Windows: Setting up “In-Motion” encryption on SMB-based files

11/27/19

One of the many additions since Windows Server 2012 (which introduced SMB 3.0) is the option to provide “In-Motion” encryption of files served over SMB shares from a Windows Server 2012 or newer file server.

I love doing AES-256 encryption at rest and making the storage fabric between arrays and servers as secure as possible with things like OOB switches, disabled ports, CHAP, ACLs, changed default ports, zoning, and masking, but the addition of Microsoft’s built-in “In-Motion” encryption is truly welcome.

In the past you’d have to deploy a PKI-based certificate just to encrypt the data “In-Motion”, or buy a very expensive INE or HAIPE.

The cool thing with SMB Encryption is that it provides end-to-end encryption of SMB data between client and server and protects it from eavesdropping on untrusted networks, including your assumed-trustworthy local LAN.

SMB Encryption provides privacy and integrity of data using AES-CCM (AES-128-CCM with SMB 3.0; SMB 3.1.1 on Windows Server 2016 and newer negotiates AES-128-GCM by default); something very important these days! It only works when both ends speak SMB 3.0 or later, so the client must be Windows 8 / Server 2012 or newer.

Below are the commands to enable it:

  • Single share encryption:

Set-SmbShare -Name <insert share name here> -EncryptData $true

  • Encryption for the ENTIRE file server and all its shares:

Set-SmbServerConfiguration -EncryptData $true

One caveat before flipping the server-wide switch: RejectUnencryptedAccess is $true by default, so clients that cannot do SMB 3.0 encryption (Windows 7, Server 2008 R2 and older) are refused access to an encrypted share rather than silently falling back to cleartext. Check which dialects your current sessions are using first.
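Putting the two commands together with the pre-check and the verification steps a practitioner would want, as an added example that is not part of the original post. The share name Finance and the server name FS01 are placeholders; run the server-side part in an elevated PowerShell session on the file server and the last command on a client.

```powershell
# Added example (not from the original post). Assumed placeholders: share "Finance",
# file server "FS01". Requires Windows Server 2012 or newer and an elevated session.

# 0. Pre-check: which connected clients negotiated a dialect below 3.0?
#    Those clients cannot do SMB encryption and will be refused once the share
#    (or server) is set to EncryptData with RejectUnencryptedAccess left at its default of $true.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' }

# 1. Per-share encryption (-Force suppresses the confirmation prompt).
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# 2. Verify: EncryptData should now read True for that share.
Get-SmbShare -Name 'Finance' | Select-Object Name, Path, EncryptData

# 3. Server-wide encryption for every share. RejectUnencryptedAccess is already $true
#    by default; setting it explicitly documents the intent in the script.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 4. Verify the server-wide settings in one view.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol, EnableSMB2Protocol

# 5. On a Windows 8 / Server 2012 or newer client, confirm the live connection to FS01
#    is actually encrypted (Encrypted = True) and negotiated a 3.x dialect.
Get-SmbConnection -ServerName 'FS01' |
    Select-Object ServerName, ShareName, Dialect, Encrypted
```

Existing sessions keep their current state; the encryption requirement applies as clients reconnect, so step 5 is worth repeating after a client has re-mapped the share.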

I hope this is helpful to others, as it is for me. We use this a lot for many networks that have strict compliance requirements. This is just one more layer to the “Defense-in-Depth” strategy.

Updated: 1/8/20

SMB v1
Detect (on Windows Server; shows whether the SMB1 feature is installed):
Get-WindowsFeature FS-SMB1

SMB v2/v3
Detect:
Get-SmbServerConfiguration | Select EnableSMB2Protocol

If this is “True” then it’s already enabled. SMB2 and SMB3 share this one switch, so turning it off also turns off SMB3 and with it SMB Encryption.

If not already enabled:

Set-SmbServerConfiguration -EnableSMB2Protocol $true
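An audit-and-harden pass that builds on the detection commands above, as an added example that is not part of the original post: it checks both the protocol switch and the installed feature, then disables and removes SMB1 while making sure SMB2/3 stays on. Assumes an elevated session on Windows Server 2012 R2 or newer; on client SKUs the feature cmdlets differ, as noted in the comments.

```powershell
# Added example (not from the original post). Run elevated on a Windows Server 2012 R2
# or newer file server. Review the session list before removing SMB1 in production.

# Protocol switches as the SMB server sees them.
$cfg = Get-SmbServerConfiguration
$cfg | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EncryptData

# Is the SMB1 server component installed at all? (Server SKUs only; on Windows 10/11 use
# Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol instead.)
$smb1 = Get-WindowsFeature -Name FS-SMB1
$smb1 | Select-Object Name, Installed

# Which clients are still connecting with a dialect below 3.0? They cannot use SMB
# encryption, and anything on 1.x will break when SMB1 is disabled.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' }

# Turn SMB1 off at the protocol level (takes effect immediately) ...
if ($cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# ... and remove the component so it cannot be re-enabled by mistake (reboot required).
if ($smb1.Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1
}

# SMB2/3 must stay on: this single switch covers SMB3, which is where encryption lives.
if (-not $cfg.EnableSMB2Protocol) {
    Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
}

# Final state for the change record.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EncryptData
```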

-Trevor