This section explains how to manage SMB3 encryption for individual shares or entire clusters in Qumulo Core 2.14 (and higher).

To confirm the settings for your cluster from the Qumulo Core Web UI, click Sharing > SMB Shares > SMB Settings. By default, Qumulo Core supports AES-128-GCM and AES-128-CCM encryption, sets cluster-level SMB encryption to None and share-level encryption to Unencrypted.

For all clusters created by using Qumulo Core 3.1.5 (and higher), Qumulo Core enables at-rest encryption automatically.

How Cluster-Level and Share-Level Encryption Settings Interact in Qumulo Core

The following table explains the possible levels of encryption of clusters and shares and the relationships between them.

Cluster Encryption Level Unencrypted Share Encrypted Share
No Encryption Clients can send unencrypted or encrypted packets
  • Clients must send encrypted packets
  • Unencrypted clients are disconnected
Prefer Encryption Client can send unencrypted or encrypted packets.
  • Clients must send encrypted packets
  • Unencrypted clients are disconnected
Require Encryption
  • Clients must send encrypted packets
  • Unencrypted clients are disconnected
  • Clients must send encrypted packets
  • Unencrypted clients are disconnected

Configuring Cluster-Level and Share-Level Encryption

This section explains how to configure cluster-level encryption in Qumulo Core by using the Qumulo Core Web UI and qq CLI and how to configure share-level encryption by using the qq CLI.

To Configure Cluster-Level Encryption by Using the Qumulo Core Web UI

  1. Log in to the Qumulo Core Web UI.

  2. Click Cluster > SMB Settings.

  3. On the SMB Settings page, select an encryption level.

    The Qumulo Core Web UI shows any unencrypted shares on your cluster.

  4. Click Configure SMB.

To Configure Cluster-Level and Share-Level Encryption by Using the qq CLI

For information about configuring cluster-level and share-level encryption by using the qq CLI, see the following sections in the Qumulo qq CLI Command Guide.

Disabling SMB3 Negotiation to Improve Workload Performance

Clients that connect to your cluster can send encrypted or unencrypted packets when your cluster doesn’t require encryption. In certain scenarios, compared to unencrypted configurations, while workflows triggered by pipelines can experience a slight performance degradation, synchronized operations can experience a more significant drop in performance.

To avoid potential performance impact, you can prohibit Qumulo Core from advertising its encryption capabilities by turning off SMB3 negotiation.

For more information, see qq smb_modify_settings in the Qumulo qq CLI Command Guide.

Checking Encryption of SMB3 Session

To check whether an SMB3 client session is encrypted, run the Get-SmbConnection PowerShell command. For example:

Get-SmbConnection | Select-Object -property *

The following is example output.

SmbInstance : Default
ContinuouslyAvailable : False
Credential : SILENCE\jcage
Dialect : 3.0
Encrypted : False
NumOpens : 2
Redirected : False
ServerName : qq
ShareName : Files
Signed : True
UserName : SILENCE\jcage
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties