Dell VNX5800 VNX Series: Introduction to SMB 3.0 Support - Page 20


20
EMC VNX Series: Introduction to SMB 3.0 Support

Figure 12 Location of SMB Encryption values in the Registry

On VNX, encryption can also be enabled at the share level by using the type=Encrypted export option. Once encryption is enabled, the SMB payload is encrypted only when an encrypted share is accessed. You can also use the RejectUnencryptedAccess value with the type=Encrypted export option to control the behavior when a pre-SMB 3.0 client attempts to access it.

Encryption keys

Incoming and outgoing traffic are encrypted using two different secret keys. Both are computed once the user is authenticated successfully. The 16-byte encryption and decryption keys are generated using the KDF algorithm in Counter Mode. SMB messages on the network are encrypted between the client and server using the AES128-CCM cryptographic algorithm, as described in RFC4309 and RFC3610. Each encrypted message consists of an SMB2 TRANSFORM_HEADER followed by the payload. Any SMB 2 message can be encrypted, except SMB2_NEGOTIATE and SMB2_SESSION_SETUP.
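As an added example (not code from the VNX document), the counter-mode KDF above applied to produce the two per-direction AES-128-CCM keys, and a parser for the TRANSFORM_HEADER that precedes each encrypted message. The label and context strings ("SMB2AESCCM", "ServerIn ", "ServerOut") come from the MS-SMB2 specification rather than from this page, and the session key and frame bytes are constructed; only the Python standard library is used.

```python
import hashlib
import hmac
import struct

def kdf_counter_mode(key_in: bytes, label: bytes, context: bytes, bits: int = 128) -> bytes:
    """SP800-108 KDF in counter mode with HMAC-SHA256 (the construction SMB 3.0 uses).
    One iteration is enough because only 128 key bits are requested."""
    # i || Label || 0x00 || Context || L, with i and L as 32-bit big-endian integers
    data = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", bits)
    return hmac.new(key_in, data, hashlib.sha256).digest()[: bits // 8]

# Label and per-direction context strings from MS-SMB2 (null terminator included).
LABEL_AESCCM = b"SMB2AESCCM\x00"
CTX_SERVER_IN = b"ServerIn \x00"   # traffic flowing into the server (client -> server)
CTX_SERVER_OUT = b"ServerOut\x00"  # traffic flowing out of the server (server -> client)

def derive_smb30_keys(session_key: bytes) -> dict:
    """The two 16-byte AES-128-CCM keys, named from the client's point of view:
    EncryptionKey protects what it sends, DecryptionKey what it receives."""
    return {
        "EncryptionKey": kdf_counter_mode(session_key, LABEL_AESCCM, CTX_SERVER_IN),
        "DecryptionKey": kdf_counter_mode(session_key, LABEL_AESCCM, CTX_SERVER_OUT),
    }

# SMB2 TRANSFORM_HEADER (MS-SMB2 2.2.41): 52 bytes, little-endian fields.
TRANSFORM_PROTOCOL_ID = b"\xfdSMB"
TRANSFORM_FMT = "<4s16s16sIHHQ"  # ProtocolId, Signature, Nonce, OrigSize, Reserved, Alg, SessionId

def parse_transform_header(frame: bytes) -> dict:
    """Split an encrypted SMB2 frame into its header fields, AAD and ciphertext."""
    if len(frame) < 52 or frame[:4] != TRANSFORM_PROTOCOL_ID:
        raise ValueError("not an SMB2 TRANSFORM_HEADER frame")
    _, sig, nonce, orig_size, _, alg, sid = struct.unpack(TRANSFORM_FMT, frame[:52])
    if alg != 0x0001:  # SMB 3.0/3.0.2 only define SMB2_ENCRYPTION_AES128_CCM (0x0001)
        raise ValueError(f"unexpected EncryptionAlgorithm 0x{alg:04x}")
    if len(frame) < 52 + orig_size:
        raise ValueError("frame shorter than OriginalMessageSize")
    return {
        "signature": sig,            # 16-byte CCM authentication tag
        "nonce": nonce[:11],         # AES-128-CCM uses 11 nonce bytes; the rest must be zero
        "original_size": orig_size,  # length of the plaintext SMB2 message
        "session_id": sid,
        "aad": frame[20:52],         # Nonce through SessionId are authenticated, not encrypted
        "ciphertext": frame[52:52 + orig_size],
    }

if __name__ == "__main__":
    keys = derive_smb30_keys(bytes(range(16)))  # constructed session key for the demo
    print({name: key.hex() for name, key in keys.items()})
```

The two derived keys differ only by their context string, which is why the same session key yields distinct keys for each traffic direction.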
Enabling encryption

To enable encryption on a share, export it with the type=Encrypted export option as shown in Figure 13. This is a CLI-only procedure.

Figure 13 Enabling Encryption on a Share