
SMB Protocol-Level Security

Message Signing

SMB message signing protects the integrity and authenticity of messages exchanged between clients and servers. When a message is signed, the recipient can verify that it was produced by the peer holding the session key and has not been altered in transit. The signature is a message authentication code (MAC) computed over the entire message with a signing key derived from the session key, which is itself derived from the user's credentials during authentication; any change to a signed message invalidates the signature, so tampering is detected.

The MAC algorithm used for message signing depends on the negotiated SMB dialect:

  • SMB 2.0.2 and 2.1: HMAC-SHA256, truncated to 16 bytes.
  • SMB 3.0 and 3.0.2: AES-128-CMAC.
  • SMB 3.1.1: AES-128-CMAC or AES-128-GMAC, selected during dialect negotiation.

By default, Fusion File Share Server follows the client's message signing preference: if the client sends a signed request, the server signs its responses; if the client sends an unsigned request, the server answers unsigned.

If configured to require message signing, the server instead drops unsigned requests from clients without responding to them. Because the default leaves the decision to the client, an unsigned session offers no protection against tampering in transit, so require signing wherever the client population supports it.
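The following is an added example (not code from the Fusion File Share Server project) showing what the server's signing check actually does for the SMB 2.0.2/2.1 HMAC-SHA256 case: the 64-byte SMB2 header is built with its Signature field zeroed, the MAC is computed over the whole message with the signing key, and the first 16 bytes are stored in the header. The session key and the request body are constructed for the example; the SMB 3.x variants (AES-CMAC/AES-GMAC with a KDF-derived signing key) are not shown. The server_decision function mirrors the behaviour described above: unsigned requests are dropped only when signing is required, while a signed request with a bad MAC is always dropped.

```python
"""SMB2 message signing (HMAC-SHA256, SMB 2.0.2/2.1) as a worked example."""
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008   # Flags bit set on signed messages
FLAGS_OFFSET = 16                # offset of Flags in the 64-byte SMB2 header
SIG_OFFSET = 48                  # offset of the Signature field
SIG_LEN = 16                     # Signature is the first 16 bytes of the MAC
HEADER_LEN = 64

# Constructed session key for the example; a real one comes out of authentication.
# For SMB 2.x the signing key is the session key itself.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def build_message(command, message_id, session_id, body, flags=0):
    """Build an SMB2 header (MS-SMB2 2.2.1.2 layout) with a zeroed Signature
    field and append the command body."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",    # ProtocolId
        HEADER_LEN,    # StructureSize
        0,             # CreditCharge
        0,             # Status
        command,       # Command
        1,             # CreditRequest
        flags,         # Flags
        0,             # NextCommand
        message_id,    # MessageId
        0,             # Reserved
        0,             # TreeId
        session_id,    # SessionId
        b"\x00" * 16,  # Signature (zero until signed)
    )
    return header + body


def _with_zero_signature(message):
    return message[:SIG_OFFSET] + b"\x00" * SIG_LEN + message[SIG_OFFSET + SIG_LEN:]


def smb2_sign(signing_key, message):
    """Set SMB2_FLAGS_SIGNED, compute HMAC-SHA256 over the whole message with the
    Signature field zeroed, and store the first 16 bytes of the MAC in the header."""
    if len(message) < HEADER_LEN or message[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    flags = struct.unpack_from("<I", message, FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    message = message[:FLAGS_OFFSET] + struct.pack("<I", flags) + message[FLAGS_OFFSET + 4:]
    message = _with_zero_signature(message)
    mac = hmac.new(signing_key, message, hashlib.sha256).digest()[:SIG_LEN]
    return message[:SIG_OFFSET] + mac + message[SIG_OFFSET + SIG_LEN:]


def is_signed(message):
    return bool(struct.unpack_from("<I", message, FLAGS_OFFSET)[0] & SMB2_FLAGS_SIGNED)


def smb2_verify(signing_key, message):
    """Recompute the MAC over the message with its Signature zeroed and compare it
    in constant time with the Signature carried in the header."""
    if not is_signed(message):
        return False
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    expected = hmac.new(signing_key, _with_zero_signature(message), hashlib.sha256).digest()[:SIG_LEN]
    return hmac.compare_digest(received, expected)


def server_decision(signing_key, message, require_message_signing):
    """Server-side handling: unsigned requests are dropped only when signing is
    required; a signed request whose MAC does not verify is always dropped;
    anything else is processed and answered in kind."""
    if not is_signed(message):
        return "drop: unsigned" if require_message_signing else "process: unsigned reply"
    if not smb2_verify(signing_key, message):
        return "drop: bad signature"
    return "process: signed reply"


def demo():
    """Sign a constructed WRITE request (command 0x0009), then flip one body byte."""
    request = build_message(command=0x0009, message_id=7, session_id=0x1122334455667788,
                            body=b"\x31\x00" + b"A" * 30)
    signed = smb2_sign(SESSION_KEY, request)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return {
        "signed_ok": smb2_verify(SESSION_KEY, signed),
        "tampered_ok": smb2_verify(SESSION_KEY, tampered),
        "unsigned_when_required": server_decision(SESSION_KEY, request, True),
        "unsigned_when_optional": server_decision(SESSION_KEY, request, False),
        "tampered_decision": server_decision(SESSION_KEY, tampered, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows that a single flipped byte in the body invalidates the signature, and that the same unsigned request is processed when signing is optional but dropped when it is required.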

Global Parameter Enabling/Disabling Message Signing Requirement (require_message_signing)

Value Type: boolean

Value Format: true|false

  • true: Requires all incoming SMB messages to be signed, and drops any unsigned messages.
  • false: Allows unsigned messages to be processed.

Default Value: false

Configuring Message Signing Requirement Using the Configuration File

To configure the requirement for message signing using the configuration file, set the require_message_signing parameter to true or false in the [global] section. For example:

[global]
. . .
require_message_signing = true
. . .
[/global]

Encryption in Transit

Access to SMB shares can be encrypted to protect data in transit. Clients that support encryption and send encrypted requests receive encrypted responses from Fusion File Share Server. SMB encryption is available only to clients that negotiate SMB 3.0 or later.

Fusion File Share Server can also be configured to encrypt all outgoing SMB messages, regardless of the client's preference. This can be configured globally or per share.

Additionally, Fusion File Share Server can be configured to reject unencrypted SMB messages from clients. This option is only available globally. Note that encrypt_data controls only what the server sends; a client can still send its requests in the clear unless reject_unencrypted_access is also enabled.

Global Parameter Enabling Encryption for All Shares (encrypt_data)
Overridden by Per-Share Parameter: encrypt_data

Value Type: boolean

Value Format: true|false

  • true: enable encryption in transit for all shares.
  • false: disable encryption in transit for all shares.

Default Value: false

Share Parameter Toggling Encryption for a Specific Share (encrypt_data)
Overrides Global Parameter: encrypt_data

Value Type: boolean

Value Format: true|false

  • true: enable data transfer encryption on the share.
  • false: disable data transfer encryption on the share.

Default Value: as set in the global configuration.

Global Parameter Rejecting Unencrypted Access (reject_unencrypted_access)

Value Type: boolean

Value Format: true|false

  • true: Causes the server to reject all unencrypted messages from clients.
  • false: Allows processing unencrypted messages from clients.

Default Value: false

Enabling Encryption in Transit Globally Using the Configuration File

To enable encryption in transit for all shares, set the encrypt_data parameter in the [global] section of the configuration file to true:

[global]
. . .
encrypt_data = true
. . .
[/global]

Requiring Encryption for All Shares Using the Configuration File

To reject unencrypted access to all shares, set the reject_unencrypted_access parameter in the [global] section of the configuration file to true:

[global]
. . .
reject_unencrypted_access = true
. . .
[/global]

Setting Encryption on a Share Using the Configuration File

If the global encrypt_data setting is false (or omitted), enable encryption for a specific share by setting encrypt_data to true in that share's [share] section, as in the following example:

[global]
. . .
encrypt_data = false
. . .
[/global]

[share]
netname = MyShare
path = /export/share
encrypt_data = true
[/share]

Likewise, if the global encrypt_data setting is true but you want to disable encryption for a specific share, set encrypt_data to false in that share's [share] section, as in the following example:

[global]
. . .
encrypt_data = true
. . .
[/global]

[share]
netname = MyShare
path = /export/share
encrypt_data = false
[/share]
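Because the effective setting for a share depends on both the global and the per-share encrypt_data values, it is easy to leave a share unencrypted by accident. The following added example (not part of the Fusion File Share Server project or its tooling) parses the [global] ... [/global] and [share] ... [/share] layout shown in the examples above, resolves the per-share override exactly as described (share value wins, otherwise the global value, global default false), and reports the settings on this page that leave traffic unsigned or unencrypted. The sample configuration is constructed for the example; the parser assumes the section and key = value syntax seen on this page and nothing more.

```python
"""Audit a Fusion File Share Server configuration for the transport-security
settings covered on this page: require_message_signing, encrypt_data
(global and per share) and reject_unencrypted_access."""
import re

SECTION_RE = re.compile(r"^\[(/?)([A-Za-z_]+)\]$")


def parse_config(text):
    """Parse [global]...[/global] and [share]...[/share] blocks into
    {"global": {key: value}, "shares": [{key: value}, ...]}.
    Blank lines, '#' comments and the '. . .' elision used in the page's
    examples are ignored. Raises ValueError on unbalanced or nested sections."""
    config = {"global": {}, "shares": []}
    current_name, current = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("."):
            continue
        m = SECTION_RE.match(line)
        if m:
            closing, name = m.group(1) == "/", m.group(2).lower()
            if closing:
                if current_name != name:
                    raise ValueError(f"line {lineno}: [/{name}] closes nothing")
                if name == "share":
                    config["shares"].append(current)
                current_name, current = None, None
            else:
                if current_name is not None:
                    raise ValueError(f"line {lineno}: nested section [{name}]")
                current_name = name
                current = config["global"] if name == "global" else {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    if current_name is not None:
        raise ValueError(f"unterminated section [{current_name}]")
    return config


def as_bool(value, default):
    """Interpret a true|false value, using the default for an omitted parameter."""
    if value is None:
        return default
    v = value.lower()
    if v in ("true", "false"):
        return v == "true"
    raise ValueError(f"expected true|false, got {value!r}")


def effective_encryption(config):
    """Resolve encrypt_data per share: the share's own value wins, otherwise the
    global value applies, and the global default is false."""
    global_encrypt = as_bool(config["global"].get("encrypt_data"), False)
    return {s.get("netname", "<unnamed>"): as_bool(s.get("encrypt_data"), global_encrypt)
            for s in config["shares"]}


def audit(config):
    """Return findings, as strings, for settings that leave traffic unsigned or
    unencrypted. Each finding restates the consequence described on this page."""
    g = config["global"]
    findings = []
    if not as_bool(g.get("require_message_signing"), False):
        findings.append("global: require_message_signing=false; unsigned requests "
                        "are processed and tampering with them is not detected")
    if not as_bool(g.get("reject_unencrypted_access"), False):
        findings.append("global: reject_unencrypted_access=false; unencrypted "
                        "requests from clients are still processed")
    for name, encrypted in effective_encryption(config).items():
        if not encrypted:
            findings.append(f"share {name}: effective encrypt_data=false; responses "
                            "are sent unencrypted unless the client requested encryption")
    return findings


# Constructed sample configuration (not from a real deployment): encryption is
# enabled globally, one share inherits it and one share opts out.
SAMPLE_CONFIG = """\
[global]
require_message_signing = true
encrypt_data = true
[/global]

[share]
netname = Finance
path = /export/finance
[/share]

[share]
netname = Public
path = /export/public
encrypt_data = false
[/share]
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

On the sample the audit reports two findings: reject_unencrypted_access is unset, and the Public share is effectively unencrypted even though encryption is enabled globally. Point the script at the real configuration file to check a deployment after every change to the [global] or [share] sections.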

Adding a Share with Encryption Using the CLI

When adding a share using the CLI, you can specify the encryption setting using the -e or --encrypt-data parameter. For example:

sudo tsmb-cfg share add -n MyShare -p /export/share -e true

Updating a Share's Encryption Setting Using the CLI

To update a share's encryption setting using the CLI, use the tsmb-cfg share update command with the -e or --encrypt-data parameter. For example:

sudo tsmb-cfg share update -n MyShare -e true