SMB encryption
OneFS 8.1.1 and above provide SMB encryption to secure access to data over untrusted networks by encrypting traffic on the wire between the client and the PowerScale cluster. This on-wire data encryption prevents an attacker from tampering with any data packet in transit, and it requires no extra infrastructure.
SMB encryption can be used by any client that supports SMB3 encryption, starting with Windows Server 2012, 2012 R2, and 2016, and Windows 8 and Windows 10 clients, and it does not require any extra infrastructure management. PowerScale can also be configured to accept or reject older clients that lack SMB encryption support.
Figure 18 shows how client connections behave after SMB encryption is enabled on a PowerScale cluster. In this configuration, the Windows 7 client connection is rejected because the client lacks SMB encryption support. Data access from the Windows 10 client is encrypted on the wire to protect the data against snooping.
Windows Server 2012 R2 (or Windows 8) and Windows 2016 (or Windows 10) use different encryption algorithms. There are currently three SMB3 dialects, all of which are supported by PowerScale OneFS 8.1.1 and above:
SMB encryption has been enhanced in SMB 3.1.1. The AES-128-GCM mode offers a significant performance gain compared to SMB 3.0.x. On the PowerScale side, encryption and decryption happen at the kernel level and use Intel CPU extensions for hardware acceleration, which gives next-generation PowerScale clusters a performance benefit. SMB encryption can be easily managed at the global, access zone, and individual share level on Dell PowerScale:
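To confirm which dialect and cipher a given client actually negotiated, the NEGOTIATE response in a packet capture can be decoded. The following is an added example, not part of Dell's documentation; the field offsets, dialect codes and cipher IDs come from Microsoft's MS-SMB2 specification (SMB 3.0.x uses AES-128-CCM), and `sample_response` builds constructed test messages rather than real captures.

```python
import struct

# Dialect revisions and cipher IDs as defined in MS-SMB2.
DIALECTS = {0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}
CAP_ENCRYPTION = 0x40    # SMB2_GLOBAL_CAP_ENCRYPTION, meaningful for 3.0 / 3.0.2
CTX_ENCRYPTION = 0x0002  # SMB2_ENCRYPTION_CAPABILITIES negotiate context (3.1.1)

def negotiated_encryption(msg: bytes):
    """Return (dialect, cipher or None) from one SMB2 NEGOTIATE response."""
    if len(msg) < 128 or msg[:4] != b"\xfeSMB" or msg[12:14] != b"\x00\x00":
        raise ValueError("not an SMB2 NEGOTIATE response")
    body = msg[64:]                          # skip the 64-byte SMB2 header
    dialect, ctx_count = struct.unpack_from("<HH", body, 4)
    (caps,) = struct.unpack_from("<I", body, 24)
    (ctx_off,) = struct.unpack_from("<I", body, 60)
    name = DIALECTS.get(dialect)
    if name is None:                         # SMB 2.x: no SMB3 encryption
        return (hex(dialect), None)
    if dialect != 0x0311:                    # 3.0.x: capability flag, fixed cipher
        return (name, "AES-128-CCM" if caps & CAP_ENCRYPTION else None)
    off = ctx_off                            # 3.1.1: offset counts from header start
    for _ in range(ctx_count):
        ctype, dlen = struct.unpack_from("<HH", msg, off)
        if ctype == CTX_ENCRYPTION:
            count, cipher = struct.unpack_from("<HH", msg, off + 8)
            return (name, CIPHERS.get(cipher) if count else None)
        off += (8 + dlen + 7) & ~7           # contexts are 8-byte aligned
    return (name, None)

def sample_response(dialect, caps=0, cipher=None):
    """Constructed NEGOTIATE response (zeroed header fields, no security blob)."""
    hdr = b"\xfeSMB" + struct.pack("<H", 64) + bytes(58)
    ctx = b"" if cipher is None else struct.pack("<HHIHH", CTX_ENCRYPTION, 4, 0, 1, cipher)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, 1 if ctx else 0,
                       bytes(16), caps, 0, 0, 0, 0, 0, 128, 0, 128 if ctx else 0)
    return hdr + body + ctx

if __name__ == "__main__":
    for label, msg in [("SMB 3.1.1 client", sample_response(0x0311, cipher=2)),
                       ("SMB 3.0.2 client", sample_response(0x0302, caps=CAP_ENCRYPTION)),
                       ("SMB 2.1 client", sample_response(0x0210))]:
        print(label, negotiated_encryption(msg))
```

A negotiated cipher only shows what the connection is capable of; frames that are actually encrypted begin with the transform header protocol ID `0xFD 'S' 'M' 'B'` instead of `0xFE 'S' 'M' 'B'`.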
We recommend the following key considerations during design and implementation: