Data Backup and Recovery

Client force SMB encryption

ntapAdminUser
3,880 Views

I want to backup SMB shares using a client. Now, this client lives in a different domain and it would be preferred if the data is encrypted.  However, other traffic to this server need not be encrypted. So, is there a way to selectively encrypt the data for a share? Can the client force server to encrypt the data.

2 REPLIES 2

Ontapforrum
3,794 Views

Hi,

 

SMB is a client/server Model, so I don't think client can force it. It's the SMB Server setting that can force encryption and the client must support it.

 

Encryption is provided by the 'Protocol/SMB3.0' itself (@Session/share level), It can either be for all the shares or at individual share. Therefore, whatever Ontap version supports SMB3.0 dialect, you should be able to enable it.

By default, it is disabled (b'cos of possible performance impact).

 

ONTAP (SMB Server): You can configure the desired SMB encryption setting on a share-by-share basis through a share property setting or at SVM level for all the shares.

 

SMB Client: To create an encrypted SMB session, the SMB client must support SMB encryption. Windows clients starting with Windows Server 2012 and Windows 8 support SMB encryption. SMB clients that do not support encryption cannot connect to a SMB server or share that requires encryption.

 

I think it's worth testing to see if there is any serge in CPU at client or storage side due to it, I haven't used it so I can't share first hand experience with you. Following section do talk about it:

 

When SMB sessions use SMB encryption, all SMB communications to and from Windows clients experience a performance impact, which affects both the clients and the server.

 

Performance impact of SMB encryption:
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-EF158266-85EE-4648-8D0F-6F80F0E13DCA.html

 

SMB is well documented in Microsoft docs as well, so testing is worth it.

 

Thanks!

ntapAdminUser
3,769 Views

@Ontapforrum  Thanks for the info. Just want to confirm that we are on the same page:

The command to enable/disable encryption is:

vserver cifs security modify -vserver vserver_name -is-smb-encryption-required true/false

 

Let's say I set it to false (i.e disable encryption for a vserver). If a client wants to negotiate encryption. Will the client be able to negotiate with the server to encrypt the traffic between them? 

The idea is that only one client to the SMB server needs encrypted data. Others clients do not need data to be encrypted. Is this possible? 

Public