
SMB3 Encryption with Qumulo Core

IN THIS ARTICLE 

Outlines how to configure SMB3 encryption with Qumulo Core

REQUIREMENTS

  • Cluster running Qumulo Core 2.14.0 or later (2.14.3 for Web UI)
  • Command line (CLI) tools installed via the API & Tools tab

PROCESS

SMB3 adds encryption to the SMB protocol, and Qumulo Core lets you control it at the cluster-wide level or at the per-share level. Depending on your environment and workflow, you can configure per-share encryption instead of the cluster-wide setting, so that a client can use encryption against a single share that requires it while connecting to a share that does not in the same session.

Keep in mind that these settings define what the cluster requires, not what the client does: SMB clients can still decide to encrypt even when encryption is not required.

Notes

  • By default, Qumulo Core sets the cluster-level SMB in-flight encryption to None and the per-share setting to Unencrypted. To confirm the Cluster-Wide Encryption setting in the Web UI, click Sharing > SMB Shares > SMB Settings.
  • If you require cluster-level SMB in-flight encryption, or if the Require Encryption setting is enabled for a specific SMB share, it isn't necessary to also use signing as a protection mechanism on that share: SMB3 encryption already protects the integrity of each message.
  • Qumulo Core enables at-rest data encryption globally for all new clusters created with Qumulo Core 3.1.5 (and higher).

Interactions between Cluster and Per-share Level Encryption

Cluster-wide encryption can be set to one of three modes: no encryption, prefer encryption, or require encryption. With no encryption, clients can send unencrypted or encrypted packets unless they connect to an encrypted share, where only encrypted packets are permitted. With prefer encryption, clients can likewise send either encrypted or unencrypted packets unless they connect to an encrypted share, in which case they must send encrypted traffic. With require encryption, clients must send only encrypted packets regardless of the per-share settings.

The following table details the interactions between cluster level encryption and per-share level encryption:

Cluster Encryption Level | Unencrypted Share                                                             | Encrypted Share
-------------------------|-------------------------------------------------------------------------------|------------------------------------------------------------------------------
No Encryption            | Client can send unencrypted or encrypted packets.                             | Client must send encrypted packets. Unencrypted clients will be disconnected.
Prefer Encryption        | Client can send unencrypted or encrypted packets.                             | Client must send encrypted packets. Unencrypted clients will be disconnected.
Require Encryption       | Client must send encrypted packets. Unencrypted clients will be disconnected. | Client must send encrypted packets. Unencrypted clients will be disconnected.

Configure Cluster Level Encryption via Web UI

  1. Hover over the Cluster menu and select SMB Settings.

    [Screenshot: SMB Settings menu]
  2. Click Edit to view the available encryption levels.

    [Screenshot: Configure SMB Settings dialog]
  3. Select the encryption level desired.
    • When unencrypted shares are present, they are displayed below the encryption selections. Click the View [x] unencrypted share button on the right to view them.
  4. Click Configure SMB to save the changes.

Configure Cluster Level Encryption via QQ CLI

No Encryption: Encryption is disabled and not advertised to clients.

qq smb_modify_settings --encryption-mode NONE

Prefer Encryption: Encryption is enabled. Clients can connect unencrypted.

qq smb_modify_settings --encryption-mode PREFER

Require Encryption: Encryption is required. Clients incapable of encryption will not be able to connect.

qq smb_modify_settings --encryption-mode REQUIRE

Tip: To find out whether a client's SMB3 session is encrypted, run the following Windows PowerShell command on the client. The output lists the session details, including the encryption status:

Get-SmbConnection | Select-Object -property *

Sample Output
SmbInstance : Default
ContinuouslyAvailable : False
Credential : QUMULOTEST.LOCAL\spiderman
Dialect : 3.0
Encrypted : False
NumOpens : 2
Redirected : False
ServerName : qq
ShareName : Files
Signed : True
UserName : QUMULOTEST\spiderman
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties

Configure Per-share Level Encryption via QQ CLI

Unencrypted: Encryption is disabled. Clients can connect to the share either encrypted or unencrypted.

qq smb_mod_share --name "SHARE NAME" --require-encryption FALSE

Encrypted: Encryption is required. Clients incapable of encryption will not be able to connect.

qq smb_mod_share --name "SHARE NAME" --require-encryption TRUE

Tip: You can also identify the share by its ID by replacing --name with --id in the commands above.
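As an added example (not Qumulo's code), the Python below encodes the interaction table and the per-share flag from this article, audits which shares a client that does not encrypt can still reach under a given cluster mode, and checks a record from the Get-SmbConnection tip against the policy the cluster is supposed to enforce. The share names and the parsed session record are constructed for illustration.

```python
# Added example, not Qumulo code: a model of the encryption policy this article
# describes (cluster mode NONE / PREFER / REQUIRE combined with the per-share
# --require-encryption flag), plus a check of a Get-SmbConnection record against it.
from dataclasses import dataclass

CLUSTER_MODES = ("NONE", "PREFER", "REQUIRE")


@dataclass(frozen=True)
class Share:
    name: str                 # constructed share names are used in the examples
    require_encryption: bool  # value passed to qq smb_mod_share --require-encryption


def encryption_required(cluster_mode: str, share: Share) -> bool:
    """True when the documented policy forces encrypted packets for this share."""
    if cluster_mode not in CLUSTER_MODES:
        raise ValueError(f"unknown cluster encryption mode {cluster_mode!r}")
    # REQUIRE wins regardless of the per-share flag; NONE and PREFER defer to it.
    return cluster_mode == "REQUIRE" or share.require_encryption


def session_outcome(cluster_mode: str, share: Share, client_encrypts: bool) -> str:
    """'connected' or 'disconnected', following the interaction table."""
    if encryption_required(cluster_mode, share) and not client_encrypts:
        return "disconnected"
    return "connected"


def plaintext_exposure(cluster_mode: str, shares) -> list:
    """Names of the shares a client sending unencrypted packets can still use."""
    return [s.name for s in shares
            if session_outcome(cluster_mode, s, client_encrypts=False) == "connected"]


def parse_smb_connection(text: str) -> dict:
    """Parse the 'Property : Value' lines of Get-SmbConnection | Select-Object *."""
    props = {}
    for line in text.splitlines():
        if " :" in line:  # split on the first ' :' since values may contain ':'
            key, _, value = line.partition(" :")
            props[key.strip()] = value.strip()
    return props


def check_session(conn: dict, cluster_mode: str, share: Share) -> str:
    """Compare an observed client session with the policy the cluster should apply."""
    encrypted = conn.get("Encrypted", "").lower() == "true"
    if encryption_required(cluster_mode, share) and not encrypted:
        return "ALERT: policy requires encryption but the session is unencrypted"
    if not encrypted:
        return "INFO: unencrypted session permitted by policy"
    return "OK: session encrypted"
```

An ALERT from check_session means the observed session contradicts the intended policy, which is worth investigating (for example, the setting was never applied or the client is connected to a different share than assumed).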

Disable SMB3 Negotiation for Performance

It’s important to note that a client can decide to encrypt even with the minimal settings configured. Compared to unencrypted configurations, pipelined workflows may see a mild performance degradation of 10% to 15%, while synchronized operations may experience a 50% to 65% drop in performance. Keep in mind that performance is highly workload-dependent so you may see different results.

As we iterate our implementation in later releases, you can expect to see performance results improve. In the meantime, you can avoid this potential performance impact by disabling SMB3 negotiation to prohibit advertising the encryption capability.

To disable SMB3 negotiation, use the following command to remove SMB3 from the supported dialects list:

qq smb_modify_settings --supported-dialects SMB2_DIALECT_2_1

If you need to re-enable SMB3 negotiation, you can run the following to include SMB3 and SMB2.1 in the supported dialects list:

qq smb_modify_settings --supported-dialects SMB2_DIALECT_2_1 SMB2_DIALECT_3_0

RESOLUTION

You should now be able to successfully configure cluster and per-share level encryption for SMB3 with Qumulo Core.

ADDITIONAL RESOURCES

QQ CLI: SMB Shares 
