SMB Encryption provides end-to-end encryption of SMB data and protects against potential eavesdropping attacks on untrusted networks. Consider using SMB3 Encryption for any scenario in which sensitive data needs protection from man-in-the-middle (MITM) attacks.
SMB3 Encryption uses the Advanced Encryption Standard (AES)-CCM algorithm for both encryption and signing.
- No deployment requirements other than changing the SMB server settings.
- No dedicated hardware requirements unlike most storage area networks (SANs).
- Provides secure access to the server and shares.
- Protects data from eavesdropping attacks on untrusted networks.
- Provides end-to-end data encryption in-flight.
SMB3 Encryption is available only if the EVS is configured for version 3 of the SMB protocol. To set the version, use the smb-max-supported-version 3 command.
CLI commands
To use SMB3 Encryption, the cifs-auth command must be set to on.
Use the following commands to enable or disable SMB3 Encryption on an EVS:
- smb3-encryption-enable: Enables encryption on the current EVS.
- smb3-encryption-disable: Disables encryption on the current EVS.
- --encrypt-data: Enables encrypted client access to a share.
- --no-encrypt-data: Disables encrypted client access to a share.
- smb3-reject-unencrypted-access-enable: Rejects unencrypted client access to the current EVS.
- smb3-reject-unencrypted-access-disable: Allows unencrypted client access to the current EVS.
- SMB3 Encryption does not affect SMB1 clients. To prevent access by SMB1 clients, you must turn off the SMB1 server by using the smb-min-supported-version 2 command.
- Some Remote Procedure Call (RPC) virus scanners are not compatible with SMB3 Encryption and will not work with smb3-reject-unencrypted-access enabled. Check with your virus scanner vendor for information about compatibility.
For more information about the CLI commands, see the Command Line Reference.
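The prerequisites and notes above interact: encryption can be enabled while unencrypted or SMB1 access is still permitted. The following Python check is an added example, not vendor code. It lints a record of one EVS's settings against the rules stated on this page. The dictionary keys and rule IDs are hypothetical names chosen for illustration, the sample records are constructed, and the per-share --encrypt-data options are not modelled.

```python
# Added example: audit one EVS's SMB settings against the rules on this page.
# The keys below are hypothetical; fill them in from your own record of the
# EVS configuration (they are not output of any real command).

def audit_evs(cfg):
    """Return a list of (rule_id, message) findings; an empty list means no gaps."""
    findings = []
    # SMB3 Encryption is available only when the EVS supports SMB version 3.
    if cfg["smb_max_version"] < 3:
        findings.append(("MAX_VERSION",
                         "SMB3 Encryption unavailable: use smb-max-supported-version 3"))
    # cifs-auth must be set to on before SMB3 Encryption can be used.
    if not cfg["cifs_auth_on"]:
        findings.append(("CIFS_AUTH", "cifs-auth must be set to on"))
    if not cfg["encryption_enabled"]:
        findings.append(("ENCRYPTION_OFF",
                         "encryption disabled: use smb3-encryption-enable"))
    # Without the reject setting, unencrypted client access is still allowed.
    if not cfg["reject_unencrypted"]:
        findings.append(("UNENCRYPTED_ALLOWED",
                         "unencrypted access allowed: use "
                         "smb3-reject-unencrypted-access-enable"))
    # SMB3 Encryption does not affect SMB1 clients; the SMB1 server must be off.
    if cfg["smb_min_version"] < 2:
        findings.append(("SMB1_ALLOWED",
                         "SMB1 clients can connect: use smb-min-supported-version 2"))
    # Some RPC virus scanners stop working once unencrypted access is rejected.
    if cfg["reject_unencrypted"] and cfg["rpc_virus_scanner"]:
        findings.append(("SCANNER_COMPAT",
                         "confirm RPC virus scanner compatibility with the vendor"))
    return findings

# Constructed sample records: encryption on but downgrade paths left open,
# and the same EVS with those paths closed.
WEAK = {"smb_max_version": 3, "smb_min_version": 1, "cifs_auth_on": True,
        "encryption_enabled": True, "reject_unencrypted": False,
        "rpc_virus_scanner": False}
HARDENED = dict(WEAK, smb_min_version=2, reject_unencrypted=True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_evs(cfg) or "no findings")
```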