Skip to main content

Enable or disable required SMB encryption for incoming SMB traffic

Contributors netapp-ahibbard

If you want to require SMB encryption for incoming SMB traffic you can enable it on the CIFS server or at the share level. By default, SMB encryption is not required.

About this task

You can enable SMB encryption on the CIFS server, which applies to all shares on the CIFS server. If you do not want required SMB encryption for all shares on the CIFS server or if you want to enable required SMB encryption for incoming SMB traffic on a share-by-share basis, you can disable required SMB encryption on the CIFS server.

When you set up a storage virtual machine (SVM) disaster recovery relationship, the value you select for the -identity-preserve option of the snapmirror create command determines the configuration details that are replicated in the destination SVM.

If you set the -identity-preserve option to true (ID-preserve), the SMB encryption security setting is replicated to the destination.

If you set the -identity-preserve option to false (non-ID-preserve), the SMB encryption security setting is not replicated to the destination. In this case, the CIFS server security settings on the destination are set to the default values. If you have enabled SMB encryption on the source SVM, you must manually enable CIFS server SMB encryption on the destination.

Steps
  1. Perform one of the following actions:

    If you want required SMB encryption for incoming SMB traffic on the CIFS server to be…​ Enter the command…​

    Enabled

    vserver cifs security modify -vserver vserver_name -is-smb-encryption-required true

    Disabled

    vserver cifs security modify -vserver vserver_name -is-smb-encryption-required false

  2. Verify that required SMB encryption on the CIFS server is enabled or disabled as desired: vserver cifs security show -vserver vserver_name -fields is-smb-encryption-required

    The is-smb-encryption-required field displays true if required SMB encryption is enabled on the CIFS server and false if it is disabled.

Example

The following example enables required SMB encryption for incoming SMB traffic for the CIFS server on SVM vs1:

cluster1::> vserver cifs security modify -vserver vs1 -is-smb-encryption-required true

cluster1::> vserver cifs security show -vserver vs1 -fields is-smb-encryption-required
vserver  is-smb-encryption-required
-------- -------------------------
vs1      true