SMB3 Encryption support

File Service Administration Guide for Hitachi NAS Platform

Version: 14.9.x
Audience: anonymous
Part Number: MK-92HNAS006-31

SMB Encryption provides end-to-end encryption of SMB data and protects against potential eavesdropping attacks on untrusted networks. Consider using SMB3 Encryption for any scenario in which sensitive data needs protection from man-in-the-middle (MITM) attacks.

SMB3 Encryption uses the Advanced Encryption Standard (AES)-CCM algorithm for both encryption and signing.

The main benefits of SMB3 Encryption are:
  • No deployment requirements other than changing the SMB server settings.
  • No dedicated hardware requirements, unlike most storage area networks (SANs).
  • Provides secure access to the server and shares.
  • Protects data from eavesdropping attacks on untrusted networks.
  • Provides end-to-end data encryption in-flight.

SMB3 Encryption is available only if the EVS is configured for version 3 of the SMB protocol. To set the version, use the smb-max-supported-version 3 command.

CAUTION:
SMB3 Encryption can severely impact SMB performance and should be enabled only where it is necessary.

CLI commands

To use SMB3 Encryption, the cifs-auth command must be set to on.

Use the following commands to enable or disable SMB3 Encryption on an EVS:

  • smb3-encryption-enable

    Enables encryption on the current EVS.

  • smb3-encryption-disable

    Disables encryption on the current EVS.

Use the following options on the cifs-share command to enable or disable encryption on a share:

  • --encrypt-data

    Enables encrypted client access to a share.

  • --no-encrypt-data

    Disables encrypted client access to a share.

Note: Always disable share-level encryption before you downgrade to a pre-feature build, to prevent the share from being deleted.

SMB2 clients cannot connect to a server or share that requires encryption. Use the following commands together with the smb3-encryption and cifs-share commands to allow or reject unencrypted access for SMB2 clients:
  • smb3-reject-unencrypted-access-enable

    Rejects unencrypted client access to the current EVS.

  • smb3-reject-unencrypted-access-disable

    Allows unencrypted client access to the current EVS.

Notes:
  • SMB3 Encryption does not affect SMB1 clients. To prevent access by SMB1 clients, you must turn off the SMB1 server by using the smb-min-supported-version 2 command.
  • Some Remote Procedure Call (RPC) virus scanners are not compatible with SMB3 Encryption and will not work with smb3-reject-unencrypted-access enabled. Check with your virus scanner vendor for information about compatibility.
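The access rules above (SMB1 unaffected, SMB2 unable to use an encrypted server or share, reject-unencrypted-access deciding the unencrypted case) can be checked against an EVS configuration before it goes live. The following is an added example, not code from the Hitachi NAS guide or product; the EvsConfig field names and the rule that a client falls back to the server's maximum dialect are assumptions.

```python
# Added example (not from the Hitachi NAS guide): models the client-access
# outcome and the configuration gaps described on this page. Field names and
# the dialect fallback rule are assumptions, not product behaviour.
from dataclasses import dataclass, field

@dataclass
class EvsConfig:
    smb_max_version: int = 2          # smb-max-supported-version
    smb_min_version: int = 1          # smb-min-supported-version
    cifs_auth: bool = True            # cifs-auth on/off
    smb3_encryption: bool = False     # smb3-encryption-enable / -disable
    reject_unencrypted: bool = False  # smb3-reject-unencrypted-access-enable / -disable
    encrypted_shares: set = field(default_factory=set)  # shares created with --encrypt-data

def encryption_available(cfg):
    # SMB3 Encryption only takes effect with SMB3 enabled and cifs-auth on.
    return cfg.smb_max_version >= 3 and cfg.cifs_auth

def client_access(cfg, share, dialect, client_encrypts):
    """Return (allowed, reason) for a client negotiating SMB `dialect` (1, 2 or 3)."""
    if dialect < cfg.smb_min_version:
        return False, "dialect below smb-min-supported-version"
    if dialect > cfg.smb_max_version:
        dialect = cfg.smb_max_version  # assumption: client falls back to the server's max
    if dialect == 1:
        return True, "SMB1 is unaffected by SMB3 Encryption"
    requires = encryption_available(cfg) and (cfg.smb3_encryption or share in cfg.encrypted_shares)
    if not requires:
        return True, "encryption not required"
    if dialect == 3 and client_encrypts:
        return True, "encrypted SMB3 session"
    if cfg.reject_unencrypted:
        return False, "unencrypted access rejected"
    return True, "unencrypted access allowed (reject-unencrypted-access disabled)"

def audit(cfg):
    """List configuration gaps that leave an unencrypted path to the EVS open."""
    findings = []
    wants = cfg.smb3_encryption or bool(cfg.encrypted_shares)
    if wants and cfg.smb_max_version < 3:
        findings.append("encryption configured but smb-max-supported-version < 3")
    if wants and not cfg.cifs_auth:
        findings.append("encryption configured but cifs-auth is off")
    if wants and cfg.smb_min_version < 2:
        findings.append("SMB1 still served: set smb-min-supported-version 2")
    if wants and not cfg.reject_unencrypted:
        findings.append("unencrypted SMB2/SMB3 access still allowed")
    return findings
```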

For more information about the CLI commands, see the Command Line Reference.