SMB Encryption
SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on untrusted networks. You can deploy SMB Encryption with minimal effort, but it may require small additional costs for specialized hardware or software. It has no requirements for Internet Protocol security (IPsec) or WAN accelerators. SMB Encryption can be configured on a per share basis or for the entire file server, and it can be enabled for a variety of scenarios where data traverses untrusted networks.
NOTE:
SMB Encryption does not cover security at rest, which is typically handled by BitLocker Drive Encryption.
SMB Encryption should be considered for any scenario in which sensitive data needs to be protected from man-in-the-middle attacks. Possible scenarios include:
• An information worker’s sensitive data is moved by using the SMB protocol. SMB Encryption offers an end-to-end privacy and integrity assurance between the file server and the client, regardless of the networks traversed, such as wide area network (WAN) connections that are maintained by non-Microsoft providers.
• SMB 3.0 enables file servers to provide continuously available storage for server applications, such as SQL Server or Hyper-V. Enabling SMB Encryption provides an opportunity to protect that information from snooping attacks. SMB Encryption is simpler to use than the dedicated hardware solutions that are required for most storage area networks (SANs).
Important:
You should note that there is a notable performance operating cost with any end-to-end encryption protection when compared to non-encrypted.
Enable SMB Encryption
You can enable SMB Encryption for the entire file server or only for specific file shares. Use one of the following procedures to enable SMB Encryption:
Enable SMB Encryption with Windows PowerShell
1. To enable SMB Encryption for an individual file share, type the following script on the server:
Set-SmbShare –Name <sharename> -EncryptData $true
2. To enable SMB Encryption for the entire file server, type the following script on the server:
Set-SmbServerConfiguration –EncryptData $true
3. To create a new SMB file share with SMB Encryption enabled, type the following script:
New-SmbShare –Name <sharename> -Path <pathname> –EncryptData $true
Enable SMB Encryption with Server Manager
- In Server Manager, open File and Storage Services.
- Select Shares to open the Shares management page.
- Right-click the share on which you want to enable SMB Encryption, and then select Properties.
- On the Settings page of the share, select Encrypt data access. Remote file access to this share is encrypted.
Official Link HERE
