specific shares. With this configuration, encryption happens from the tree connect.
False	False	No encryption is enabled.

SMB server SMB encryption enabled

Share encrypt data setting enabled

Server-side encryption behavior

True

False

Server-level encryption is enabled for all of the shares in the SVM. With this configuration, encryption happens for the entire SMB session.

True

Server-level encryption is enabled for all of the shares in the SVM irrespective of share-level encryption. With this configuration, encryption happens for the entire SMB session.

False

True

Share-level encryption is enabled for the specific shares. With this configuration, encryption happens from the tree connect.

False

No encryption is enabled.

SMB clients that do not support encryption cannot connect to an SMB server or share that requires encryption.

Changes to the encryption settings take effect for new connections. Existing connections are unaffected.

SMB encryption overview

Creating your file...