Skip to main content

Enable or disable AES encryption for Kerberos-based communication

Contributors netapp-forry netapp-ahibbard

To take advantage of the strongest security with Kerberos-based communication, you should use AES-256 and AES-128 encryption on the SMB server. Beginning with ONTAP 9.13.1, AES encryption is enabled by default. If you do not want the SMB server to select the AES encryption types for Kerberos-based communication with the Active Directory (AD) KDC, you can disable AES encryption.

Whether AES encryption is enabled by default and whether you have the option to specify encryption types depends on your ONTAP version.

ONTAP version AES encryption is enabled …​ You can specify encryption types?

9.13.1 and later

By default

Yes

9.12.1

Manually

Yes

9.11.1 and earlier

Manually

No

Beginning with ONTAP 9.12.1, AES encryption is enabled and disabled using the -advertised-enc-types option, which allows you to specify the encryption types advertised to the AD KDC. The default setting is rc4 and des, but when an AES type is specified, AES encryption is enabled. You can also use the option to explicitly disable the weaker RC4 and DES encryption types. In ONTAP 9.11.1 and earlier, you must use the -is-aes-encryption-enabled option to enable and disable AES encryption, and encryption types cannot be specified.

To enhance security, the storage virtual machine (SVM) changes its machine account password in the AD each time the AES security option is modified. Changing the password might require administrative AD credentials for the organizational unit (OU) that contains the machine account.

If an SVM is configured as a disaster recovery destination where the identity is not preserved (the -identity-preserve option is set to false in the SnapMirror configuration), the non-default SMB server security settings are not replicated to the destination. If you have enabled AES encryption on the source SVM, you must manually enable it.

Example 1. Steps
ONTAP 9.12.1 and later
  1. Perform one of the following actions:

    If you want the AES encryption types for Kerberos communication to be…​ Enter the command…​

    Enabled

    vserver cifs security modify -vserver vserver_name -advertised-enc-types aes-128,aes-256

    Disabled

    vserver cifs security modify -vserver vserver_name -advertised-enc-types des,rc4

    Note: The -is-aes-encryption-enabled option is deprecated in ONTAP 9.12.1 and might be removed in a later release.

  2. Verify that AES encryption is enabled or disabled as desired: vserver cifs security show -vserver vserver_name -fields advertised-enc-types

Examples

The following example enables the AES encryption types for the SMB server on SVM vs1:

cluster1::> vserver cifs security modify -vserver vs1 -advertised-enc-types aes-128,aes-256

cluster1::> vserver cifs security show -vserver vs1 -fields advertised-enc-types

vserver  advertised-enc-types
-------- --------------------
vs1      aes-128,aes-256

The following example enables the AES encryption types for the SMB server on SVM vs2. The administrator is prompted to enter the administrative AD credentials for the OU containing the SMB server.

cluster1::> vserver cifs security modify -vserver vs2 -advertised-enc-types aes-128,aes-256

Info: In order to enable SMB AES encryption, the password for the SMB server
machine account must be reset. Enter the username and password for the
SMB domain "EXAMPLE.COM".

Enter your user ID: administrator

Enter your password:

cluster1::> vserver cifs security show -vserver vs2 -fields advertised-enc-types

vserver  advertised-enc-types
-------- --------------------
vs2      aes-128,aes-256
ONTAP 9.11.1 and earlier
  1. Perform one of the following actions:

    If you want the AES encryption types for Kerberos communication to be…​ Enter the command…​

    Enabled

    vserver cifs security modify -vserver vserver_name -is-aes-encryption-enabled true

    Disabled

    vserver cifs security modify -vserver vserver_name -is-aes-encryption-enabled false

  2. Verify that AES encryption is enabled or disabled as desired: vserver cifs security show -vserver vserver_name -fields is-aes-encryption-enabled

    The is-aes-encryption-enabled field displays true if AES encryption is enabled and false if it is disabled.

Examples

The following example enables the AES encryption types for the SMB server on SVM vs1:

cluster1::> vserver cifs security modify -vserver vs1 -is-aes-encryption-enabled true

cluster1::> vserver cifs security show -vserver vs1 -fields is-aes-encryption-enabled

vserver  is-aes-encryption-enabled
-------- -------------------------
vs1      true

The following example enables the AES encryption types for the SMB server on SVM vs2. The administrator is prompted to enter the administrative AD credentials for the OU containing the SMB server.

cluster1::> vserver cifs security modify -vserver vs2 -is-aes-encryption-enabled true

Info: In order to enable SMB AES encryption, the password for the CIFS server
machine account must be reset. Enter the username and password for the
SMB domain "EXAMPLE.COM".

Enter your user ID: administrator

Enter your password:

cluster1::> vserver cifs security show -vserver vs2 -fields is-aes-encryption-enabled

vserver  is-aes-encryption-enabled
-------- -------------------------
vs2      true