This section explains how to manage SMB3 encryption for individual shares or entire clusters in Qumulo Core 2.14 (and higher).
To confirm the settings for your cluster from the Qumulo Core Web UI, click Sharing > SMB Shares > SMB Settings. By default, Qumulo Core supports AES-128-GCM and AES-128-CCM encryption, sets cluster-level SMB encryption to None and share-level encryption to Unencrypted.
For all clusters created by using Qumulo Core 3.1.5 (and higher), Qumulo Core enables at-rest encryption automatically.
- Clients that connect to your cluster can send encrypted or unencrypted packets when your cluster doesn't require encryption.
- It isn't necessary to use signing as a share-level protection mechanism if you set Require Encryption for a specific SMB share or if you configure cluster-level SMB encryption.
How Cluster-Level and Share-Level Encryption Settings Interact in Qumulo Core
The following table explains the possible levels of encryption of clusters and shares and the relationships between them.
| Cluster Encryption Level | Unencrypted Share | Encrypted Share |
|---|---|---|
| No Encryption | Clients can send unencrypted or encrypted packets |
|
| Prefer Encryption | Client can send unencrypted or encrypted packets. |
|
| Require Encryption |
|
|
Configuring Cluster-Level and Share-Level Encryption
This section explains how to configure cluster-level encryption in Qumulo Core by using the Web UI and qq CLI and how to configure share-level encryption by using the qq CLI.
To Configure Cluster-Level Encryption by Using the Qumulo Core Web UI
-
Log in to the Qumulo Core Web UI.
-
Click Cluster > SMB Settings.
-
On the SMB Settings page, select an encryption level.
The Web UI shows any unencrypted shares on your cluster.
-
Click Configure SMB.
To Configure Cluster-Level and Share-Level Encryption by Using the qq CLI
For information about configuring cluster-level and share-level encryption by using the qq CLI, see the following sections in the Qumulo qq CLI Command Guide.
-
Cluster-Level Encryption:
qq smb_modify_settings -
Share-Level Encryption:
qq smb_mod_share
Disabling SMB3 Negotiation to Improve Workload Performance
Clients that connect to your cluster can send encrypted or unencrypted packets when your cluster doesn’t require encryption. In certain scenarios, compared to unencrypted configurations, while workflows triggered by pipelines can experience a slight performance degradation, synchronized operations can experience a more significant drop in performance.
To avoid potential performance impact, you can prohibit Qumulo Core from advertising its encryption capabilities by turning off SMB3 negotiation.
For more information, see qq smb_modify_settings
in the Qumulo qq CLI Command Guide.
Checking Encryption of SMB3 Session
To check whether an SMB3 client session is encrypted, run the Get-SmbConnection PowerShell command. For example:
Get-SmbConnection | Select-Object -property *
The following is example output.
SmbInstance : Default
ContinuouslyAvailable : False
Credential : SILENCE\jcage
Dialect : 3.0
Encrypted : False
NumOpens : 2
Redirected : False
ServerName : qq
ShareName : Files
Signed : True
UserName : SILENCE\jcage
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties