Configure required SMB encryption on SMB servers for data transfers over SMB overview

Contributors

SMB encryption for data transfers over SMB is a security enhancement that you can enable or disable on SMB servers. You can also configure the desired SMB encryption setting on a share-by-share basis through a share property setting.

By default, when you create a SMB server on the storage virtual machine (SVM), SMB encryption is disabled. You must enable it to take advantage of the enhanced security provided by SMB encryption.

To create an encrypted SMB session, the SMB client must support SMB encryption. Windows clients starting with Windows Server 2012 and Windows 8 support SMB encryption.

SMB encryption on the SVM is controlled through two settings:

  • A SMB server security option that enables the functionality on the SVM

  • A SMB share property that configures the SMB encryption setting on a share-by-share basis

You can decide whether to require encryption for access to all data on the SVM or to require SMB encryption to access data only in selected shares. SVM-level settings supersede share-level settings.

The effective SMB encryption configuration depends on the combination of the two settings and is described in the following table:

SMB server SMB encryption enabled Share encrypt data setting enabled Server-side encryption behavior

True

False

Server-level encryption is enabled for all of the shares in the SVM. With this configuration, encryption happens for the entire SMB session.

True

True

Server-level encryption is enabled for all of the shares in the SVM irrespective of share-level encryption. With this configuration, encryption happens for the entire SMB session.

False

True

Share-level encryption is enabled for the specific shares. With this configuration, encryption happens from the tree connect.

False

False

No encryption is enabled.

SMB clients that do not support encryption cannot connect to a SMB server or share that requires encryption.