IN THIS ARTICLE
Outlines how to configure SMB3 encryption with Qumulo Core
- Cluster running Qumulo Core 2.14.0 or later
- Command line (CLI) tools installed via API & Tools tab
SMB3 introduces encryption to the SMB protocol at a cluster-wide level or at a per-share level. Depending on your environment and workflow, you can configure per-share level encryption instead of the cluster-wide setting so that a client can use encryption against a single share that requires it and connect to a share that does not in the same session.
Keep in mind that while these settings can be controlled, SMB clients can still decide whether or not to encrypt even when encryption is not required.
NOTE: By default, the cluster level setting is set to no encryption and the per-share setting is set to unencrypted.
Interactions between Cluster and Per-share Level Encryption
Cluster-wide encryption can be configured in one of three ways: no encryption, prefer encryption, and require encryption. When cluster-wide encryption is disabled, clients can send unencrypted or encrypted packets unless connected to an encrypted share. If the client is connected to an encrypted share, only encrypted packets are permitted. When cluster level encryption is set to preferred, clients can send either encrypted or unencrypted packets unless they are connecting to an encrypted share, in which case they must send encrypted traffic. If cluster level encryption is required, clients must send only encrypted packets regardless of per-share settings.
The following table details the interactions between cluster level encryption and per-share level encryption:
| Cluster Encryption Level | Unencrypted Share | Encrypted Share |
|---|---|---|
| No Encryption | Client can send unencrypted or encrypted packets. | Client must send encrypted packets. Unencrypted clients will be disconnected. |
| Prefer Encryption | Client can send unencrypted or encrypted packets. | Client must send encrypted packets. Unencrypted clients will be disconnected. |
| Require Encryption | Client must send encrypted packets. Unencrypted clients will be disconnected. | Client must send encrypted packets. Unencrypted clients will be disconnected. |
Configure Cluster Level Encryption via QQ CLI
No Encryption: Encryption is disabled and not advertised to clients.
qq smb_modify_settings --encryption-mode NONE
Prefer Encryption: Encryption is enabled. Clients can connect unencrypted.
qq smb_modify_settings --encryption-mode PREFER
Require Encryption: Encryption is required. Clients incapable of encryption will not be able to connect.
qq smb_modify_settings --encryption-mode REQUIRE
Configure Per-share Level Encryption via QQ CLI
Unencrypted: Encryption is disabled. Clients can connect to the share encrypted and unencrypted.
qq smb_mod_share --name "SHARE NAME" --require-encryption FALSE
Encrypted: Encryption is required. Clients incapable of encryption will not be able to connect.
qq smb_mod_share --name "SHARE NAME" --require-encryption TRUE
TIP! The share id can be used by replacing --name with --id in the commands above.
Disable SMB3 Negotiation for Performance
It’s important to note that a client can decide to encrypt even with the minimal settings configured. Performance may be impacted when clients are sending encrypted packets, especially in environments where IO is not pipelined. To avoid this potential performance impact, you can disable SMB3 negotiation to prohibit advertising the encryption capability.
To disable SMB3 negotiation, use the following command to remove SMB3 from the supported dialects list:
qq smb_modify_settings --supported-dialects SMB2_DIALECT_2_1
If you need to re-enable SMB3 negotiation, you can run the following to include SMB3 and SMB2.1 in the supported dialects list:
qq smb_modify_settings --supported-dialects SMB2_DIALECT_2_1 SMB2_DIALECT_3_0
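As an added example (not Qumulo's own tooling), the script below models the cluster/share interaction table above and prints the qq commands for a desired state, so the resulting per-share policy and the dialect list can be reviewed before anything is run against a cluster. The qq flags are the ones shown in this article; the share names and the check that REQUIRE mode needs the SMB3 dialect in the supported list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Qumulo code. Nothing here touches a cluster: the qq
# commands are printed for review, not executed.

# effective_policy MODE SHARE_REQUIRE -> what a client must send to that share,
# following the interaction table: REQUIRE wins cluster-wide, otherwise the
# per-share flag decides.
effective_policy() {
  case "$1" in
    REQUIRE) echo encrypted-only ;;
    NONE|PREFER)
      if [ "$2" = TRUE ]; then echo encrypted-only; else echo either; fi ;;
    *) echo "unknown encryption mode: $1" >&2; return 1 ;;
  esac
}

# dialects_allow_mode MODE "DIALECT ..." -> 0 if the dialect list can carry
# MODE. Assumption: SMB3 encryption needs the SMB3 dialect, so REQUIRE while
# offering only SMB2_DIALECT_2_1 would leave no client able to connect.
dialects_allow_mode() {
  case "$1" in
    REQUIRE) case " $2 " in *" SMB2_DIALECT_3_0 "*) return 0 ;; *) return 1 ;; esac ;;
    *) return 0 ;;
  esac
}

# plan MODE "DIALECT ..." "share=TRUE share2=FALSE ..." -> prints qq commands.
# Share names in the spec list must not contain spaces (constructed format).
plan() {
  dialects_allow_mode "$1" "$2" || { echo "refusing: REQUIRE without SMB3 dialect" >&2; return 1; }
  echo "qq smb_modify_settings --encryption-mode $1"
  echo "qq smb_modify_settings --supported-dialects $2"
  for spec in $3; do
    name=${spec%=*}; flag=${spec#*=}
    printf 'qq smb_mod_share --name "%s" --require-encryption %s   # clients: %s\n' \
      "$name" "$flag" "$(effective_policy "$1" "$flag")"
  done
}

# Constructed sample: prefer encryption cluster-wide, require it on one share.
plan PREFER "SMB2_DIALECT_2_1 SMB2_DIALECT_3_0" "finance=TRUE public=FALSE"
```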
You should now be able to successfully configure cluster and per-share level encryption for SMB3 with Qumulo Core.