Version: 3024.10

SMB Protocol-Level Security

Message Signing

SMB message signing is a security mechanism designed to ensure the integrity and authenticity of messages exchanged between clients and servers. When messages are signed, the recipient can verify that they have not been tampered with in transit. The message signature is a keyed cryptographic hash (a message authentication code), generated from the session key (derived from the user's credentials at the time of connection) and the message content, so that any modification is detected.

The message signing algorithm depends on the SMB dialect:

  • SMB2: Utilizes HMAC-SHA256.
  • SMB3: Utilizes AES-CMAC or AES-GMAC for enhanced security.

By default, Fusion File Share Server mirrors the client's message signing preference. If the client sends a signed message, the server responds with signed messages. If the client sends an unsigned message, the server responds with unsigned messages.

However, if configured to require message signing, the server will drop unsigned messages from clients, and won't respond to them.

Global Parameter Enabling/Disabling Message Signing Requirement: require_message_signing

Value Type: boolean

Value Format: true|false

  • true: Requires all incoming SMB messages to be signed, and drops any unsigned messages.
  • false: Allows unsigned messages to be processed.

Default Value: false

Configuring Message Signing Behavior Using the Configuration File

To configure message signing behavior using the configuration file, set the require_message_signing parameter to true or false in the [global] section. For example:

[global]
. . .
require_message_signing = true
. . .
[/global]

Encryption in Transit

Access to SMB shares can be encrypted to secure data in transit. When clients that support encryption send encrypted requests, Fusion File Share Server responds with encrypted messages.

In addition, Fusion File Share Server can be configured to:

  • Encrypt all outgoing SMB messages, regardless of the client's preference (configurable globally or per share).
  • Reject unencrypted SMB messages from clients (configurable globally only).

Global Parameter Enabling Encryption for All Shares
Overridden by Per-Share Parameter: encrypt_data

Value Type: boolean

Value Format: true|false

  • true: Enables encryption in transit for all shares.
  • false: Disables encryption in transit for all shares.

Default Value: false

Share Parameter Toggling Encryption for a Specific Share
Overrides Global Parameter: encrypt_data

Value Type: boolean

Value Format: true|false

  • true: Enables data transfer encryption on the share.
  • false: Disables data transfer encryption on the share.

Default Value: as set in the global configuration.

Global Parameter Rejecting Unencrypted Access: reject_unencrypted_access

Value Type: boolean

Value Format: true|false

  • true: Causes the server to reject all unencrypted messages from clients.
  • false: Allows processing unencrypted messages from clients.

Default Value: false

Enabling Encryption in Transit Globally Using the Configuration File

To enable encryption in transit for all shares, set the encrypt_data parameter in the [global] section of the configuration file to true:

[global]
. . .
encrypt_data = true
. . .
[/global]

Requiring Encryption for All Shares Using the Configuration File

To reject unencrypted access to all shares, set the reject_unencrypted_access parameter in the [global] section of the configuration file to true:

[global]
. . .
reject_unencrypted_access = true
. . .
[/global]

Setting Encryption on a Share Using the Configuration File

If the global setting for encryption in transit is set to false (or omitted), enable encryption for a specific share by setting the encrypt_data parameter in the [share] section to true, as shown below:

[global]
. . .
encrypt_data = false
. . .
[/global]

[share]
netname = MyShare
path = /export/share
encrypt_data = true
[/share]

If the global setting for encryption in transit is set to true, but you want to disable encryption for a specific share, set the encrypt_data parameter in the [share] section to false, as shown below:

[global]
. . .
encrypt_data = true
. . .
[/global]

[share]
netname = MyShare
path = /export/share
encrypt_data = false
[/share]
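The precedence rule above (a share's encrypt_data overrides the [global] value, and an unset value means false) is easy to get wrong when a configuration has many shares. The following added example, which is not Fusion File Share Server code, parses the [section] ... [/section] layout shown on this page and reports the effective encryption state of each share together with the two global hardening flags; the SAMPLE_CONFIG is constructed for illustration.

```python
import re

# Constructed sample in the page's [section] ... [/section] layout, not a real deployment.
SAMPLE_CONFIG = """\
[global]
require_message_signing = false
encrypt_data = false
[/global]
[share]
netname = Public
[/share]
[share]
netname = Finance
path = /export/finance
encrypt_data = true
[/share]
"""
TAG = re.compile(r"^\[(/?)(\w+)\]$")  # matches [name] and [/name]

def parse_config(text):
    """Return (global_settings, [share_settings, ...]); raises on unbalanced tags."""
    global_cfg, shares, section, current = {}, [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := TAG.match(line):
            closing, name = m.group(1) == "/", m.group(2)
            if not closing:
                section, current = name, {}  # start a new [global] or [share] block
            elif name != section:
                raise ValueError(f"[/{name}] does not close [{section}]")
            else:
                (shares.append if name == "share" else global_cfg.update)(current)
                section = None
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_cfg, shares

def as_bool(value, default=False):
    # An absent parameter falls back to the caller's default (false unless overridden).
    return default if value is None else value.lower() == "true"

def audit(text):
    """Effective settings: per-share encrypt_data overrides [global]; unset means false."""
    g, shares = parse_config(text)
    return {
        "require_message_signing": as_bool(g.get("require_message_signing")),
        "reject_unencrypted_access": as_bool(g.get("reject_unencrypted_access")),
        "encrypted_shares": {s["netname"]: as_bool(s.get("encrypt_data"), as_bool(g.get("encrypt_data"))) for s in shares},
    }
```

Running audit(SAMPLE_CONFIG) shows that Public inherits the global false while Finance is encrypted, and that neither signing nor encryption is required globally.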

Adding a Share with Encryption Using the CLI

When adding a share via the CLI, specify the encryption setting using the -e or --encrypt-data parameter. For example:

sudo tsmb-cfg share add -n MyShare -p /export/share -e true

Updating a Share's Encryption Setting Using the CLI

To update a share's encryption setting via the CLI, use the tsmb-cfg share update command with the -e or --encrypt-data parameter. For example:

sudo tsmb-cfg share update -n MyShare -e true