Steve Lumponalog
I'm running FreeNAS 9.3 stable, with CIFS shares to Windows, Mac, and Linux systems. Looking at the SMB traffic in Wireshark, I see that all traffic -- except for the share password -- is sent in plain text: authentication username, domain, directory listings, and file contents.
This isn't really a big deal for me, as my WiFi is encrypted, and my network uses smart switches. To be compromised, I'd probably need to have a process with elevated privileges running on a machine reading a sensitive file over SMB. Unlikely, but not impossible, so it nags at me because I know that Microsoft added AES transport encryption in CIFS 3, as detailed on this page under the heading "SMB encryption in Windows 8 and Server 2012". Extract:
SMB 3.0 in Windows 8 and Server 2012 has the ability to encrypt the SMB data while it’s in transit, at a much lower cost than deploying other in-transit encryption solutions such as IPsec. Encryption in transit protects the communications from eavesdropping if intercepted as it passes through the network.
You can enable SMB encryption for specific shares in Server 2012 via the File and Storage Services in Server Manager. You can do it when you create a new file share via the New Share Wizard, as shown in Figure 4.
Is the ability to encrypt SMB traffic in transit unique to Windows, or can it be done by FreeNAS too?
Stack Overflow suggests that adding server signing = mandatory to smb.conf might force SMB transport to be encrypted, though doing that on the client (Fedora 21) didn't make any difference for me. Is it possible and advisable to try adding that to smb.conf (or its equivalent) on FreeNAS?
Another suggestion says that adding -e or --encrypt to the smbclient options should force clients to use encryption. It does work, but I don't really want to use smbclient -- it's an FTP-like command-line utility, and I'd like to mount shares on my desktop using box-standard Finder, File Explorer, or Thunar, and feel easy that the transport is being encrypted.
I've got a kick-ass Xeon in my FreeNAS box with plenty of cycles to spare. Is there any way to get FreeNAS to force encrypted SMB on all its clients, or should I start looking at alternatives like sshfs?
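An added example, not part of the original post: one way to check from captured port-445 payloads whether SMB traffic is actually encrypted, rather than only signed, is to look at the 4-byte protocol ID and the SMB2 header flags. The function names and sample frames below are constructed for illustration, and the code assumes each TCP payload starts at a message boundary (no stream reassembly).

```python
import struct

SMB1_MAGIC = b"\xffSMB"        # SMB1/CIFS header, payload readable on the wire
SMB2_MAGIC = b"\xfeSMB"        # SMB2/SMB3 header, payload readable on the wire
SMB3_TRANSFORM = b"\xfdSMB"    # SMB3 transform header, payload is ciphertext
SMB2_FLAGS_SIGNED = 0x00000008  # signing adds integrity only, not confidentiality


def classify_smb_frame(tcp_payload: bytes) -> str:
    """Classify one TCP payload: 4-byte length prefix followed by an SMB message."""
    if len(tcp_payload) < 8:
        return "too-short"
    msg = tcp_payload[4:]  # skip the zero byte + 3-byte big-endian length
    magic = msg[:4]
    if magic == SMB3_TRANSFORM:
        return "smb3-encrypted"
    if magic == SMB2_MAGIC:
        if len(msg) < 64:
            return "too-short"
        (flags,) = struct.unpack_from("<I", msg, 16)  # Flags field at offset 16
        return "smb2-signed-cleartext" if flags & SMB2_FLAGS_SIGNED else "smb2-cleartext"
    if magic == SMB1_MAGIC:
        return "smb1-cleartext"
    return "not-smb"


def unencrypted(frames):
    """Return the classifications of all SMB frames whose payload is readable."""
    kinds = [classify_smb_frame(f) for f in frames]
    return [k for k in kinds if k.startswith("smb") and k != "smb3-encrypted"]


def _frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _smb2(flags: int, body: bytes) -> bytes:
    # Constructed 64-byte SMB2 header (command 8 = READ) plus a readable body.
    fields = struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 8, 1, flags, 0, 1, 0, 1, 1)
    return SMB2_MAGIC + fields + bytes(16) + body


# Constructed sample frames, not taken from a real capture.
SAMPLES = [
    _frame(_smb2(0, b"quarterly-report.txt")),
    _frame(_smb2(SMB2_FLAGS_SIGNED, b"quarterly-report.txt")),
    _frame(SMB3_TRANSFORM + bytes(32) + struct.pack("<IHHQ", 84, 0, 1, 1) + bytes(84)),
    _frame(SMB1_MAGIC + bytes(28)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_smb_frame(sample))
```

A signed frame still carries its file names and contents in the clear; only frames that begin with the transform header are encrypted.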